Overview:
This session provides an overview of HIPAA enforcement rules and recent HIPAA enforcement activity. While the worldwide pandemic has prompted some relaxation of HIPAA requirements in specific circumstances to ease provision of medical services and communication of essential public health information, enforcement of HIPAA has continued, and the enforcement settlement pace has increased significantly.
Recent enforcement actions show a willingness by HHS to work in
conjunction with State Attorneys General to bring about settlements for
violations of several laws at once, a new emphasis on the importance of
prompt action on requests for individual access to Protected Health
Information (PHI), and a new crackdown on doctors responding to
patients’ social media posts and including PHI in the posting.
A particular focal point in recent enforcement is the issue of systemic
non-compliance leading to a breach.
Too many organizations haven’t done what’s necessary to assess their
risks, provide training, establish the correct organizational
relationships, and other compliance issues, resulting in a reportable
breach, and now they’re paying in multi-million dollar settlements and
multi-year corrective action plans.
And new guidance from HHS about the liability of Business Associates for
compliance makes it clearer what Business Associates are liable for,
and what responsibilities for HIPAA compliance remain in the Covered
Entities’ hands. Both Covered Entities and Business Associates need to
be prepared for the enforcement distinctions and responsibilities.
In this session we will discuss the enforcement actions that have been
taken, and the lessons that can be learned from those actions. We will
explore what kind of issues were most prevalent and what kind of
entities had the most problems, and show where entities need to improve
their compliance the most based on real enforcement experience.
Fines and penalties for violations of the HIPAA regulations have been
increased and include mandatory fines for willful neglect of the rules
that begin at over $10,000 minimum and can reach more than $50,000 per
day, but showing due diligence can reduce culpability and penalties.
Even though the HIPAA audit program is on hold for at least the time
being, that doesn’t mean there will be no enforcement of the HIPAA
rules. In fact, preparing for a HIPAA Audit is one of the best ways to
be ready to respond to any enforcement action, and going through an
internal HIPAA Audit will help you find issues before they become
problems that can lead to penalties.
USDHHS has published an updated, July 2018 protocol for the HIPAA
audits, so it is possible to know how to prepare for an audit or
enforcement review. Nearly any health care covered entity may be subject
to an audit or enforcement investigation; all entities need to know
what kinds of questions they’ll be asked, what information they'll need
to provide and how to prevent issues that could lead to violations and
fines.
Why You Should Attend:
The US Department of Health and Human Services (HHS) Office for Civil
Rights has been pursuing a great deal of enforcement activity recently
that involves compliance in two primary areas.
One is violations involving systemic noncompliance with security
safeguards resulting in a breach, and the other is non-compliance with
requirements for the provision of patient access to health records. And
the pace of announcements of settlements has become a torrent of
enforcement actions, with several announced in the space of a few days
and even five in one announcement.
HHS OCR is definitely not relaxing HIPAA enforcement; it is using
enforcement to further its goals of securing information and providing
access to individuals.
The US Department of Health and Human Services (HHS) has also been busy
with enforcement focused in new areas and on new kinds of entities, and
compliance responsibilities for HIPAA Business Associates have been
clarified. At the same time enforcement has been relaxed during the
pandemic emergency for some HIPAA Business Associate requirements
pertaining to telemedicine.
The HHS Office for Civil Rights (OCR) recently increased the penalty
levels for HIPAA violations and indicated a new emphasis on the
culpability of organizations when determining penalties for rule
violations. If you have taken steps to comply with HIPAA, you will be
treated less severely than if you have ignored compliance.
Taking steps to meet compliance requirements can help minimize potential
penalties. Penalties have been increased across the board, now up to
more than $1.7 million per violation, and a single incident may spawn
several violations. The maximums permitted annually for any one
violation have been reduced for all but the highest level of violation,
but all other fine levels have been increased.
Areas Covered in the Session:
- Find out what HHS OCR is likely to ask you if you are selected for
an audit or enforcement review, and what you'll have to have prepared
already when they do
- The HIPAA Audit Protocol will be examined along with the sets of questions asked at other, previous HIPAA audits
- HIPAA enforcement actions will be explored, to illustrate violations
that can be avoided and the proper practices that can help compliance
- Relaxation of enforcement for the pandemic will be explained, including how it works during and after the emergency
- Learn how having a good compliance process can help you stay compliant more easily
- Find out what you'll need to have documented to survive an audit or enforcement review and avoid fines
- Learn how to use the contents of the HIPAA Audit Protocol as the foundation of your compliance activities and documentation
Who Will Benefit:
- CEO
- HIPAA Privacy Officers
- HIPAA Security Officers
- Information Security Officers
- Risk Managers
- Compliance Officers
- Privacy Officers
- Health Information Managers
- Information Technology Managers
- Information Systems Managers
- Medical Office Managers
- Chief Financial Officers
- Systems Managers
- Chief Information Officer
- Healthcare Counsel/lawyer
- Operations Directors