Healthcare privacy and security practices are drawing substantial attention from enforcement agencies at all levels of government. That means organizations must develop effective procedures to respond to the almost inevitable visit or phone call from federal and state enforcement officials when they investigate patient and employee complaints.
As of July 31, the HHS Office for Civil Rights (OCR) had received almost 14,500 privacy complaints under the HIPAA regulations and is receiving about 600 new complaints every month.
With the HIPAA security rule in effect, CMS established its own system for acting on complaints.
To meet these challenges, HHS has trained about 200 investigators on the regional level to pursue HIPAA complaints.
However, HIPAA is far from the only reason healthcare organizations should develop procedures for dealing with the inevitable call from government investigators. In addition to the more than 220 cases referred to the Justice Department for criminal prosecution, OCR confirmed that it is referring some privacy complaints to other regulatory agencies, including state human rights commissions, a variety of equal opportunity offices throughout government, the Department of Education, the Social Security Administration and the Department of Labor.
In other words, the HIPAA complaint system is drawing special attention to healthcare privacy and security practices and triggering investigations by local, state and federal enforcement agencies under other state and federal laws.
Just as important, growing concerns over identity theft are prompting tighter controls and higher accountability for all organizations - including healthcare - that handle personally identifiable information. That concern recently prompted the American Hospital Association to advise its members to review and modify their privacy practices to guard against the problem.
Virtually every state has adopted or is considering stronger privacy and security requirements to protect consumers and patients from identity theft. That means local police departments and the FBI, as well as state and federal healthcare regulators, are getting involved in data privacy and security breaches.
The threats of expanded investigations and civil suits over privacy and security breaches in healthcare are real and growing.
DON'T LET THEM BECOME YOUR NIGHTMARES
And don't let all your HIPAA work go to waste
Responding appropriately to government investigators in the privacy and security areas takes some thought and planning to avoid "fishing expeditions" and to ensure that your organization does not create new problems.
Responding to Government Investigations of Medical Privacy and Security Breaches will detail the key issues and actions healthcare organizations should consider in responding to privacy and data security enforcement investigations.
Participants will be briefed on:
- Planning for HHS HIPAA investigator visits and calls
- Why privacy and security complaints may require different approaches
- How and when privacy and security officers should coordinate responses
- Dealing with complaints lodged against Business Associates
- Who should be on an investigation response team
- Establishing effective lines of communication between the organization and government enforcement officials
- What employees should and should not do in responding to government investigators
- What to do when employees lodge complaints
- How CMS and OCR are coordinating enforcement of the HIPAA privacy and security rules
- How other federal and state laws may affect your response to privacy and data security investigations
and much more
Who Should Attend
- Privacy Officers
- Security Officers
- General Counsels
- Healthcare Compliance Officers
- Hospital Administrators
- Practice Managers
- IT Staff
- HR Professionals
- Healthcare Attorneys
- Healthcare Consultants
Faculty With Real World Experience in Dealing with HIPAA Complaints
Richard Meeks is the University of Washington's HIPAA Compliance Officer, where he also manages the HIPAA Program Office for the university's medical centers. His prior experience includes 11 years in Health Information Management, where he held positions at both the University of Washington Medical Center and Harborview Medical Center.
John R. Christiansen is a principal in Christiansen IT Law, where he focuses on the implementation and management of healthcare information technology. In his practice, John has handled a wide variety of privacy and data security investigations for healthcare clients. He is also Co-Chair of the American Bar Association's Committee on Healthcare Privacy, Security and Information Technology and past Chair of its Healthcare Informatics Committee. His most recent book is An Integrated Standard of Care for Healthcare Information Security: HIPAA, Risk Management and Beyond (2005), the definitive legal treatise on security obligations applicable to healthcare information.