Pub. 1 2012-2013 Issue 2

New Jersey Coalition of Automotive Retailers, Summer 2012, New Jersey Auto Retailer, www.njcar.org

HIPAA Compliance Auditing… Is Your Dealership Prepared?

BY BENJAMIN S. LUPIN

When the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) became effective in 2010, it provided changes to HIPAA that needed to be addressed by employer-sponsored group health plans. These changes also led the government to review the HIPAA rules that had been in place for years. Under the HITECH Act, the Department of Health & Human Services (HHS) has the power to perform periodic audits to ensure that covered entities (such as group health plans) and their business associates comply with HIPAA’s various requirements. And guess what — HIPAA audits are now underway. In fact, an “audit protocol” was recently published by the HHS to assist with determining compliance with the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule. The “audit protocol” provides a roadmap for plan sponsors to use to get into compliance and avoid unnecessary liability.

It should be noted that compliance obligations under the HIPAA Privacy and Security rules will differ between employers that offer group health plans depending on factors such as benefit offerings and funding arrangements. Therefore, all of the items identified in the “audit protocol” may not be applicable to all employers that sponsor group health plans, and some HIPAA compliance obligations rest with the group health plan’s insurer. This article is intended to highlight some of the more important items addressed in the audit protocol for each topic. For specific guidance on how HIPAA Privacy and Security rules apply to your company and your company’s group health plan, it is suggested that you discuss this topic in greater detail with your broker or other qualified professional.

HIPAA Privacy Rule

• Review your health plan’s HIPAA plan amendment to ensure it properly restricts uses and disclosures of protected health information (PHI) by the plan sponsor.
• Analyze your HIPAA privacy notice to ensure it contains all the required elements under the Privacy Rule.
• Review your HIPAA privacy policies and procedures.
• Review your HIPAA privacy training documentation (including documentation showing that training was completed).
• Evaluate compliance with an individual’s right to access, amend and receive an accounting of disclosures of his or her PHI.
• Observe whether administrative, technical and physical safeguards are in place to protect PHI in your workplace.
• Determine whether PHI access is restricted properly under the minimum necessary rule by reviewing job descriptions of workforce members with access to PHI and ensuring that they only have access to the PHI necessary to perform their job functions.
• Determine whether PHI disclosed to certain parties (such as business associates) is limited under the minimum necessary rule to the amount reasonably necessary to achieve the purpose of the disclosure.

HIPAA Security Rule

• Evaluate the risk assessment and determine if it has been conducted on a periodic basis.
• Inquire as to whether procedures exist to review information system activities, such as audit logs, access reports and security incident tracking reports, and determine whether those procedures have been updated on a periodic basis.
• Inquire as to whether a HIPAA security official has been designated and review the documentation of the security official’s responsibilities.
• Review whether HIPAA security policies and procedures are updated periodically.
• Determine whether HIPAA security training is conducted whenever there are changes in technology and practices.
• Review whether security incidents have been properly identified and documented.
• Inquire as to whether a process is in place to ensure business associate agreements include the required HIPAA security language.
• Observe workstations that access electronic PHI (ePHI) and ensure they are located in secure areas and protected with physical security controls such as cable locks and privacy screens.
• Review the method of tracking the location and movement of media and hardware containing ePHI.
• For implementation specifications that are “addressable” rather than “required,” determine if there is documentation of where the specification was not fully implemented and the rationale behind that decision.

Breach Notification Rule

• Determine whether a process is in place to notify individuals, the media and the Secretary of HHS when required under HITECH.
• Review whether HITECH breach notification procedures are included in business associate agreements.
• Review documentation of uses and disclosures that were determined to not be breaches under HITECH and the documentation supporting such determinations.

Clearly, this article only discusses HIPAA audits at a very high level. Group health plans of all sizes and their business associates will want to use the specific guidance provided in the audit protocol to conduct self-assessments and determine whether their HIPAA documentation and procedures are in compliance with all applicable requirements.

The HHS audit protocol is an unpleasant reminder that there are many complex and ongoing privacy and security compliance obligations for group health plans. All companies sponsoring group health plans will likely want to discuss HIPAA compliance with qualified professionals to limit their potential liability prior to an audit.

Benjamin S. Lupin is the Director of Compliance at Corporate Synergies Group. He can be reached at Benjamin.Lupin@corpsyn.com.

Nine Pillars for Creating Long-Term Dealership Profitability

BY MICHAEL ROPPO, CPA

Dealerships are constantly seeking ways to improve their day-to-day performance. What follows are some issues to consider when identifying best practices for your dealership. These items are essential in supporting long-term dealership profitability:

1. First and foremost are the numbers – not “benchmarks” but Critical Performance Indicators (CPIs), which measure your business performance. How can you plan to improve performance if you don’t know how you currently measure up?
2. Your vision for your dealership. Have you translated your vision into goals and priorities that will optimally direct how you manage your time and the time of your dealership team members – all of them?
3. Your distinctive market position. What makes your dealership different from and better than your competitors, and more appealing to your target customers?
4. How you generate more leads in every profit center. Are your teams working together to develop leads and share cross-selling opportunities?
5. How you improve the rate and the way you convert leads into actual customers. Are the leads qualified, and do you analyze unsuccessful conversions for continual improvement?
6. The way you retain customers not only to buy from you once but to buy more from you in the future. Are you providing consistent, excellent service performance in every profit center of your dealership to build customer loyalty?
7. How you lead your team. Are you developing a happy, motivated and loyal team that will achieve your specific dealership’s goals and overall business vision?
8. The way you systematize your dealership. Is every profit center of your dealership delivering consistent, high quality, predictable results even in your absence?
9. How you understand the decision-making process. Many people avoid making decisions because they’re afraid of failing. If results aren’t what we anticipated, do you allow yourself and others to learn from the experience, make adjustments and continue taking action? Planning by learning and adjusting is critical to reaching your business goals.

Each pillar above requires specialized effort and gives you opportunities to see how you can improve your processes and move closer to achieving your long-term dealership profitability goals.

Michael Roppo is a CPA at The Mironov Group, LLC, and can be reached via email at mroppo@mironovgroup.com or by phone at 800.572.7101.
