Every covered entity and business associate will experience one or more security incidents every year. Such incidents range from an employee forgetting to log off, with no harm done because you caught it before any unauthorized person accessed the computer, to a ransomware attack in which you must pay a six-figure ransom to access your data.
Under the HITECH Act and the Omnibus Rule, covered entities and business associates must report certain breaches of PHI to the Department of Health and Human Services. These reports can result in large civil money penalties (CMPs), or fines, as high as $4.8 million to date.
Having a proper procedure to determine whether a security incident is a breach and, if so, whether it is reportable is absolutely crucial. Not only can a failure here result in a CMP, it is also a priority compliance issue in the ongoing HIPAA audits. The possibility of a CMP is illustrated by Presence Health's $475,000 settlement with the DHHS Office for Civil Rights (OCR) in 2017. And that was for late reporting. God knows how bad the monetary settlement in lieu of a CMP would have been for non-reporting rather than late reporting.
Areas Covered in the Session:
- HIPAA definition of a security incident.
- Every breach is a security incident, but not every security incident is a breach of HIPAA.
- Reporting and responding to a security incident.
- HIPAA definition of a breach.
- Investigating a security incident to determine whether it is a breach.
- Practical exercise in identifying security incidents and breaches.
- Elements of an effective security incident report and response policy and procedure.
- Who must report a security incident, to whom, when, how, and why?
- Mitigating a security incident.
- Training your workforce on how to handle a HIPAA security incident.
- How do you determine whether a breach is reportable?
- Written documentation requirements.
- Practical exercise in determining whether a breach is reportable.
- How to provide patients/clients their right to complain.
- Who do they complain to?
- How do you respond to complaints?
- How do you respond to Office for Civil Rights investigations?
- Conclusion and question and answer.
Who can Benefit:
HIPAA compliance officers, HIPAA Security Officers, HIPAA Privacy Officers, CFOs, CEOs, COOs, CIOs,