The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series...
Transcript of The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series...
![Page 1: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/1.jpg)
11
The 30-Minute Guide to
Understanding Compliance
855 85 HIPAA (855-854-4722) www.CompliancyGroup.com
![Page 2: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/2.jpg)
2
Marc Haskelson
Compliancy Group, CEO
Meet Your Experts
Tripp Rabourn
Medical Consulting Group,
Client Development Specialist
![Page 3: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/3.jpg)
33
MCG/ Compliancy Group Free Education Series
▪ Upcoming & Past webinars
▪ Free Resources (whitepapers, articles, infographics)
Please ask questions If we are unable to address them during the webinar,
you will receive a response via email within 24-48 hours.
![Page 4: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/4.jpg)
4
Medical Consulting Group
Medical Consulting Group (MCG) has spent more than 29 years creating customized business solutions.
We specialize in all area’s of Medical Business ▪ Practice, corporate, and ambulatory surgery center (ASC) strategic consulting
▪ Creative services - branding, marketing, video production, web, and social media
▪ Management Services Organization (MSO)
▪ Billing services
▪ Accounting
▪ ASC development and management
▪ Co-op patient education program - PatientBuilder
▪ Clinical and medical device education - MCG University
▪ Compliancy
![Page 5: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/5.jpg)
5
We simplify compliance so you can confidently focus on your business.
Compliancy Group
Started in 2005 by HIPAA auditors & Compliance experts
▪ Market need for a total end client solution
▪ Created The Guard: cloud-based solution
Compliance is our business
▪ No client has ever failed an OCR or CMS audit!
▪ 100% of our clients would refer us to a friend
Recognized Leader of Compliance
• CRN - Top Compliance Tools & Emerging Vendor
• 2017 ChannelPro Visionary
• Achievements in Health Care Spirit of Advocacy Award, (LIBN)
• CompTIA Channel Advisory Board
• CompTIA Business Applications Advisory Council
Proud Sponsor
Endorsed by
More than 40 medical associations and technology
providers – hosting, EHR, IT, Security
Eye Care Associations
• OOSS, AAO, AOA Excel, Plus 40 other medical
associations
Technology providers
• Essilor, Luxotica, Coherent Eye, First Eye Care, iMatrix,
Ocuco, Eyetopia, Vision Trends, iDoc
![Page 6: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/6.jpg)
6
HIPAA Optional Vs. Required?
Stick vs. Carrot
▪ Who really controls your brand?
▪ What Patients think about You!
▪ What Patients think about HIPAA
▪ What you need to know!
![Page 7: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/7.jpg)
7
Reviews Are Important
▪ U.S. News & World Report: patients surveyed
• 30% Search the web for a doctor
• 33% review you online
• 55% are only happy with some of their doctors
(looking for new provider?)
![Page 8: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/8.jpg)
8
Are you confident your healthcare
providers protect your medical
records?
▪ Not confident
http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf
68%
Did your providers’ negligence cause
or contribute to identify theft?
53%▪ Yes, they
caused or contributedto it.
How Do Patients Feel About HIPAA?
![Page 9: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/9.jpg)
9
Are YOU HIPAA Compliant?
![Page 10: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/10.jpg)
10
Risk Assessments
▪ I had an expensive Security Risk Assessment done
▪ Am I HIPAA compliant?
![Page 11: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/11.jpg)
11
Policies & Procedures
▪ I have a Manual, I am compliant “right”?
![Page 12: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/12.jpg)
12
Workforce Training
▪ I paid for my employees HIPAA training, I am compliant.
* Cost for 10 employee practice
![Page 13: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/13.jpg)
13
Avoidable Breach
▪ Who: Anchorage Community Mental Health Services
(ACMHS) - Nonprofit org. (Alaska)
▪ What: Malware caused breach of unsecured ePHI
▪ Why: Ineffective compliance program• Audits
• Policies & Procedures
• Training
▪ Settlement: $150,000 & CAP (Corrective Action Plan)
![Page 14: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/14.jpg)
14
Important Definitions
Covered Entity (CE): Health care providers, health plans, health care
clearinghouses who electronically transmit any Protected Health
Information (PHI)
Business Associate (BA): Any individual or organization that creates,
receives, maintains or transmits PHI on behalf of a Covered Entity (CE)
Subcontractor: Create, receive, maintain or transmit PHI on behalf of a BA
![Page 15: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/15.jpg)
16
What Information Does HIPAA Protect?
▪ Names
▪ Addresses
▪ Dates of Service
▪ Telephone Numbers
▪ Fax Numbers
▪ Email Addresses
▪ Social Security Numbers
▪ Medical Record Numbers
▪ Health Plan Beneficiary Numbers
▪ Account Numbers
▪ Certificate/License Numbers
▪ Vehicle identifiers/Serial Numbers
▪ Device identifiers and serial numbers
▪ Web Universal Resource Locators
(URLs)
▪ Internet Protocol (IP) address numbers;
▪ Biometric identifiers
▪ Full Face Photos or Videos
▪ Any other unique identifying number,
characteristic, or code
PHI may include any of the following:
![Page 16: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/16.jpg)
17
AuditsRequired
Technical, Privacy ,
Administrative
Remediation Plans
Policies,Procedures& Training
BusinessAssociate
Management
IncidentManagement &
Remediation
Document Version,
Employee Attestation &
Tracking
Security VS. HIPAA Compliance
731-1643
Policies,Procedures& Training
Audits SRA (Security Risk
Assessment)
$
$
$
$
Security Remediation
Efforts
$
![Page 17: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/17.jpg)
19
Physical Audit
Requires safeguards to ensure only those who should have access to
electronic protected health information (ePHI) will have
access.
Security Rule
Administrative/Privacy Audit
Security/Technical Audit
Sets standards for when protected health
information (PHI) may be used and disclosed.
Privacy Rule
Breaches of unsecured PHI require notifying HHS,
affected individuals, and in some cases the media.
Breach Notification Rule
Meaningful Use/MIPS
Risk Assessment
![Page 18: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/18.jpg)
20
Omnibus Rule
▪ Business Associates:
• Direct liability by function
• Directly liable for violations
• Must be HIPAA Compliant (Security Rule)
▪ Technical, Administrative, & Physical Safeguards
▪ Covered Entities:
• Compliance with Privacy Rule
• Must have BAAs (Business Associate Agreements)
• Conduct a Technical Due Diligence
▪ Contracting with subcontractors
• BA liability flows to all subcontractors
![Page 19: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/19.jpg)
21
Causes Of A HIPAA Audit
?%Breach Notification
Business Associates
Phase 2 Random
Meaningful Use Failure
Reported
•Whistleblower
•Complaint
HHS is REQUIRED by law to investigate ALL HIPAA violation complaints
?%
![Page 20: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/20.jpg)
22
The Need For BAAs
▪ Who: Raleigh Orthopaedic (North Carolina)
▪ What/Why: 17,300 patients affected
• Handed over PHI to potential business partner without first executing a business associate agreement.
▪ Settlement: $750,000 & CAP
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director
of OCR. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic-bulletin/index.html
![Page 21: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/21.jpg)
23
$31,000 Mistake
▪ Who: The Center for Children’s Digestive Health (CCDH), small pediatric practice
▪ What: Investigation of a BA (Filefax)
▪ Why:
• Caused by OCR investigating improper disposal of
PHI by Filefax;
• Subsequent investigation detected lack of BAA with
CCDH
▪ Settlement: $31,000 & CAP
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html
![Page 22: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/22.jpg)
24
But…It Probably Won’t Happen To Me
▪ In a recent study, more than half of business associates (59%) reported a data breach in the last two years that involved the loss or theft of patient data. More than a quarter (29%) experienced two breaches or more.
▪ Of the 345 incidents reported by HHS and listed on their site under Breaches Affecting 500 or More Individuals, 74 involved a business associate (21%).
Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data conducted by Ponemon Institute http://media.scmagazine.com/documents/121/healthcare_privacy_security_be_30019.pdf
![Page 23: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/23.jpg)
25
PHI Breaches
59%
▪ Caused by Theft or Loss-
related reasons
https://www.healthcare-informatics.com/news-item/cybersecurity/study-30-percent-patient-data-breaches-involve-business-associates
11%
▪ Involved Business
Associates
30%
▪ Caused by Hacking
or IT incident
![Page 24: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/24.jpg)
26
HHS Wall Of Shame
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
*13 Eye Care Breaches under investigation (last 24 months)
![Page 25: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/25.jpg)
27
Lack of Timely Breach Notification = $475k
▪ Who: Presence Health
▪ What/Why: 836 patients affected
• Breach: missing paper operating room schedules
• Failed to notify within 60 days each of the 836
individuals affected
• Failed to notify OCR within 60 days
▪ Settlement: $475,000 & CAP
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” said OCR Director Jocelyn
Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
https://www.hhs.gov/about/news/2017/01/09/first-hipaa-enforcement-action-lack-timely-breach-notification-settles-475000.html
![Page 26: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/26.jpg)
28
The Seven Fundamental Elements of an
Effective Compliance ProgramCompliance according to HHS:
1. Implementing written policies, procedures and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking
corrective action.
*Source HHS & OIG
![Page 27: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/27.jpg)
29
Easily Avoidable HIPAA Fines
▪ Patient testimonials – $25,000
• Physical Therapy – posted testimonials on website w/out permission, failure to have updated policy and procedures
▪ Press Release - $2,400,000
• Publish Press release including PHI w/out authorization, failure to have policy and procedures
▪ Late breach notification - $475,000
• Did not notify OCR/patients within (60) days, – failure to have policy and procedures
▪ Unencrypted devices - $2,700,000
• SIX risk analysis – failure to have updated policy and procedures
▪ Malware - $750,000
• Incomplete Risk Assessments, failure to have policies/procedures
![Page 28: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/28.jpg)
30
The HIPAA Compliance PuzzleAudits
SRA (Security Risk Assessment),
Administrative, Privacy
Remediation Plans
Policies,Procedures& Training
BusinessAssociate
Management
IncidentManagement &
Remediation
Document Version
Employee Attestation &
Tracking
![Page 29: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/29.jpg)
31
MCG + Compliancy Group
▪ Managing all the pieces of the compliancy puzzle
can be overwhelming
▪ All the tools you need
▪ Specialist to help every step of the way
![Page 30: The 30-Minute Guide to Understanding Compliance...3 MCG/ Compliancy Group Free Education Series Upcoming & Past webinars Free Resources (whitepapers, articles, infographics) Please](https://reader033.fdocuments.net/reader033/viewer/2022052014/602b52c3fd484636fe25481f/html5/thumbnails/30.jpg)
32
Marc Haskelson
President & CEO
855-854-4722 Ext 507
Questions?
Tripp Rabourn
Medical Consulting Group, Client Development Specialist
© 2018 Medical Consulting Group, LLC
& Compliancy Group, LLC