
Live Webinar on
HIPAA Audit and Enforcement Update:
What’s Been Learned and What Can Be Expected in the Future

Presented By:
Jim Sheldon-Dean
Director of Compliance Services
Lewis Creek Systems, LLC
www.lewiscreeksystems.com

1
Agenda
• Learn from the HIPAA Audit Activities and Enforcement Settlement Agreements
• Review the Agreements and Fines to date
• Identify the most prominently featured issues in enforcement and audits
• Explain the documentation that must be in place to show implementation of policies and procedures
• Review the HIPAA Audit process and results from past audits
• Discuss HIPAA Privacy and Security requirements
• Learn about being prepared for enforcement and auditing
• Q&A session

2
To Prepare for an Audit or Enforcement Investigation
• Make sure you have the known issues covered
– Breaches
– Enforcement Actions
– Issues noted in 2012 Audit Reports
• Document your Policies and Procedures and the actions taken pursuant to them
• Complete the HIPAA Audit Protocol
• Be ready to respond

3
How to approach HIPAA Compliance
• Two ways to approach HIPAA compliance:
– One is to start from the regulations and work outward, dealing with issues as they are found while compliance with the regulations is implemented
– The other is to start with the known issues first and knock them down, as they are the most likely to cause problems
– Best is both, of course, but…
• We will examine the issues identified in audits and enforcement actions to identify the top priorities for attention
• The session will provide background on the issues, explain enforcement and audit activity, show what must be documented, and show how to survive any issues

4
HIPAA Privacy & Security Rules
• Privacy Rule
– 45 CFR §164.5xx; Enforceable since 2003
– Establishes Rights of Individuals
– Controls on Uses and Disclosures
– Individual access to PHI is a hot-button issue for HHS
• Security Rule
– 45 CFR §164.3xx; Enforceable since 2005
– Applies to all electronic PHI
– Flexible, customizable approach to health information security
– Uses Risk Analysis to identify security risks and plan their mitigation

5
HIPAA Breach Notification Rule
• Breach Notification Rule
– 45 CFR §164.4xx; Enforceable since February 2010
– Requires reporting of all PHI breaches to HHS and individuals
– Extensive/expensive obligations
– Provides examples of what not to do on the HHS “Wall of Shame”: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
• 2013 Omnibus Update Rule, with Preamble, available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• Combined Rules as of March 2013 published by HHS OCR, available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html

6
What is a HIPAA Audit?
• HITECH §13411 requires HHS to conduct periodic audits
• Be able to show you have in place the policies and procedures required by the HIPAA Privacy, Security, and Breach Notification Rules
• AND! Show you have been using them
• Two-week notice! – You must be prepared in advance or it’s too late!
• Round 1 conducted in 2012
• For Round 2 in 2016-2017:
– Desk Audits of 166 Covered Entities & 41 HIPAA Business Associates Completed
– Further desk audits and on-site audits have been CANCELLED for Round 2
• Future Audits have been cancelled
• Phase 3 will be a report on best practices learned from Phases 1 and 2
• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

7
Breach Notification and the 2016 HIPAA Audits
• Not a general, soup-to-nuts review like in 2012
• 166 Desk Audits of Covered Entities and 41 Business Associates, specific to particular problem areas revealed in prior Audits, Breaches, and Enforcement Actions
– Privacy Rule
• Notice of Privacy Practices & Content Requirements §164.520(a)(1), (b)(1)
• Provision of Notice - Electronic Notice §164.520(c)(3)
• Right to Access §164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)
– Breach Notification Rule
• Timeliness of Notification §164.404(b)
• Content of Notification §164.404(c)(1)
– Security Rule
• Security Management Process – Risk Analysis §164.308(a)(1)(ii)(A)
• Security Management Process – Risk Management §164.308(a)(1)(ii)(B)

8
What is a HIPAA Breach?
• A Breach may be any acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule, except when:
– Unintentional use, in good faith, with no further use;
– Inadvertent use within job scope; or,
– Information cannot be retained (returned, sealed, unopened)
• A Breach but Not Reportable if:
– Destroyed, or Secured per HHS guidance
• Otherwise, must report unless there is a “low probability of compromise” of the data, based on a risk assessment including:
– What was the info (and is its release “adverse to the individual”)
– To whom it was disclosed
– Was it actually acquired or viewed
– The extent of mitigation
• If Ransomware is involved, also consider integrity and availability
9
Is It a Reportable Breach?

10
For more information visit https://skillacquire.us

11
