Skip to main content

How to Handle HIPAA and HITECH Act Breaches, Complaints and Investigations: Everything You Need to Know

Compliance Key INC - HIPAA Compliance Training

Jonathan P. Tomes , J.D., is Keynote Speaker at Compliance key Inc. He is a health care attorney practicing in the greater Kansas City. He is a nationally recognized authority and expert witness on the legal requirements for health information.
 Seminar Id: IJ2018S5
 06:00 AM PT | 09:00 AM ET
 03/05/2018
 Duration: 1 Day
Overview
Every covered entity and the business associate will experience one or more security incidents every year. Such incidents range from an employee forgetting to log off with no harm done because you caught it before any unauthorized person accessed the computer to a ransomware attack in which you must pay a six-figure ransom to access your data.
Serious breaches require the covered entity to report the matter to the Department of Health and Human Services (DHHS) who will post the breach on the so-called "wall of shame". Not only is the breach so publicized, it may also need to be reported to local media! Worst of all, this self-reporting can result in a seven-figure civil money penalty. Further, an entity's report and response procedure for handling these incidents is an item of high interest in DHHS audits.This Continuing Education will teach attendees everything they need to know to identify security incidents, decides which ones are breaches, and tell which ones are reportable. The training will also cover how to handle incidents to minimize harm to affected individuals and to the entity. This portion will include a practical exercise to see how the methodology works in practice.Handing outside investigations and internal complaints are also key to avoiding or minimizing liability. The training will demonstrate how to respond to these events and will have another practical exercise to show how it works in practice.The course author has successfully defended eight out of eight investigations by DHHS and provided dozens of opinions as to whether a security incident was a breach, whether it was reportable, and how to handle it

Why should you attend this seminar?

Under the HITECH Act and the Omnibus Rule, covered entities and business associates must report certain breaches of PHI to the Department of Health and Human Services. These reports can result in large civil money penalties (CMP) (fines)-as high to $4.8 million to date.
Having a proper procedure to determine whether a security incident is a breach and, if so, is it reportable is absolutely crucial. Not only can it result in a CMP, it is a priority compliance issue in the HIPAA audits that are ongoing. The possibility of a CMP is illustrated by Presence Health's $475,000 settlement with the DHHS Office of Civil Rights (OCR) 2017. And it was for late reporting. God knows how bad the monetary settlement in lieu of a CMP would be if it was non-reporting rather than late reporting
The breach occurred on October 22, 2013, when paper operating room schedules - containing the protected health information of 836 individuals - went missing from a surgical facility at Joliet, Illinois-based Presence St. Joseph Medical Center.
Presence Health didn't report that fact to OCR until January 31, 2014, more than three months later. But OCR requires all organizations to report a breach within 60 days of the first person who discovers the breach.
Virtually every healthcare entity will have security incidents. Handling them properly can prevent them ripening into a breach and even if the incident is a breach, prevent having to report them to DHHS. And can help result in no penalty or a lesser penalty than a mishandled breach.
HIPAA also requires mitigation-lessening the harm of a breach. Knowing how to properly mitigate can keep a breach from being reportable and save unnecessary costs by preventing more harm from the breach.

Areas Covered in the Session:

  • HIPAA definition of a security incident.
  • Every breach is a security incident, but not every security incident is a breach of HIPAA.
  • Reporting and responding to a security incident.
  • HIPAA definition of a breach.
  • Investigating a security incident to determine whether it is a breach.
  • Practical exercise identification of security incidents and breaches?
  • Elements of an effective security incident report and response policy and procedure.
  • Who must report a security incident and to whom and when and how and why?
  • Mitigating a security incident.
  • Training your workforce on how to handle a HIPAA security incident.
  • How do you determine whether a breach is reportable?
  • Written documentation requirements.
  • Practical exercise in determining whether a breach is reportable.
  • How to provide patients/clients their right to complain.
  • Who do they complain to?
  • How do you respond to complaints?
  • How do you respond to Office for Civil Rights investigations?
  • Conclusion and question and answer.
Who can Benefit:

HIPAA compliance officers, HIPAA Security Officers, HIPAA Privacy Officers, CFOs, CEOs, COOs, CIOs, human resources directors, business office managers, administrators, medical records personnel, health information management professionals, health care attorneys, patient accounts managers, billing services, physicians, dentists, pharmacists, physical and occupational therapists, mental and behavioral health professionals, speech and language pathologists and audiologists, nurses, chiropractors, and business associates.


717-208-8666

Labels

Labels:
Location: United States

Comments

Post a Comment

Popular posts from this blog

HIPAA Compliance with the New Omnibus Rule: How to Pass an Audit to Avoid Penalties and Criminal Convictions

Compliance Key INC  -  H ipaa webinar                                           Jonathan P. Tomes Jonathan P. Tomes , J.D., is Keynote Speaker at Compliance key Inc. He is a health care attorney practicing in the greater Kansas City.   Webinar Id:   HIPHJPT001  2:30 PM PT | 03:30 PM ET    01/18/2018  Duration: 60 mins  Overview Before the HITECH Act, DHHS could audit covered entities for HIPAA compliance, but did not have to. With that Act, now the must audit those entities and business associates as well. In the first audits, the Phase I audits, DHHS came on site. The subsequent Phase II audits, however, were paper audits in which those audited had to provide documentation of their compliance. As yet, we do not know what form Phase III will take, but the necessary actions to prepar...
Post a Comment
Read more

HIPAA Compliant Fundraising Under New Rules - 2019

Compliance Key  -  H ipaa   Compliance Training HIPAA Compliant Fundraising Under New Rules - 2019 Joel Simon Joel Simon is one of the nation's leading experts on the fund raising aspects of HIPAA. Joel has been a member of the Maryland bar for 30 years, and his professional experience includes work as the assistant general counsel of a community hospital. Joel is an editor of "Fundraising Under HIPAA" published by the Association of Fundraising Professionals. He has lectured on Fund Raising under HIPAA to national audiences since the original HIPAA regulations were first proposed 17 years ago. Read More Overview Not-for-Profit organizations that are governed by HIPAA often need or want to fund raise from their patients, clients, or families. What protocols should be in place to maximize philanthropic opportunities under HIPAA? What compliance measures need to be in place and assessed to properly use protected health information for fund raisi...
Post a Comment
Read more

Classifying Medical Devices in US and EU

Compliance Key INC  -  Healthcare Compliance Webinars Overview The Food and Drug Administration (FDA) has established classifications for approximately 1,700 different generic types of devices and grouped them into 16 medical specialties referred to as panels. Each of these generic types of devices is assigned to one of three regulatory classes based on the level of control necessary to assure the safety and effectiveness of the device.The determination process, how you apply the classification process to your device, is complex and requires several levels of analysis to make the proper device classification. Proper medical device classification is the fundamental first step in submitting your device for approval anywhere in the world. This webinar will detail the medical device classification process for the United States through the FDA and will overview the very complex process for medical device classification within the EU. Specifically, this webinar will provid...
Post a Comment
Read more