The collection of laws and regulations known commonly as HIPAA is comprised of two federal statutes and three federal rules: The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the Privacy Rule (found at 45 C.F.R. 164.500 et. seq.), the Security Rule (found at 45 C.F.R. 164.300 et. seq.) and the Breach Notification Rule (found at 45 C.F.R. 164.400 et. seq.). The three rules were amended and combined in 2013 into what is known as the HIPAA Privacy, Security, Enforcement and Breach Notification: Final Omnibus Rule. The federal Office for Civil Rights (“OCR”) has the duty and responsibility to investigate complaints or reports of potential HIPAA violations and to continuously monitor entities required to comply with HIPAA (“Covered Entities”) for compliance. OCR began a preliminary pilot program for random compliance audits of Covered Entities in 2015.

The OCR looks at several areas of HIPAA compliance when performing an audit including:

• Does the Covered Entity have a Notice of Privacy Practices? Is the notice complete?  Is the notice posted and distributed properly
• What are the patients’ rights to request privacy protection, access to or an accounting of disclosures of their protected health information (“PHI”)
• What are the Covered Entities' administrative requirements for the security of PHI
• Does the Covered Entity have proper Authorizations for Use and Disclosure of PHI available for patient use
• Are there proper administrative, physical and technical safeguards in place on the premises of the Covered Entity

All medical practices must have a designated Security Officer who is responsible for HIPAA security. The designated Security Officer should perform regular internal Compliance Risk Assessments as well as staff training sessions to ensure that all of the proper protections are in place and are functioning properly. 

OCR is on schedule to begin its second round of HIPAA audits in early 2016 and plans to include many more types of Covered Entities than were included in the first phase as well as Business Associates (as defined by HIPAA) of Covered Entities. One of the essential items that OCR will be looking for is the proper performance of an internal Compliance Risk Assessment and the implementation of any necessary plans to cure any problems that are discovered as a result of the Compliance Risk Assessment or any recorded and reported Breach that has taken place. Although OCR will not be publicly posting any audit results, the results are not confidential and the potential financial consequences of a poor audit are substantial. 

HIPAA compliance is one of the most cited and least understood laws in the typical medical practice.  Although HIPAA has been in place for decades, it has changed rapidly in the last ten years due to the rapid proliferation of technology in medicine. In addition to these progressive changes, the law itself underwent a major overhaul in 2013 resulting in any practice that has not updated its HIPAA materials since that time being out of compliance. The speaker will highlight the major changes that must have been implemented after the 2013 HIPAA updates. Thereafter, the webinar will focus on the identification of a breach and what the required process is to remedy a breach if it is determined one has occurred.

1.Improve Compliance with Regulations/Laws.

• Understand the method to determine if a breach has occurred under the 2013 Omnibus Rule
• Gain skills for implementation of incident review in your practice
• Asses measures currently in place for compliance and efficiency

2.Reduce the possibility of Audits, Penalties and/or Fines.

• Reduce Risk of Unnecessary Government Investigation Due to Over-reporting
• Lower exposure to potential fines by ensuring appropriate reporting when necessary
• Develop the necessary policies and procedures to reduce patient complaints and dissatisfaction

3.Understand when and how frequently staff must be trained in HIPAA policy.

4.Tools to mitigate issues that cause incidents and breaches.

5.Resources to determine if policies and procedures are sufficient or require updating.

6.Clear guidelines as to how to report various types of breaches.

7.Step-by-step process to determine if an incident is a breach.