Privacy, Security and Compliance Concerns for Management and Boards
November 15, 2013
Carolyn Heyman-Layne, Esq.
Covering the Basics
HIPAA
42 CFR Part 2
Other potential privacy laws: Privacy Act, FERPA, AK PIPA, other State laws
HIPAA is usually the minimum for confidentiality, and 42 CFR Part 2 is usually the maximum.
Contingency Operations – can be part of overall emergency response plan
Disposal & Destruction
Backup & Copy
Reuse & Recycling of Equipment
Person or Entity Authentication
Acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI.
Only applies to “unsecured PHI”, such as unencrypted data on a laptop
Privacy breach insurance is available!!!
Only covers unsecured protected health information
If more than 500 individuals are affected, notice to the media is required
Notice within 60 days of discovery
Specific notice requirements
Notice to HHS or annual log of breaches
Protected Health Information (PHI)
Protects medical record numbers
Allows disclosures without authorization for treatment, payment and healthcare operations
Business Associate Agreements
Privacy Act of 1974 – primarily Alaska Native programs, but also Federal agencies
Alaska Personal Information Protection Act
FERPA – Family Educational Rights and Privacy Act – schools
State laws re: substance abuse, behavioral health, etc.
The more regulation, the higher the possibility of violations (intentional or unintentional)
Compliance programs help to mitigate those risks
Government has increased money and resources for enforcing the regulations
Effectively prevent, detect and correct noncompliance
Also prevent and address fraud, waste and abuse
Effective communication among all staff and leadership
Seven Elements of an Effective Compliance Program
Written policies and procedures
Compliance officer, committee and high-level oversight
Effective training and education
Effective lines of communication
Well-publicized disciplinary standards
Effective system for routine monitoring and auditing
Prompt response to compliance issues
Periodically review compliance program, employee standards and code of conduct
Ensure that employee training is conducted and documented
Manage and monitor employee reporting process
Provide ongoing training, as needed
Ensure that compliance related files are maintained as described in plan
Ensure that monitoring and auditing systems are in place and working
Make periodic reports to the Board/owners regarding compliance, even if no violations
What laws apply to your organization?
What programs are in place to ensure compliance with those laws?
Who are the key employees responsible for compliance?
How and when do compliance issues get reported?
What are the goals of the compliance program?
What are the risks to the organization?
What resources are necessary to address those risks?
Have policies and procedures been implemented to address risks and laws?
Have training programs been implemented?
Is the Board informed of changes to regulatory and industry requirements that affect risk?
Circumstances differ, but basic duty of compliance oversight exists for almost all boards.
Appropriate processes need to be in place to make sure the board receives appropriate and objective information in a timely manner.
If there is a specific issue, ask for more information, outside expert review, whatever is necessary and reasonable to address the issue
Ask for regular reports and updates on the situation
Form an ad hoc committee to address, as necessary – may want a regular compliance committee
After reporting, how are issues addressed?
Are corrective actions taken in response?
How does the organization evaluate and investigate suspected violations?
Are there protections for whistleblowers?
Do the organization and its environment encourage reporting?
Are employees sanctioned appropriately?
Are there guidelines for reporting violations to the Board?
Does the Board receive enough information to evaluate the appropriateness of the organization’s response?
Is there a policy regarding reporting to government and outside authorities?