2019 HIPAA Audits & Enforcement Updates

Duration: 60 Minutes
Instructor: Gina L Campanella
Webinar Id: 801551


One Attendee
Unlimited Attendees ?

The webinar will focus on identification of a breach and what the required process is to remedy a breach if it is determined one has occurred, The initial overview of HIPAA requirements and policies will help the attendee determine if his or her practice is compliant.


The collection of laws and regulations known commonly as HIPAA is comprised of two federal statutes and three federal rules:

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), the Privacy Rule (found at 45 C.F.R. 164.500 et. seq.), the Security Rule (found at 45 C.F.R. 164.300 et. seq.) and the Breach Notification Rule (found at 45 C.F.R. 164.400 et. seq.).

The three rules were amended and combined in 2013 into what is known as the HIPAA Privacy, Security, Enforcement and Breach Notification: Final Omnibus Rule. The federal Office for Civil Rights ("OCR") has the duty and responsibility to investigate complaints or reports of potential HIPAA violations and to continuously monitor entities required to comply with HIPAA ("Covered Entities") for compliance. OCR began a preliminary pilot program for random compliance audits of Covered Entities in 2015.

The OCR looks at several areas of HIPAA compliance when performing an audit including:

  • Does the Covered Entity have a Notice of Privacy Practices? Is the notice complete? Is the notice posted and distributed properly?
  • What are the patients' rights to request privacy protections, access to or an accounting of disclosures of their protected heath information ("PHI")?
  • What are the Covered Entities administrative requirements for the security of PHI?
  • Does the Covered Entity have proper Authorizations for Use and Disclosure of PHI available for patient use?
  • Are there proper administrative, physical and technical safeguards in place on the premises of the Covered Entity?

All medical practices must have a designated Security Officer who is responsible for HIPAA security. The designated Security Officer should perform regular internal Compliance Risk Assessments as well as staff training sessions to ensure that all of the proper protections are in place and are functioning properly.

OCR is on schedule to begin its second round of HIPAA audits in early 2016 and plans to include many more types of Covered Entities than were included in the first phase as well as Business Associates (as defined by HIPAA) of Covered Entities.

One of the essential items that OCR will be looking for is the proper performance of an internal Compliance Risk Assessment and the implementation of any necessary plans to cure any problems that are discovered as a result of the Compliance Risk Assessment.

Although OCR will not be publicly posting any audit results, the results are not confidential and the potential financial consequences of a poor audit are substantial. Any Covered Entity or Business Associate who has not yet performed an internal Compliance Risk Assessment should plan to do so immediately and should begin to prioritize the necessary changes which result based upon the level of risk involved in each deficiency.

Why should you Attend: HIPAA compliance is one of the most cited and least understood laws in the typical medical practice. Although HIPAA has been in place for decades, it has changed rapidly in the last ten years due to the rapid proliferation of technology in medicine.

In addition to these progressive changes, the law itself underwent a major overhaul in 2013 resulting in any practice that has not updated their HIPAA materials since that time being out of compliance. The speaker will highlight the major changes that must have been implemented after the 2013 HIPAA updates. Thereafter, the attendee will learn the basic requirements for a Notice of Privacy Practices as well as when authorizations are and are not required for the use and disclosure of a patient's protected health information.

The latter half of the webinar will focus on identification of a breach and what the required process is to remedy a breach if it is determined one has occurred.

The federal Office for Civil Rights, the government entity tasked with enforcing HIPAA began a preliminary pilot program in 2015 to ensure a certain number of random compliance audits of Covered Entities.

The initial overview of HIPAA requirements and policies will help the attendee determine if his or her practice is compliant. Thereafter, the speaker will highlight what "red flags" the Office for Civil Rights looks for when determining whether to audit a practice and learn what to do in the event you are selected for a random audit.

Areas Covered in the Session:
  • Determining level of Compliance with HIPAA
  • Recognizing Areas that need to be Brought into Compliance
  • Learning how to Analyze a Breach
  • Current Trends in Enforcement Actions

Who Will Benefit:
  • Physicians
  • Health Care Providers
  • Practice Mangers
  • Administrators
  • Privacy Officers
  • Office Managers
  • Medical Record Clerks
  • Non-Clinical Health Care Employees and Contractors
  • Business Associates of Health Care Providers

Speaker Profile
Gina L. Campanella focuses on healthcare regulatory and transactional matters federally and in New Jersey, New York and Pennsylvania. Ms. Campanella has assisted clients with transactional services and regulatory compliance consulting, as well as general counsel services to small practices and large societies and medical groups alike. Clients also seek her expertise when reviewing employment agreements, formation of new practices, separation from and sale of practices, business structuring, and surgical center licensing and registration, including preparation for Department of Health, AAAHC and AAAASF surveys of licensed and Medicare deemed facilities, as well as preparation and implementation of resulting plans of correction.

Ms. Campanella graduated Magna Cum Laude from Seton Hall University with a Masters in Healthcare Administration in 2012 and earned her Juris Doctor from Seton Hall Law in 2005. Ms. Campanella lectures nationally on issues of health care law and compliance for events and organizations such as: the New Jersey Association of Osteopathic Physicians and Surgeons, the Atlantic Regional Osteopathic Conference, the New Jersey Chapter of the American College of Emergency Physicians, the New Jersey Podiatric Medical Society, the Health Care Compliance Association, the New Jersey Medical Group Management Association, the New York Medical Group management Association, Columbia University Medical School, the Advanced Emergency & Acute Care Medicine CME Conference, the CentraState Medical Center Practice Managers Group, Bassett Medical Center Medical Staff, the New Jersey State Society of Physician Assistants, Mentor Health and Skillacquire.

Ms. Campanella has been admitted to practice law in the State of New Jersey and United States District Court for the District of New Jersey since 2006, the District of Columbia since 2013, the State of New York since 2013 and the State of Pennsylvania since 2017. Ms. Campanella was recognized by New Jersey Super LawyersTM as a Rising Star in 2014, 2015, 2017 and 2018, a "Best of Bergen" attorney by Bergen Magazine in 2017, and is recognized by AVVO as a Clients' Choice Attorney in 2016, 2017 and 2018 with an AVVO rating of "10 out of 10".* Her additional certifications include earning the status of Certified HIPAA Administrator from the HIPAA Academy and she is a Fellow in the American College of Healthcare Executives.

You Recently Viewed