The webinar, given by an expert HIPAA consultant, author, attorney, and expert witness, will begin with an introduction stressing the importance of complying with the requirement to write and adopt policies and procedures, both those expressly stated and those that may also be necessary and whose absence has resulted in a fine.
After the introduction, the seminar will focus on why we need to understand this topic, how to use the HIPAA-required Risk Analysis to help you decide which policies and procedures to develop, and how to conduct research before drafting policies and procedures by asking and answering the right questions, soliciting help, and collecting samples. Then it will cover how to draft policies and procedures that comply with HIPAA’s requirements, based on sound principles of substance, organization, coherence, style, and correctness.
Once policies are adopted, HIPAA requires covered entities and business associates to revise policies and procedures, including steps of reviewing, incorporating recommended changes, and implementing.
Then the webinar will help you decide whether you must draft addressable policies under HIPAA, that is, policies that you only have to implement if it is reasonable and appropriate to do so. It then covers how to decide whether you need any other policies not mentioned by HIPAA.
The webinar will conclude with a summary and a question and answer session.
Most HIPAA Security Standards do not require the implementation of any specific security measure. Rather, they require covered entities and business associates to write and adopt policies and procedures. For example, the Security Rule does not require you to terminate access in any particular way. Rather, you must have a Termination Procedure spelling out how you will terminate access. A number of six- and seven-figure fines from HHS have involved not having policies or procedures or not having adequate ones. And HHS has fined violators in excess of for not having policies not even mentioned in HIPAA. Massachusetts General Hospital, for example, was fined $1 million for leaving paper PHI on a subway. No work-at-home policy! No such policy is mentioned in HIPAA.
And just having a policy is not enough; it must say what you want it to say, understandably, and be enforceable.
Jonathan P. Tomes is a national HIPAA compliance consultant and attorney admitted in Illinois, Missouri, Kansas, and Oklahoma who practices in Kansas City, Kansas, and the greater Kansas City area. After he had retired from the U.S. Army as a JAGC officer, having been a military judge (which taught him how to read and interpret government regulations) and having spent several years as a military intelligence officer (which taught him about gathering and using information), he taught law at IIT Chicago-Kent College of Law before he opened his own private law practice. Mr. Tomes is President of EMR Legal, a national HIPAA compliance consulting firm. EMR Legal has consulted and trained over 1,000 HIPAA clients since 1998, ranging from Federal, State and County governments to large hospitals to small practices. Jon is currently working on an online HIPAA training video and an online HIPAA risk assessment.