What to Expect and How to Prepare: Healthcare Security & Privacy Regulation and Enforcement in 2015 and Beyond

2014 Data breaches

Settlements & Resolution Agreements

Approximately $5.5 million collected

Greatest number of HIPAA settlements

HIPAA Audits

Leadership changes

Complaints, compliance reviews & investigations

“OCR’s strong enforcement of the HIPAA privacy, security, and breach notification rules, remains very much on track.”

2015

HIPAA Audits

Enforcement

Complaints, compliance reviews & investigations

HIPAA Audits

Policies & procedures – daily activities

Staff knowledge & training

Cybersecurity – Risk assessments, breach notification & access controls

Privacy notice practices

Audit protocol

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Enforcement

6,000+ open investigations

Increased focus on negotiating settlements

Various methods for enforcement

Complaints & Investigations

Complaints volume increases each year

Record number expected for 2015

Inconsistency between regional offices

Request policies & procedures (mini audits)

Culture of compliance

How to Prepare

1. Cybersecurity

2. Business Associate Agreements

Cybersecurity Gap analysis

Staff training

Inventory of systems & devices

Regular review of policies & procedures

Business Associate Agreements

HITECH Act

Increased negotiation surrounding BAAs

Indemnity

Which entity is responsible for breach notification & responding to patient requests

Subcontractor BAAs

Termination rights for material breach

Takeaways

Audit first

Review and negotiate BAAs

Dust off Policies & Procedures

Addressable Elements

Compliance Culture

Questions?

Carrie S. Gilbert, Dressman Benzinger LaVelle psc

cgilbert@dbllaw.com, 859-341-1881
