HIPAA Omnibus Update Rule - What it Means for Security and Breach Compliance

Why Should You Attend:

This webinar will cover the requirements for risk analysis and assessment in the HIPAA rules and provide a framework for analysis of risks for compliance with HIPAA Security Rule requirements (in §164.308(a)(1)) and the new breach determination requirements in the updated HIPAA Breach Notification Rule, and show how the two are related in a good compliance program. It will show how to go about assessing your risks and organizing your compliance plan, and show how having that information makes it easier to assess risks in the event of a breach.

For the Security Rule, this session will explain what is called for in the rule and show a way to approach the work in an organized way that saves effort and produces meaningful results, with examples of how to conduct the risk analysis.

For the updated Breach Notification Rule, the instructor will explain how the new process differs from the old “harm standard” that has been removed from the rule. If none of the defined exceptions for notification apply, the breach is reportable unless you can show, by a risk analysis, that there is a “low probability of compromise.” The risk analysis must include at least four factors:

1. What the data is, how well identified is it, and how sensitive it is
2. To whom the data was improperly disclosed
3. Whether or not the information was actually viewed or accessed
4. How the breach was mitigated.

Issues with any one of the four factors can require reporting the breach. The instructor will explain how to consider these factors.

This webinar will also include information on HIPAA Audits and how to be prepared to show that you have the right policies and procedures in place and are using them. To withstand random audits and investigations of non-compliance that may result from a breach report or complaint, thorough documentation of compliance-related activity is required. The instructor will explain how to document your compliance using the HIPAA Audit Protocol as a guide, so you can be sure to avoid trouble if HHS asks questions about your compliance.

Areas Covered in the Webinar:

• The requirements of the HIPAA Security Rule
• The elements of a HIPAA Security Risk Analysis
• The significant changes to the HIPAA Breach Notification Rule
• Use of Risk Analysis in the new HIPAA Breach Notification process.
• A framework of security policies.
• Typical policy considerations for laptops and portable devices, and their security
• How to use Risk Analysis to deal with difficult compliance issues, such as texting and social networking.
• Tools to be used for policy management and documentation.
• How to adopt policies, train on them, and conduct drills on them.
• The HIPAA Audit Protocol, and its use as a compliance tool

Who Will Benefit:

This webinar will provide valuable assistance to all personnel in medical offices, practice groups, hospitals, academic medical centers, insurers, business associates (shredding, data storage, systems vendors, billing services, etc.). The following personnel will find this session valuable:

• Compliance director
• CEO
• CFO
• Privacy Officer
• Security Officer
• Information Systems Manager
• HIPAA Officer
• Compliance Officer
• Chief Information Officer
• Health Information Manager
• Healthcare Counsel/lawyer
• Office Manager
• Contracts Manager

Instructor Profile:

Jim Sheldon-Dean, is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.

Mr. Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C.

He has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. He received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

Topic Background:

The new HIPAA Omnibus Update Rule is now in effect and enforceable, with some implications for compliance with the HIPAA Security and Breach Notification Rules. Compliance with the HIPAA Security Rule has always required that the risks to protected health information (PHI) be assessed and any issues be addressed by mitigation as necessary. But new changes to the HIPAA Breach Notification Rule add a new role for Risk Assessment, in determining whether or not a breach has a “low probability of compromise.” In addition, recent audits and enforcement actions have highlighted the requirement for performing a proper risk analysis as part of the management of security risks, and to satisfy documentation requirements. Now is the time to revisit your risk assessment and breach notification policies and procedures to make sure you meet the new rules.

Follow us :