Overview:

In this session we will demystify HIPAA. Starting with an explanation of how and why HIPAA contains many ambiguities and conflicting information and moving through what the attendee needs to know about HIPAA's regulations, OCR whitepapers and published guidance, and OCR Resolution Agreements.

At the end of this session the attendee will understand how each fills a role in determining what constitutes HIPAA compliance, and how to understand what is really meant by the terminology commonly encountered, and misunderstood, when discussing HIPAA.

We will cover a couple of specific ambiguities and discuss some examples. We will explain and demonstrate how to work through the ambiguities, and draw a conclusion that allows you to take defensible action as you develop your compliance plan. In this section we will show you what reference materials are available, and work through at least one example of an ambiguity, and show you how to reach defensible solution. We will also explain what constituted a defensible solution and why it is important.

We will cover the concepts and terms encountered when discussion the fundamentals of HIPAA; what is HIPAA, actually, and what are you obligations under HIPAA. We will discuss the misconceptions around terms such as the Security and Privacy Regulations, what do Technical, Administrative and Physical Safeguards really mean. We will cover the ramifications of not complying with HIPAA when you have a reported breach, and discuss why a breach under HIPAA is only the beginning of the process, not the end.

After covering the generalities, the presentation will then focus on specific concepts and terms that are common to breaches that have been reported over the last few years. We will work through some of the myths encounter when discussing HIPAA, explain why they exist and demystify them to give the attendee the "truth" behind these myths.

As we work through the language of HIPAA, we will not discuss the terminology and concepts from a high level view, but rather with the goal of providing sufficient detail so the attendee will leave with actionable items. Finally, the objective of this presentation is not to make you an expert on the language of HIPAA, but rather give you the information you need to ask the right questions of your Chief Privacy and/or Security Officer(s), or consultant.

Why should you attend: One recent study of privacy and security professionals from larger providers found that more than 89% respondents found HIPAA/HITECH regulations to be complex, difficult to understand, vague or confusing. Only 11% found them easy to understand. So what chance do you have in understanding your obligations under HIPAA?

As with any area of knowledge, understanding comes only when you understand the language used in the discipline. HIPAA in no different. In many ways it is a bit more important because HIPAA is a series of regulations that are left to interpretation. So a provider or business associate must understand not only the language of the regulations but also their intent. Intent in many cases is buried inside of published guidance and within other publications from the Department of Human and Health Services, and it's Office of Civil Rights. Complicating the situation are parallel regulations promulgated under the HITECH Act, which may provide conflicting guidance.

The best analogy to the complexity of the language of HIPAA is the Internal Revenue Service and the tax code. Though the penalties surrounding HIPAA violations are much more onerous than errors in the taxes you file.

Examples of misunderstanding abound. For example; what are your requirements for staff training under HIPAA, it's not what you think. What are the ramifications of not understanding Willful Neglect? Not knowing what these terms really mean can cost you up to an additional $300,000 in fines and penalties, PER INCIDENT. And that's just at the federal level. Add in state level fines and penalties, tort actions, business disruption costs, and the numbers really add up.

Financial impact of Breached Protected Health Information. 2012 American National Standards Institute (ANSI) / The Santa Fe Group /Internet Security Alliance

Areas Covered in the Session:

• What are the Security and Privacy Regulations
• What is meant by Technical, Administrative and Physical Safeguards
• What is an OCR Resolution Agreement and why should I care
• What constitutes an adequate risk assessment
• What is meant by a "Required" and "Addressable" implementation specification
• What are my training requirements
• What is a Breach v/s a Reportable Breach
• What is a Business Associate and what are my responsibilities
• What actually changed under the final Omnibus Rule
• What is an OCR audit
• What is an OCR investigation
• What is Wilful Neglect and what does it mean to me

• CEO
• COO
• CFO
• Human Resources
• Chief Nursing Officer
• Chief Clinical Officer
• Practice Managers