why a risk assessment is not enough for hipaa compliance


Upload: compliancy-group

Post on 12-Jul-2015


TRANSCRIPT

Page 1: Why a Risk Assessment is NOT Enough for HIPAA Compliance

855 85 HIPAA www.compliancygroup.com

Industry leading Education

Certified Partner Program

For Today

•  Please ask and be prepared for questions!
•  Today’s slides: www.compliancy-group.com/slides023
•  Upcoming & past webinars: http://compliancy-group.com/webinar/

Get Involved: #cgwebinar

•  How to increase your profit using patient payments on file, recurring and online bill pay
•  Tuesday, January 20th from 2:00 – 3:30 EST

Copyright 2007-2015 1

Page 2: Why a Risk Assessment is NOT Enough for HIPAA Compliance


Page 3: Why a Risk Assessment is NOT Enough for HIPAA Compliance

A Common Misconception

•  79% of health care providers believe completing a risk assessment will satisfy Meaningful Use AND HIPAA compliance
•  FALSE!!!

Page 4: Why a Risk Assessment is NOT Enough for HIPAA Compliance

Why do you care?

•  Lose HITECH incentive payments
•  Return the HITECH money
•  HIPAA Fines/Penalties:
  •  Up to $50,000/incident
  •  $1.5 million max.

Page 5: Why a Risk Assessment is NOT Enough for HIPAA Compliance

OMNIBUS

•  Satisfy the total set of regulations
•  Beyond just a risk analysis
•  To comply with HIPAA, you must continue to review, correct or modify, and update security protections

“Pleading ignorance will not be a defense when OCR comes to call.”*

* http://www.govhealthit.com/news/steps-prep-phase-2-ocr-audits

Page 6: Why a Risk Assessment is NOT Enough for HIPAA Compliance

HIPAA

•  Health Insurance Portability and Accountability Act of 1996
•  Provides national standards to protect the privacy of PHI (Personal Health Information)
•  Security, Breach Notification, and Safety Rules

Page 7: Why a Risk Assessment is NOT Enough for HIPAA Compliance

[Diagram: Administrative Audit, Physical Audit, Security Audit]

Page 8: Why a Risk Assessment is NOT Enough for HIPAA Compliance

HITECH and Meaningful Use

•  CEs (Covered Entities) must prove that they are using certified EHR (Electronic Health Record) technology in a meaningful manner
•  Incentive payments
•  Providers are required to demonstrate Meaningful Use EVERY year

Page 9: Why a Risk Assessment is NOT Enough for HIPAA Compliance


Meaningful Use


Page 10: Why a Risk Assessment is NOT Enough for HIPAA Compliance

Meaningful Use Risk Assessment

“Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”*

•  Required for each reporting period for BOTH Meaningful Use Stages 1 and 2
•  Steps:
  •  Review existing security infrastructure
  •  Identify potential threats to patient privacy and security and assess the impact on your e-PHI
  •  Prioritize risks based on impact severity

* http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Page 11: Why a Risk Assessment is NOT Enough for HIPAA Compliance

[Diagram: Administrative Audit, Physical Audit, Security Audit, Meaningful Use Risk Assessment]

Page 12: Why a Risk Assessment is NOT Enough for HIPAA Compliance

CMS Says

•  Only 11% of Covered Entities passed the audit; 70% of Covered Entities are not compliant
•  98% of health care providers audited had at least one negative finding
•  Most common cause: entity unaware of the requirements
•  Beginning in 2015:
  •  5% of providers will be audited
  •  CMS will report failures to OCR (Office of Civil Rights)
  •  Onsite audits will be much more comprehensive, including both Covered Entities and Business Associates

Page 13: Why a Risk Assessment is NOT Enough for HIPAA Compliance

Is your Risk Assessment enough?

Reporting on the compliance audits, CMS wrote:

•  “CEs did not understand the key elements of an effective risk assessment. CEs did not conduct a documented analysis… In some cases, although management had identified certain risks within the organization, no formally documented risk assessment covering e-PHI risks throughout the organization existed.”*
•  Problems discovered with most or all CEs’ policies and procedures, including those for performing Risk Assessments

* CMS Compliance Reviews, “HIPAA Compliance Review Analysis and Summary of Results”

Page 14: Why a Risk Assessment is NOT Enough for HIPAA Compliance

Penalties

•  $100-$50,000 per incident, up to $1.5 Million
•  $1,000-$50,000 per incident, up to $1.5 Million
•  $10,000-$50,000 per incident, up to $1.5 Million
•  $50,000 per incident, up to $1.5 Million

Page 15: Why a Risk Assessment is NOT Enough for HIPAA Compliance

Beyond a Risk Analysis

Step 1. Assess where you are against the regulation (GAP)
•  The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA
•  A risk analysis will help you attest to Meaningful Use Stage 1 Core Requirement 15

Step 2. Remediation Plan
•  Prove that you remediated the deficiencies identified in the risk analysis
•  Policies & Procedures, Training, and Attestation

Page 16: Why a Risk Assessment is NOT Enough for HIPAA Compliance

Step 3. How do you prove it?
Successful compliance plans address:
•  Administration and Technical
  •  Policies and Procedures
  •  IT security
  •  Devices installed and maintained within your organization
•  Physical
  •  Security within physical locations of your practice(s)

(Meaningful Use Stage 2 Core Requirement 9 requires remediation of deficiencies found during the risk analysis to be documented and completed)

Step 4. Maintain your compliance
•  As the regulations, staff, and practice change

Page 17: Why a Risk Assessment is NOT Enough for HIPAA Compliance

Questions?

For more information, contact:

Sales & Demo Scheduling Questions
Marc Haskelson
855.854.4722 ext 507
[email protected]

HIPAA Questions
Bob Grant
855.854.4722 ext 502
[email protected]

Page 18: Why a Risk Assessment is NOT Enough for HIPAA Compliance
