HIPAA, HITECH and ARRA

Compliance Simplified


Learn why having a CCHIT Certified EMR/EHR does not make you HIPAA Compliant automatically.

 
Contact us for a risk free no obligation initial assessment and quote.
 

It all begins with RISK ASSESSMENT!

Compliance with the HIPAA and HITECH Acts begins with a comprehensive Risk Assessment of a Covered Entity (CE)’s Privacy and Security environment. This is a required element, and if and when you are audited or investigated, this would be the first item auditors will ask for. HCC can conduct a thorough Risk Assessment of your setup and provide you with a clear road map to becoming compliant. Remember, not having this assessment makes you liable for willful negligence of the rules and exposes you to maximum penalties and sanctions.

The HIPAA Privacy Rule

is undergoing significant changes with new patient rights and new restrictions on uses and disclosures of PHI going into effect.  We can:

  • Review your HIPAA Privacy policies to ensure they include the required topics and reflect the new regulations, and
  • Provide the training necessary to get your staff up to speed on your HIPAA policies, new and old.
 

The HIPAA Security Rule

isn’t changing much, but it’s being enforced more fully and you need to be sure you have the risk analysis, policies, and procedures necessary to protect PHI.  We can:

  • Perform a HIPAA Security Risk Analysis to identify the areas you need to focus on for reducing your security risks,
  • Review your HIPAA Security policies to make sure they meet the extensive requirements of the rules, and provide new policy language where needed,
  • Provide the training you need to make sure policies are actually implemented and followed,
  • Provide technical security specialists to review the technical security of systems and networks and recommend and implement improvements, and
  • Establish the documentation necessary to show compliance, and documentation systems needed to stay in compliance.
 

The HIPAA Breach Notification Rule

requires that you have an incident handling process that will help you determine whether an incident is a breach or not, and what to do if it is.  We can:

  • Review your policies and procedures to ensure you have what you need in the event of a potential breach, and
  • Provide the policies and processes to help prevent breaches, prepare for the eventuality of breaches, and provide a guide for what to do when a breach actually occurs.
 

Business Associates

have new obligations under the HIPAA regulations that will require changes to the Business Associate Agreements you have in place as well as new ones going forward.  We can help you:

  • Prioritize your BA agreements for review and updating, and
  • Provide language to amend current agreements and create a new template.
 

New audit and enforcement activities

raise the bar for compliance with HIPAA.  We can help you:

  • Work through the compliance questions asked of other entities in prior audits,
  • Understand the most common risks and how they can be minimized, and
  • Avoid the problems the enforcers from the US Department of Health and Human Services find most often, and the fines they’ll be happy to levy for non-compliance.
 

To Comply or Not To Comply?

The Federal Agencies enforcing the HIPAA/HITECH Privacy and Security Acts include the Department of Health and Human Services (HHS/CMS), the Office of Inspector General (OIG) and the Office of Civil Rights (OCR). The State Attorneys General have also been empowered to enforce the HIPAA/HITECH laws. They carried out the first round of random audits last year (2012) and, based on the results, they now have a better idea of where the covered entities (Providers, Health Plans and Clearinghouses, and their Business Associates) have weak spots and what red flags they should look for to identify a CE that needs further scrutiny. There is also a policy shift towards conducting audits without a reported offence, as opposed to what it used to be in the past. The HITECH Act brought heavier fines and sanctions. This year (2013) some significant modifications have been made to the HIPAA and HITECH Final Rules that bring the Business Associates under the CE umbrella as well. Patients are also becoming more aware of their rights. It all boils down to CEs needing to proactively become compliant and stay on top of these privacy and security Rules. The HIPAA Privacy, Security, and Breach Notification Rules require a number of policies and procedures to be established, and actions to be taken for compliance.

Background:

In 1996 Congress passed the HIPAA laws that defined how Healthcare providers needed to protect their patients’ medical information. These were focused around privacy and dealt with procedures, policies and forms that doctors needed to use in their practices. In February of 2010, Congress passed the HITECH Act, which expanded the HIPAA rules to cover electronic Protected Health Information (e-PHI) because of the push to get everyone using Electronic Medical Records (EMR), also known as Electronic Health Records (EHR). All medical practices (Doctors, Dentists, Chiropractors, Nursing Care, Psychologists, etc.) and their Business Associates that handle Patient Health Information (PHI) are now required to achieve and maintain compliance with regulations set forth in the HIPAA and HITECH Acts. This compliance must be made available for review by auditors and inspectors. See the Act here – HITECH Act Enforcement Interim Final Rule.

We provide a broad array of HIPAA-HITECH solutions to help meet HIPAA-HITECH regulatory requirements. These include, for example, data protection products, incident and data breach management, encryption services, policy templates, business associate templates and more.


HCC also provides Online Social Media and Information Technology solutions for the Healthcare Industry.


The Risk?

  • The maximum fine under HIPAA was $100; it is now $50,000
  • If the violation is considered willful neglect, fines have been increased from $25,000 to $1.5 MILLION
  • Each state's Attorney General can now prosecute HIPAA violations
  • The Office of Civil Rights (OCR), the federal HIPAA enforcement agency, and the State Attorney General can keep the fines
  • There are many new CRIMINAL liabilities, in addition to civil fines


Federal Reimbursement?

You must prove “Meaningful use” if you want to get your federal grant / reimbursement (up to $44,000). The “meaningful use” criteria include a set of 15 “core” requirements – #15 requires a Security Risk and a Gap analysis of your practice. We deliver this risk analysis and the reports required for demonstrating Meaningful use.
