EHR20.COM
866-276-8309
OCR/HHS HIPAA Phase 2 Audit Update
Thank you for joining us today
27 July, 2016
To purchase reprints of this document, please email [email protected].
DIY TOOLKIT: Tools, Best Practices and Checklist
EDUCATION: Online Training, Webinars and Customized Workshops
CONSULTING: Professional services to help you with your Compliance needs
WHO WE ARE …
We assist healthcare organizations in developing and implementing practices to secure IT systems and comply with HIPAA/HITECH regulations.
DISCLAIMER: Consult your attorney
This webinar has been provided for educational and informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.
ALL WEBINARS ARE RECORDED AND AVAILABLE AS AN “ON DEMAND” SUBSCRIPTION
TODAY’S AGENDA
1. HIPAA & HITECH Basics
2. Recent HHS Settlements
3. Phase 1 Overview
4. Phase 2 Launch
5. Phase 2 Program Overview
6. Phase 2 Desk Audit
7. Key Takeaways
8. Questions & Answers
TERMS YOU MAY HEAR …
Acronyms
HHS: U.S. Department of Health and Human Services
HIPAA: Health Insurance Portability and Accountability Act
PHI: Protected Health Information
OCR: Office for Civil Rights (the HHS office that enforces HIPAA)
HITECH: Health Information Technology for Economic and Clinical Health Act
HITECH MODIFICATIONS TO HIPAA
• Creating incentives for developing meaningful use of electronic health records
• Changing the liability and responsibilities of Business Associates
• Redefining what a breach is
• Creating stricter notification standards
• Tightening enforcement
• Raising the penalties for a violation
• Creating new code and transaction sets (HIPAA 5010, ICD-10)
Since 2011, Medicare/Medicaid have paid more than $20 billion in incentives for adopting EHRs.
PROTECTED HEALTH INFORMATION BASICS Review
PHI (Health Data):
1. Medical records:
   • electronic and paper
   • case histories
   • treatment records
   • tests
   • charts
   • progress reports
   • X-rays
   • MRIs
2. Claims
3. Payments
4. Eligibility
5. Other health plan related insurance data
PII (Patient Identifiable Information):
1. Name
2. Address
3. Dates related to an individual
4. Telephone numbers
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate/license number
12. Any vehicle or other device serial
13. Device identifiers or serial numbers
14. Web URL
15. Internet Protocol (IP) address
16. Finger or voice prints
17. Photographic images
18. Any other characteristic that would uniquely identify the individual
PII, when combined with health data, becomes PHI.
HIPAA/HITECH RULES Review
Privacy Rule
• Confidentiality of PHI
Security Rule
• Protection of ePHI
Breach Notification Rule
• Notification
Applies to Covered Entities and Business Associates
RECENT HHS SETTLEMENTS
• Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) - July 21, 2016
• Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University - July 18, 2016
• Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement - June 29, 2016
• Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital - April 21, 2016
• and many more …
Civil Money Penalties in 2016
Violation category              Each violation     All such violations (of an identical provision in a calendar year)
Did Not Know                    $100–$50,000       $1,500,000
Reasonable Cause                $1,000–$50,000     $1,500,000
Willful Neglect - Corrected     $10,000–$50,000    $1,500,000
Willful Neglect - Not Corrected $50,000            $1,500,000
Phase 2 Program Overview (OCR Audit Program)
1. Communication from OCR
2. Pre-audit Questionnaire
3. Sample Selection
4. Desk Audit
5. Onsite Audit
6. Potential Compliance Review (may result in Civil Money Penalties)
Summary: Phase 1 Audit Results “Bad news travels fast”
• KPMG conducted 115 CE audits during 2012
• Published OCR audit program protocol
  – Security Criteria: 78
  – Privacy Criteria: 81
  – Breach Notification Criteria: 10
• Phase 2 program
  – Covered entities and BAs in scope
“It takes many good deeds to build a good reputation, and only one bad one to lose it.” (Benjamin Franklin)
How does HHS notify healthcare organizations?
OCR Audit Protocol
1) Privacy Rule requirements:
   (1.1) Notice of privacy practices for PHI
   (1.2) Rights to request privacy protection for PHI
   (1.3) Access of individuals to PHI
   (1.4) Administrative requirements
   (1.5) Uses and disclosures of PHI
   (1.6) Amendment of PHI
   (1.7) Accounting of disclosures
2) Breach Notification Requirements
3) Security Rule requirements:
   (3.1) Administrative safeguards
   (3.2) Physical safeguards
   (3.3) Technical safeguards
Phase 2 Desk Audit Update
On July 11, 2016, OCR notified 167 Covered Entities of their selection to participate in the HIPAA desk audits.
Phase 2 will:
• Include both Covered Entities (CEs) and Business Associates (BAs)
• Comprise 200–250 audits in total: over 200 desk audits and a smaller number of comprehensive on-site audits
Phase 2 is designed to enable OCR to examine mechanisms for compliance:
- Identify industry best practices
- Discover risks and vulnerabilities not surfaced through enforcement activities
- Enable OCR to get out in front of problems before they result in breaches
Phase 2 Audit: Selection Process
OCR identified pools of CEs representing a wide range of health care providers, health plans and health care clearinghouses, to better assess HIPAA compliance across the industry.
• Sampling criteria included size, affiliations, location, public or private, etc.
• Health plans were divided into group plans and issuers; providers were further categorized by type:
  o hospital, practitioner, elder care/SNF, health system, pharmacy
• OCR then ran a randomized selection algorithm that drew from each of the categories, resulting in 167 CEs.
Phase 2: Next Steps
• The covered entity desk audits are now underway and will continue through the end of the year
• Desk audit scope is limited to a total of 7 controls drawn from the Security Rule (SR), the Privacy Rule (PR) and the Breach Notification Rule (BNR). Entities will be audited either on SR controls or on PR & BNR compliance
• Onsite audits will begin in early 2017
• Onsite audits will evaluate auditees against a comprehensive set of HIPAA compliance controls
• A desk auditee may also be subject to an onsite audit
Phase 2: Next Steps (continued)
Covered entities have 10 business days to provide their responses:
• Responses should contain the specified documentation: applicable policies, procedures and evidence of implementation
• Complete and relevant materials
The desk audits of BAs will commence in late September:
• The same rules and expectations apply to the BA auditees
• The selection pool of BAs is largely drawn from the BAs identified by CEs
Phase 2: Documentation Submission Process
Notifications are sent to selected auditees via email and:
• Comprise two separate requests:
  o one listing policies, procedures and/or other related documentation
  o one requesting a list of all the CE’s BAs
• Specify the documentation elements to be provided
• BA listings must be returned electronically, via email, to OCR within 10 business days
• All other items must be submitted using the secure online portal link provided in the notification email
• If a CE does not have the requested documentation, it must submit an explanation for the deficiency in its response
Phase 2: What happens after the audit?
After review of submitted documentation:
• OCR will develop and share draft findings with the entity. The entity may respond to the draft findings; such written responses will be included in the final audit report
• Final audit reports will describe how the audit was conducted, present any findings, and contain entity responses to the draft findings
• Under OCR’s separate, broad authority to open compliance reviews, OCR could decide to open a separate compliance review where significant threats to the privacy and security of PHI are revealed through the audit
Phase 2: Requirements Selected for Desk Audit Review
Privacy Rule
• Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
• Provision of Notice – Electronic Notice [§164.520(c)(3)]
• Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Rule
• Timeliness of Notification [§164.404(b)]
• Content of Notification [§164.404(c)(1)]
Security Rule
• Security Management Process -- Risk Analysis [§164.308(a)(1)(ii)(A)]
• Security Management Process -- Risk Management [§164.308(a)(1)(ii)(B)]
How to organize for an OCR/HHS Audit?
HHS/OCR Audit preparation areas:
1. Policies and procedures
2. Documentation
3. Training
4. BA Agreements and Contracts
5. Risk Analysis and Management
1. Policies and Procedures
• Master Security Policy
• Master Privacy Policy
• Master Breach Policy
Physical Security Policy
  – Maintenance record
  – Disposal
  – Access
Information Security Policy
Access Policy
Sanction Policy
Contingency Plan Policy
Security Incident Procedure/Breach
2. Documentation
• Privacy and Security Notices
• Health Record Request Log
• Training Logs
• PHI/Chart Access Review
Potentially up to 6 years’ worth of documentation is required.
3. Training
• Senior Management
• CIO
• Privacy and Security Officers
• Workforce handling PHI
• IT Team
Training and communication are a key part of interview outcomes.
4. BA Agreements
A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information.
Keep an up-to-date list of BA vendors.
5. Sample Risk Analysis Template
Rows are Impact; columns are Likelihood (High / Medium / Low).
Impact High:
  – Likelihood High: Unencrypted laptop with ePHI
  – Likelihood Medium: Lack of auditing on EHR systems
  – Likelihood Low: Missing security patches on web server hosting patient information
Impact Medium:
  – Likelihood High: Unsecured wireless network in doctor’s office
  – Likelihood Medium: Outdated anti-virus software
  – Likelihood Low: External hard drives not being backed up
Impact Low:
  – Likelihood High: Sales presentation on USB thumb drive
  – Likelihood Medium: Web server backup tape not stored in a secured location
  – Likelihood Low: Weak password on internal document server
Planning ahead is key to successfully managing an HHS/OCR audit.
KEY TAKEAWAYS
• Desk Audits are underway!
• OCR will base its audit only on the documents submitted in the specified electronic process.
• Business Associate desk audits will commence in the Fall, and the selection pool will be comprised largely of the BAs identified by the CEs in their document responses
• Comprehensive onsite audits of both CEs and BAs will begin in early 2017
• Policies, documentation and risk analysis are key areas of focus during an OCR audit
• There is no silver bullet for audit preparation. It is a journey of continuous assessment and improvement
REFERENCES
• HHS Civil Money Penalties
• HHS Wall of Shame
• HIPAA Audit Phase 2 Program – FAQ
• OCR Phase 2 Audit – Q & A
#HIPAASocial
CALL US: 866-276-8309
SERVICE LOCATION: 150 Cornerstone Dr., Cary, NC
SOCIALIZE / FIND US: Twitter: @ehr_20 Facebook: ehr20
Thank you for your attention
Please don’t hesitate to ask questions