Disclaimer This webinar may be recorded. This …...Current with updated HIPAA Audit Protocol...


Disclaimer

This webinar may be recorded. This webinar presents a sampling of best practices and overviews, generalities, and some laws. This should not be used as legal advice. Itentive recognizes that there is not a “one size fits all” solution for the ideas expressed in this webinar; we invite you to follow up directly with us for more personalized information as it pertains to your specific practice and issues.

Thank you, and enjoy the webinar.


About Us

Our passion is to provide solutions for our healthcare provider partners which help them improve patient care, enhance the patient experience and maintain a financially healthy practice.

Since 2003 we have specialized in NextGen® Healthcare services including:

• Consulting

• Hosting

• Customization

• And productivity tools such as ChartGuard® and RefundManager®


Upcoming Webinars

The Future of Healthcare Delivery: Telemedicine

• Wednesday, September 21, 2016

Also, keep your eyes peeled for any other webinar invites dependent on future regulatory changes


How to Survive a HIPAA Audit

With HIPAA One and Itentive


Presenters

Steven Marco

President and Founder

Bobby Seegmiller

VP of Business Development

Christ Floros

Managing Consultant, Security & Compliance


Today’s Agenda

HIPAA Basics and Benefits

Risk Analysis Documentation

Risk Management Methodology

Audit Preparation Tips

OCR Audit Updates


Company Introduction

HIPAA Compliance & Data Security

Healthcare compliance and risk management

Experts in talent, solutions and methodologies

Dedicated to constant improvement

HIPAA One® Risk analysis software:

Over 2,400 sites (CEs and BAs) protecting ePHI

Automation of all mundane labor-intensive activities

Privacy and Breach Notification recently added!

Developed and maintained in USA

Current with updated HIPAA Audit Protocol

Disclaimer: We are not attorneys, but as auditors must understand HIPAA!


Simple. Automated. Affordable.

HIPPOs and HIPAA


Problem – High Chance of an Audit

There are 5 ways to get audited:

1. Patient Complaint/Whistleblower

• Privacy (PHI), Security (ePHI) or possible Breach Notice

2. Breach Notice

• Omnibus update: all unauthorized disclosures are breaches

3. Meaningful Use

• Core Measure regarding “Protecting ePHI”

4. Random Audit

• Newman Research, Audit Protocol, ongoing audits

5. Business Associates

• Regardless of “whose fault,” the CE is responsible


HIPAA Compliance Overview

1. Regulatory Compliance

PCI

HIPAA

SOX

GLBA

Health Insurance Portability and Accountability Act (1996)

Title 1: Insurance Portability

Title II

Fraud & Abuse & Medical Liability Reform

Administrative Simplifications

Privacy

Security

EDI (Electronic Data Interchange)

Transactions

Code Sets

Title III: Tax Related Health Provisions

Title IV: Group Health Plan Requirements

Title IV: Revenue Offsets

2. HIPAA

3. Office for Civil Rights: Compliant?

YES

NO

SECURITY RISK ANALYSIS

AUDIT ENFORCEMENT


Where is your ePHI?


In a Breach, Who reports?

Covered Entities (CE)

Are responsible for reporting a breach to:

• the HHS upon discovery if 500 or more, and not later than 60 days after the end of each calendar year if less than 500

• individuals affected without unreasonable delay, but in no event later than 60 days after the discovery of the breach

• prominent media outlets if 500 or more

Business Associates (BA)

Are responsible for reporting breaches to the CE following the discovery of a breach of unsecured protected health information.


In a Breach, Who pays?

Covered Entities (CE)

§ 160.402(c)(1) “A covered entity is liable…for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.”

Business Associates (BA)

§ 160.402(c)(2) “A business associate is liable…for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.”


How to Prepare For An Audit?

Perform a comprehensive HIPAA Security Risk Analysis

React: Implement plans to remediate deficiencies

Understand HIPAA Compliance vs Security

HIPAA Security is the effort to safeguard ePHI to preserve confidentiality, availability and integrity of the data

HIPAA Compliance is the act of proving the organization’s intent to meet the requirements of the HIPAA Security Rule

OCR’s Final Guidance on Risk Analysis:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html


MACRA introduces CMS QPP

MACRA streamlines existing quality reporting programs into one NEW Quality Payment Program (QPP), and expands the potential rewards for adopting risk-based contracts.

MIPS: Merit-Based Incentive Payment System

Combines aspects of the MU, PQRS, and VM programs, plus clinical practice improvement activities.

Participants receive a score, which results in an incentive payment or penalty dependent on scoring relative to peers.

APMs: Alternative Payment Models

For providers with a significant portion of revenue coming from two-sided risk contracts, many of which are being designed by CMS.

Participants are exempt from MIPS requirements, and may be rewarded annual bonuses of up to 5%.

QPP performance in 2017 will impact Medicare payments in 2019.

Stay tuned for more information!


HIPAA Audit Protocol Update

All protocols have been updated

More Policies and Procedures

Asking for evidence demonstrating compliance

Security: BAAs & Plan Sponsors need “Satisfactory Assurances”

Privacy: Minimum Necessary between CEs

Breach: Training, Complaints, Sanctions

Over 1654 updates in total

Ensure your software is updated!


How is a HIPAA RA Done using:

Step 1 – Gather Information, Interviews, Inventory, etc.

Participant login, answer simple questions and interview.

Step 2 – Remediation Planning

Results of Step 1, Develop and Assign tasks

Step 3 – Sign & Add Reviewers

Ongoing Remediation, tracking and documentation


Working Demonstration


Step 1 – Gather Information


Interviews & Automatic NIST 800-30


Project Management Screen


Automated, Calculated Results


Assign Tasks


Ongoing Remediation


Final Report


SRA Pitfalls and Quick-Tips

Do not be embarrassed to answer “NO”

Pressure to remediate during assessment

Don’t do this! Finish entire process ASAP.

Click on “Yes”, “No” button for more information

Spend time in remediation planning


Itentive HIPAA Risk Analysis

Itentive can assist you in performing a thorough and accurate HIPAA Security Risk Analysis

• Itentive will manage your HIPAA Security Risk Analysis and guide you, step-by-step through the entire process

• Our methodology leverages the proven and tested HIPAA One software platform which includes a comprehensive set of compliance questions and acts as a repository for maintaining the interview responses, supporting documentation and remediation action plan

• We will:

Review your interview responses and supporting materials and identify areas which need additional information or clarification

Identify threats/vulnerabilities and analyze controls in place

Guide the development of your remediation plan prioritizing risks by likelihood and impact

Help you track and document your ongoing remediation efforts throughout the year

Be available as a resource to answer your HIPAA and Meaningful Use compliance related questions


Questions

Christ Floros

• Managing Consultant, Security & Compliance at Itentive Healthcare Solutions


• 224-220-5533
