Source file: HIPAA-HITECH-Webcast.pdf · 2019-08-24
Prepare for new HIPAA-HITECH security rules
How breach notification requirements and changes in the enforcement landscape will impact your business
Today's session begins at 3:00 pm eastern time
To receive 1.5 hours of CPE or CLE, you must individually participate by:
- Remaining logged in for the entire session
- Responding to all polling questions
Learning objectives
At the end of this webcast, you will better understand…
• The new Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191) security rules
  – Overview of the new HITECH legislation, the new security requirements, deadlines and consequences for noncompliance
How well do you understand the new HITECH act overall?
A. Very well
B. I understand the components that are important to me
C. I understand a little bit
D. I’m hoping to understand more by attending this
Other key changes
• Business Associates liable for criminal and civil penalties
• Compliance audits required
• State Attorneys General expressly authorized to enforce
• Enforcement funding and, by 2012, percentage of CMPs/settlement distributed to individuals
• Explicit authority to seek criminal penalties for wrongful disclosure of protected health information (PHI)
• PHI against individuals
• Net effect
  – More aggressive enforcement
  – Higher penalties
  – More potential opportunities for enforcement
Has your organization performed a thorough risk assessment in the…
A. Last 12 months
B. Last two years
C. Not sure when we did one last
D. I don’t know, I’m stumped
• Content
  – Description of breach, including dates of breach and discovery
  – Description of types of PHI involved
  – Steps individuals should take to protect against harm
  – Steps taken by Covered Entity to mitigate and protect against harm
  – Contact procedures
• Procedures
  – Written notice via First Class mail to last known address
  – Substitute notice, if insufficient or out of date information
  – May use telephone or other means if urgent
• Single notice may meet any state law requirements
• Multiple notices permitted
• If breach involves 500 or more individuals, notify HHS Secretary simultaneously with notice to individuals
• If fewer than 500 individuals, maintain log and provide information to HHS Secretary within 60 days of the end of the calendar year
• Form for notification of HHS Secretary (OMB No. 0990-0346) at http://transparency.cit.nih.gov/breach/index.cfm.
• Among other things, form requires an attestation and requests information about:
  – Type of breach, e.g., theft, loss
  – Location of breached PHI
  – Safeguards in place prior to breach
  – Actions taken in response to breach
Which of the following describes your organization? We are…
A. Well-prepared to respond to a breach.
B. Somewhat prepared to respond to a breach.
C. Not at all prepared to respond to a breach.
D. We'll just figure it out, if and when it happens.
1. Begin with a thorough risk assessment
2. Identify all locations with PHI
3. Determine whether encryption is warranted, and to what extent
4. Create a cost-effective plan to mitigate top risks
5. Ensure business associate contracts are modified
6. Update policies and procedures
7. Take a cross-functional approach to compliance
How would improved breach readiness help your organization?
A. Avoid litigation
B. Avoid negative press
C. Avoid serious legal and administrative costs
D. All of the above
Tax Professional Standards Statement
This document supports Grant Thornton LLP’s marketing of professional services, and is not written tax advice directed at the particular facts and circumstances of any person. If you are interested in the subject of this document, we encourage you to contact us or an independent tax advisor to discuss the potential application to your particular situation. Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein. To the extent this document may be considered to contain written tax advice, any written advice contained in, forwarded with, or attached to this document is not intended by Grant Thornton to be used, and cannot be used, by any person for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.