HIPAA Audits and Enforcement - Using the HIPAA Audit Protocol to Improve Compliance and Avoid Penalties

Duration: 90 Minutes
Instructor: Jim Sheldon-Dean
Webinar Id: 800104



In this session we will examine the HIPAA Audit Protocol to see what kinds of questions it contains and what needs to be done to answer them. We will review the new audit processes and discuss what will be asked in an audit and how. Protocols and the questions asked at recent audits will be explained.

  • Difficulties in using the HIPAA Audit Protocol as presented on the Web will be discussed, and alternative means of using the information in the Protocol will be presented.
  • The HIPAA Audit Protocol will be explored as a tool for organizing compliance documentation and guiding compliance activities, by exporting the protocol into a spreadsheet for further research, manipulation, and analysis. The kinds of information that can be used in conjunction with the protocol will be discussed.
  • We will explain the enforcement regulations and their recent changes that increase fines and create new penalty levels, including new penalties for wilful neglect of compliance that begin at $10,000. We will discuss what information and documentation needs to be prepared in advance so that you can be ready for an audit without notice. Sample information request forms and questions asked at prior audits will be presented.
  • The session will also cover how to know if you may become the subject of an audit or enforcement action, and what you can do to help limit your exposure. We will discuss how most enforcement actions come about and what can be done to prevent incidents that lead to enforcement.
  • The HIPAA Privacy, Security, and Breach Notification regulations and how they will be audited will be explained. Documentation requirements for compliance will be explored and a framework of security policies necessary for compliance will be presented.
  • The results of prior HHS audits (and their penalties) will be discussed, including recent actions involving multi-million dollar fines and settlements. In addition, new trends in information security risks will be discussed.
  • This session will prepare health care professionals so they can organize their compliance efforts and documentation, and quickly and properly respond to audits and minimize any issues related to responding to audit requests.

Why should you attend:
  • The US Department of Health and Human Services (HHS) has begun audits of compliance with the HIPAA Privacy, Security, and Breach Notification Rules, and has published the HIPAA Audit Protocol.
  • Information is now available on how the audits are conducted and what the auditors are looking for. If you want to stay ahead of the auditors, you will need to be able to respond to audits quickly. The best way to do that is to know what they will ask and have your documentation ready to show for each question.
  • Understanding the HIPAA Audit Protocol and using it as a basis for developing your compliance documentation is one of the best ways to guide your compliance efforts and ensure you have the documentation you need handy if you are audited.
  • If your organization is not ready, the HIPAA rules have new, significantly higher fines, including mandatory minimum fines of $10,000 for wilful neglect of compliance. All HIPAA Covered Entities and Business Associates need to be fully in compliance and prepared for an audit at any time, or risk the significant fines for non-compliance.
  • In addition, HIPAA enforcement has taken on a new importance at HHS, as shown in numerous multi-million dollar fines. The "slap-on-the-wrist" days are over and fines and settlements are being levied, with more on the way. Don't let your organization be caught unprepared for an audit. Even postal inspectors are now using HIPAA to prosecute identity theft cases.
  • By using the HIPAA Audit Protocol as part of an information security management process, those responsible for health information can develop the procedures and policies that can help prevent security problems, and help prepare the organization for any incidents, audits, or enforcement actions.

Areas Covered in the Session:
  • Find out what the audit process is, what HHS OCR is likely to ask you if you are selected for an audit, and what you'll have to have prepared already when they do.
  • Learn how to make the HIPAA Audit Protocol useful to you as a way to organize and track your compliance work, and collect your documentation references.
  • Find out what you'll need to have documented to survive an audit and avoid fines.
  • Learn how to use an information security management process to evaluate risks and make decisions about how best to protect PHI and meet patient needs and desires.
  • Find out what policies and procedures you should have in place.
  • Learn about the training and education that must take place and be documented to ensure your staff uses health information properly and does not risk exposure of PHI.
  • Find out the steps that must be followed in the event of a breach of PHI.
  • Learn about how the HIPAA audit and enforcement activities are now being increased and how you must be prepared or risk significant penalties.

Who Will Benefit:
  • Compliance Director
  • CEO
  • CFO
  • Privacy Officer
  • Security Officer
  • Information Systems Manager
  • HIPAA Officer
  • Chief Information Officer
  • Health Information Manager
  • Healthcare Counsel/lawyer
  • Office Manager

Speaker Profile
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.

Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C.

Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master's degree from the Massachusetts Institute of Technology.
