Diagnosing HIPAA Compliance

Patient no: X89563

Key HIPAA Milestones

• August 1996: HIPAA enacted
• December 2000: Privacy Rule published
• February 2003: Security Rule issued
• February 2009: HITECH Act passed
• March 26, 2013: HIPAA final omnibus rule effective
• September 23, 2013: HIPAA audits start

HHS Office for Civil Rights Director Leon Rodriguez said, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

“These changes [omnibus rule] not only greatly enhance a patient’s privacy rights and protections, but also strengthen enforce the HIPAA privacy and security protections.” -Leon Rodriguez, HHS

Who does this affect?

What is a covered entity? Health plans, health care clearinghouses and health care providers who electronically transmit any health information.

Who is a business associate? A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

• Revise Business Associate Agreements
• Implement Business Associate HIPAA compliance program

Why the need for HIPAA compliance?

In the last 3 years, records were impacted by 3 parts of HIPAA compliance:

• Privacy Rule: 26%
• Security Rule: 65%
• Breach Notification Rule: 9%

That’s more than the populations of New York City, Los Angeles, Chicago, Houston, Denver, and Seattle combined.

Audit Violations within HIPAA Security Rule

The Office of Civil Rights performed test audits to assess the overall HIPAA compliance efforts of covered entities.

• Administrative Safeguards: 42%
• Physical Safeguards: 18%
• Technical Safeguards: 40%

What is the impact of a violation or compromise?

• Damaged trust
• Fines up to $50,000 per day for each violation
• Loss of revenue
• Loss of customers
• Negative publicity

Resolution Agreement: A contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations, which may include fine payment. These agreements are reserved to settle infractions from HIPAA investigations and/or breaches. Total of $14,883,345 in Resolution Agreements since 2008.

Getting started on your HIPAA compliance

Evaluate the likelihood and impact of potential risks to ePHI, implement appropriate security measures, document chosen security measures, and maintain appropriate security protections.

The Office of the National Coordinator for Health Information Technology has stated, “doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

Need help getting started? SecurityMetrics HIPAA Focus helps you with every step of compliance, from risk identification to audit preparation. For more information or to get started on your HIPAA compliance call 801.995.6801. www.securitymetrics.com/hipaa

Sources:

• http://www.hhs.gov/news/press/2013pres/01/20130117b.html
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
• http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf
• http://healthitsecurity.com/2013/03/12/ocr-talks-hipaa-breach-notification-at-himss13/
