What is happening with the Affordable Care Act and HIPAA?
© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC
J. Ira Bedenbaugh, Consulting Shareholder
This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.
Affordable Care Act
• Employer Shared Responsibility Provision
  • 2016 – Penalties will apply to firms with 50 or more employees that do not provide coverage, or that offer coverage which does not meet minimum value and affordability standards
  • President Obama recently signed legislation changing the coverage and cost requirements for small businesses
Affordable Care Act
• Accountable Care Organizations
  • Coordinate Medicare beneficiaries’ care and provide services more efficiently
  • In 2014
    • 196 ACOs saved Medicare money
    • 97 received bonuses
    • 157 ACOs had costs greater than Medicare expected
    • 3 ACOs had to pay back Medicare
    • Net impact was a $3 million loss to Medicare on the $500 billion Medicare spent in 2014
Affordable Care Act
• Medicaid expansion
  • Medicaid enrollment expanded by 13.8% in FY 2015
  • Federal Medicaid spending increased by 13.9% in FY 2015 and State spending increased by 4.5% in FY 2015
  • In FY 2016, Federal Medicaid spending is expected to increase 6.9% and State spending 4.2%
Affordable Care Act
• Insurance Exchange
  • Enrollment began November 1, 2015
  • 11.7 million selected plans by the end of the 2015 enrollment period
  • 9.9 million were enrolled at the end of June 2015
  • Goal of 10 million enrollees for 2016
  • 2016 – fines will be the greater of $695 per person ($347.50 per child under 18) or 2.5% of income
  • With the 2016 enrollment, consumers will be able to see if their physicians are covered under specific plans
Affordable Care Act
• Insurance Co-ops
  • Created under the ACA to foster competition by offering consumer-friendly plans with greater choice and better coverage
  • Co-ops are in 23 states
  • 11 received notices that they must produce “corrective plans”
Affordable Care Act
• Cadillac Tax
  • Scheduled to take effect in 2018
  • 40% excise tax on insurance plans that are deemed too generous – premiums greater than $10,200 for an individual and $27,500 for a family
  • Options for governmental entities
    • Reduce benefits and therefore costs of plans
    • Pass along tax to taxpayers
HIPAA
• In August 1996 Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Improve portability and continuity of health insurance
  • Combat waste, fraud and abuse in health insurance and health care delivery
  • Promote the use of medical savings accounts
  • Improve access to long-term care
  • Simplify the administration of health insurance
Privacy Rules – Protected Health Information
• “Individually identifiable health information” held or transmitted by a covered entity or a business associate in any form or media
  • Demographic data
  • Individual’s past, present or future physical or mental health or condition
  • Provision of health care to the individual
  • Past, present or future payment for the provision of health care to the individual
Security Rule
• Published in February 2003 by the Department of Health and Human Services
• Set national standards regarding electronic protected health information (“ePHI”)
  • Confidentiality
  • Integrity
  • Availability
Security Rule – Protected Health Information
• Individually identifiable health information in an electronic form that an entity
  • Creates
  • Receives
  • Maintains
  • Transmits
Responsibilities of Covered Entity
• Covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI
  • Ensure the confidentiality, integrity and availability of all ePHI which is created, received, maintained or transmitted
  • Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure compliance by the workforce
HIPAA Breaches
• Breaches reported in NC, SC, TN and VA from January 2014 through October 15, 2015

                              NC          SC          TN          VA
All entities
  Breaches                     9           4          13          10
  Individuals affected   162,227      93,093   4,997,566     818,554
  Individuals per breach  18,025      23,273     384,428      81,855
Governmental entities
  Breaches                     2           1           1           1
  Individuals affected    49,707      50,000       1,717     697,586
  Individuals per breach  24,853      50,000       1,717     697,586
Types of Breaches
Type of Breach NC SC TN VA
Hacking/IT Incident 1 2
Improper Disposal 1 2
Loss 1 1
Loss/Theft 1
Other 1
Theft 3 1 6 4
Theft/Unauthorized Access/Disclosure 3
Unauthorized Access/Disclosure 4 1 4
Types of Breaches
Type of Breach Governmental
Hacking/IT Incident 1
Improper Disposal 1
Loss 1
Loss/Theft
Other 1
Theft
Theft/Unauthorized Access/Disclosure
Unauthorized Access/Disclosure 1
HIPAA Enforcement
HIPAA Violation                          Minimum Penalty                                      Maximum Penalty
Did not know                             $100 per violation, annual maximum of $25,000        $50,000 per violation, annual maximum of $1.5 million
Reasonable cause and not willful neglect $1,000 per violation, annual maximum of $100,000     $50,000 per violation, annual maximum of $1.5 million
Willful neglect with corrective action   $10,000 per violation, annual maximum of $250,000    $50,000 per violation, annual maximum of $1.5 million
Willful neglect and not corrected        $50,000 per violation, annual maximum of $250,000    $50,000 per violation, annual maximum of $1.5 million
HIPAA Compliance
• Office for Civil Rights (“OCR”) is responsible for enforcement of HIPAA regulations
• Federal Trade Commission (“FTC”) has begun enforcement under Section 5 of the FTC Act
• OCR and FTC have worked together in parallel investigations of CVS Caremark and Rite Aid
• FTC acted alone in regard to Accretive Health and GMR Transcription, with both entities entering into twenty-year consent agreements
HIPAA Compliance
• OCR has engaged FCi Federal to conduct the Phase 2 Audit Program
• In Phase 1, OCR found that smaller entities had substantial problems with compliance, especially with the Security Rule
• 1,200 covered entities will receive audit surveys between the end of September 2015 and the middle of October 2015
• 300 of the 1,200 will be selected for an audit
• Entities will have 10 days to respond to the audit request
Focus of Audits
• Privacy Rule
  • Notice of Privacy Practices (2014)
  • Safeguards and Training to Policies and Procedures (2015)
  • Complaints (2016)
• Security Rule
  • Risk Analysis and Risk Management (2014)
  • Device/Media Controls and Transmission Security (2015)
  • Encryption and Decryption (2016)
  • Physical Facility Access Controls (2016)
Focus of Audits
• Breach Rule
  • Content and Timeliness of Notifications (2014)
  • Breach Reports (2016)
Preparing for an Audit
• Organization should have a current risk assessment
Requirements of a Risk Assessment
• Organization must identify where ePHI is stored, received, maintained and transmitted
• Organization must identify and document reasonably anticipated threats to ePHI
• Organization must identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access or disclosure of ePHI
• Organization must assess current security measures
• Organization must determine the likelihood of a threat occurrence
• Organization must determine the potential impact of a threat occurrence
• Organization must determine the level of risk and document the corrective actions to be performed to mitigate risk
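The risk assessment elements listed above map naturally onto a risk register. The following Python helper is an added example, not code from the presentation or from Elliott Davis Decosimo: it records each required element per ePHI location, combines likelihood and impact on an assumed 3x3 matrix (the Security Rule does not prescribe a scale), ranks entries so corrective actions are scheduled by risk, and reports which entries an auditor would find undocumented. The field names, the matrix thresholds and the sample entries are assumptions constructed for illustration.

```python
"""Minimal HIPAA risk-register helper (added example, not the presentation's own).

The 3x3 likelihood/impact matrix, the field names and the sample entries are
assumptions chosen to illustrate the elements the slides list; the Security
Rule leaves the scoring method to the covered entity.
"""
from dataclasses import dataclass

# Elements the risk assessment must document (in the order the slides list them).
REQUIRED_FIELDS = ("ephi_location", "threat", "vulnerability", "current_measures",
                   "likelihood", "impact", "corrective_action")

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEntry:
    ephi_location: str          # where ePHI is stored, received, maintained or transmitted
    threat: str                 # reasonably anticipated threat
    vulnerability: str          # weakness the threat could trigger or exploit
    current_measures: str       # security measures already in place
    likelihood: str             # low / medium / high (assumed scale)
    impact: str                 # low / medium / high (assumed scale)
    corrective_action: str = ""  # documented mitigation; may be empty for low risk


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact on an assumed 3x3 matrix: product >= 6 is high,
    >= 3 is medium, otherwise low."""
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def missing_documentation(entry: RiskEntry) -> list[str]:
    """Return the required elements this entry leaves blank.

    A corrective action is demanded only once the risk is medium or high;
    a low risk may be accepted without one under this assumed policy.
    """
    missing = [f for f in REQUIRED_FIELDS[:-1] if not getattr(entry, f).strip()]
    if risk_level(entry.likelihood, entry.impact) != "low" and not entry.corrective_action.strip():
        missing.append("corrective_action")
    return missing


def prioritize(register: list[RiskEntry]) -> list[tuple[str, RiskEntry]]:
    """Order entries high -> medium -> low so mitigation is scheduled by risk."""
    order = {"high": 0, "medium": 1, "low": 2}
    scored = [(risk_level(e.likelihood, e.impact), e) for e in register]
    return sorted(scored, key=lambda pair: order[pair[0]])


# Constructed sample register; these are illustrative entries, not real findings.
SAMPLE_REGISTER = [
    RiskEntry("Laptops used by billing staff", "Theft of device", "Disk not encrypted",
              "Cable locks in office", "medium", "high", "Deploy full-disk encryption"),
    RiskEntry("Practice management server", "Ransomware via phishing",
              "No offline backups", "Email filtering, antivirus", "high", "high", ""),
    RiskEntry("Fax line for referrals", "Misdirected fax", "No cover-sheet verification",
              "Confirm number before sending", "low", "low", ""),
]


def audit_summary(register: list[RiskEntry] = SAMPLE_REGISTER) -> dict:
    """What an auditor would ask for: the risk ranking and the documentation gaps."""
    return {
        "ranked": [(level, e.ephi_location) for level, e in prioritize(register)],
        "gaps": {e.ephi_location: missing_documentation(e)
                 for e in register if missing_documentation(e)},
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit_summary())
```

Running the block ranks both the unencrypted laptops and the server with no offline backups as high risk and flags the server entry because no corrective action has been documented; the low-risk fax entry passes without one. Whatever scale an organization adopts, the point for the Phase 2 audit is that every element, including the decision to accept a low risk, is written down.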
Preparing for an Audit
• Organization should have a current risk assessment
• HIPAA policies must be up to date and reflect changes in regulations
• Business Associate Agreements must be up to date and the organization must be able to provide a list of business associates
• Organization must maintain a HIPAA compliance file that includes evidence of compliance, including training, review of activity logs, breaches and resolution of breaches
• Organization must have a training program in place for staff
Ira Bedenbaugh
Email: [email protected]
Phone: 864.552.4715
Website: www.elliottdavis.com
Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With sixteen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.