The collection of laws and regulations known commonly as HIPAA comprises two federal statutes and three federal rules: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the Privacy Rule (found at 45 C.F.R. 164.500 et seq.), the Security Rule (found at 45 C.F.R. 164.300 et seq.) and the Breach Notification Rule (found at 45 C.F.R. 164.400 et seq.). The three rules were amended and combined in 2013 into what is known as the HIPAA Privacy, Security, Enforcement and Breach Notification: Final Omnibus Rule. The federal Office for Civil Rights ("OCR") has the duty and responsibility to investigate complaints or reports of potential HIPAA violations and to continuously monitor entities required to comply with HIPAA ("Covered Entities") for compliance. OCR began a preliminary pilot program for random compliance audits of Covered Entities in 2015.
OCR looks at several areas of HIPAA compliance when performing an audit, including:
All medical practices must have a designated Security Officer who is responsible for HIPAA security. The designated Security Officer should perform regular internal Compliance Risk Assessments as well as staff training sessions to ensure that all of the proper protections are in place and are functioning properly.
OCR is on schedule to begin its second round of HIPAA audits in early 2016 and plans to include many more types of Covered Entities than were included in the first phase, as well as Business Associates (as defined by HIPAA) of Covered Entities. One of the essential items OCR will look for is the proper performance of an internal Compliance Risk Assessment, together with the implementation of any plans needed to cure problems discovered through that assessment or through any recorded and reported Breach that has taken place. Although OCR will not publicly post audit results, the results are not confidential, and the potential financial consequences of a poor audit are substantial.
HIPAA is one of the most cited and least understood laws in the typical medical practice. Although HIPAA has been in place for decades, it has changed rapidly in the last ten years because of the rapid proliferation of technology in medicine. In addition to these progressive changes, the law itself underwent a major overhaul in 2013; as a result, any practice that has not updated its HIPAA materials since that time is out of compliance. The speaker will highlight the major changes that must have been implemented after the 2013 HIPAA updates. Thereafter, the webinar will focus on the identification of a breach and on the required process to remedy a breach once it is determined that one has occurred.
1. Improve compliance with regulations and laws.
2. Reduce the possibility of audits, penalties and/or fines.
3. Understand when and how frequently staff must be trained in HIPAA policy.
4. Tools to mitigate issues that cause incidents and breaches.
5. Resources to determine if policies and procedures are sufficient or require updating.
6. Clear guidelines as to how to report various types of breaches.
7. Step-by-step process to determine if an incident is a breach.
Gina Campanella focuses on corporate counsel, healthcare regulatory and transactional matters federally and in New Jersey, New York, Vermont, the District of Columbia and Pennsylvania. She has assisted clients with transactional services and regulatory compliance consulting, as well as general counsel services to small practices and large societies and medical groups alike. Clients also seek her expertise when reviewing employment agreements, formation of new practices, separation from and sale of practices, business structuring, and surgical center licensing and registration, including preparation for Department of Health, AAAHC and AAAASF surveys of licensed and Medicare-deemed facilities, as well as preparation and implementation of resulting plans of correction. She lectures nationally on issues of health care law and compliance for events and organizations such as the New Jersey Association of Osteopathic Physicians and Surgeons, the Atlantic Regional Osteopathic Conference, the New Jersey Chapter of the American College of Emergency Physicians, the New Jersey Podiatric Medical Society, the Health Care Compliance Association, the New Jersey Medical Group Management Association, the New York Medical Group Management Association, Columbia University Medical School, the Advanced Emergency & Acute Care Medicine CME Conference, the CentraState Medical Center Practice Managers Group, Bassett Medical Center Medical Staff, the New Jersey State Society of Physician Assistants, MentorHealth and Skillacquire.