The New Audit Protocol And How It Affects You
Webinar: Tuesday, July 24, 2012 @ 01:00 pm Eastern
In this session we will discuss the HIPAA audit and enforcement processes and how they apply to covered entities and business associates, and the new random HIPAA compliance audit program in particular. We will review the new audit processes and discuss what will be asked in an audit and how. Protocols and the questions asked at recent audits will be explained.
We will explain the enforcement regulations and their recent changes that increase fines and create new penalty levels, including new penalties for willful neglect of compliance that begin at $10,000. We will discuss what information and documentation needs to be prepared in advance so that you can be ready for an audit without notice. Sample information request forms and questions asked at prior audits will be presented.
The session will also cover how to know if you may become the subject of an audit or enforcement action, and what you can do to help limit your exposure. We will discuss how most enforcement actions come about and what can be done to prevent incidents that lead to enforcement.
The HIPAA Privacy, Security, and Breach Notification regulations and how they will be audited will be explained. Documentation requirements for compliance will be explored and a framework of security policies necessary for compliance will be presented.
The results of prior HHS audits (and their penalties) will be discussed, including recent actions involving multi-million dollar fines and settlments. A plan for attaining compliance will be presented. The steps to follow to prepare for an audit and respond to an audit request will be outlined. In addition, upcoming trends in information security risks will be discussed.
This session will prepare health care professionals so they can quickly and properly respond to audits and minimize any issues related to responding to audit requests, based on the latest information from HHS and entities that have been recently audited.
Why should you attend: The US Department of Health and Human Services (HHS)has begun, a program to meet requirements in the HITECH Act in the American Recovery and Reinvestment Act of 2009 (ARRA) for performing periodic audits of compliance with the HIPAA Privacy and Security Rules. In addition new enforcement is taking place related to the new HIPAA Breach Notification Rule. While in the past, audits had been performed only at entities that had had a compliant filed against them, the new rule calls for audits whether or not there is a complaint. This means that the HHS Office for Civil Rights (OCR) can show up at your door and ask to perform an audit on short notice, and your organization will need to be ready.
Now information is available on how the audits are conducted and what the auditors are looking for, and if you want to stay ahead of the auditors, you will need to be able to quickly respond to audits. The best way to do that is to know what they will ask.
If your organization is not ready, the HIPAA rules have new, significantly higher fines, including mandatory minimum fines of $10,000 for willful neglect of compliance. All HIPAA Covered Entities and Business Associates need to be fully in compliance and prepared for an audit at any time, or risk the significant fines for non-compliance.
In addition, HIPAA enforcement has taken on a new importance at HHS, as shown in multi-million dollar fines and even a one million dollar settlement for a breach of just 192 records. HHS OCR officials have publicly stated that enforcement is now a priority, and that means being ready for an audit is more important than ever. The “slap-on-the-wrist” days are over and fines and settlements are being levied, with more on the way — don’t let your organization be hit for an audit unprepared. And even postal inspectors are now using HIPAA to prosecute identity theft cases.
By using an information security management process, those responsible for health information can develop the procedures and policies that can help prevent security problems, and help prepare the organization for any incidents, audits, or enforcement actions.
If you don’t take the proper steps to ensure your patients’ health information is being protected according to the HIPAA Security and Privacy Rules, you can be hit with significant fines and penalties. With the increased HIPAA fines beginning at $10,000 in cases of willful neglect, providing good information security and being in compliance are more important than ever.
Areas Covered in the Session:
- Fines and penalties for violations of the HIPAA regulations have been significantly increased and now include mandatory fines for willful negligence that begin at $10,000 minimum.
- HIPAA Audits have been few and far between in the past, but that’s now changing – the HHS is now auditing HIPAA covered entities and business associates even if there have been no complaints or problems reported.
- Find out what the audit process is, what HHS OCR is likely to ask you if you are selected for an audit, and what you’ll have to have prepared already when they do.
- Find out what the rules are that you need to comply with and what policies you can adopt that can help you come into compliance.
- Learn how the HIPAA rules have changed and how you may need to change how you work to keep up with them.
- Learn how having a good compliance process can help you stay compliant more easily.
- Find out what you’ll need to have documented to survive an audit and avoid fines.
- Find out what you’ll need to think about to deal with future threats to the security of patient information.
Who Will Benefit:
- Compliance Director
- CEO and CFO
- Privacy Officer
- Security Officer
- Information Systems Manager
- HIPAA Officer
- Chief Information Officer
- Health Information Manager
- Healthcare Counsel/lawyer
- Office Manager
- Engineering Staff
CLICK HERE for additional information and to register.
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to health care firms and businesses throughout the Northeast and nationally. Sheldon-Dean’s firm provides a variety of advisory, training, assessment, policy development, project management and mitigation services for a number of health care providers, businesses, universities, small and large hospitals, urban and rural mental health and social service agencies, health insurance plans and health care business associates. He serves on the HIMSS Information Systems Security Workgroup, the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and co-chairs the WEDI HIPAA Updates sub-workgroup. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at AHIMA national conventions and WEDI national conferences, and before the New York Metropolitan Chapter of the Healthcare Financial Management Association, Health Information Management Associations of New York City, New York State, and Vermont, the Connecticut Hospital Association, and the Hospital and Health System Association of Pennsylvania. Sheldon-Dean has nearly 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.