Privacy & Security Audits: How to Prepare and Ensure Compliance

An eBook from the editors of FierceHealthIT, October 2014

Contents
  • Three Keys to HIPAA Success: Document, Document, Document
  • 7 New Threats to Security and Privacy
  • How to Survive a HIPAA Audit
  • Stakes Rise for HIPAA Audits and Investigations



Three Keys to HIPAA Success: Document, Document, Document

By Annette M. Boyle

When it comes to the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations want two outcomes: To avoid a reportable data breach and to emerge unscathed from an audit by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

The key to both lies in proper, thorough and ongoing documentation.

A comprehensive risk assessment is the first step in ensuring patient privacy and data security in accordance with HIPAA. Every covered entity must do a risk assessment each year—but that’s the bare minimum, says Judi Hofman, privacy and information security officer for the four-hospital St. Charles Health System in central Oregon.

“If the risk assessment is not a living document and process, you can be in jeopardy of something dropping out of sight,” Hofman says. She recommends looking at the assessment on a quarterly basis to see if the IT security team and end users have made progress in mitigating the identified risks and then documenting that review and the steps taken as a result.

The assessment must systematically identify and address risks. Former OCR Director Leon Rodriguez has said that inadequate risk analyses were one of the most common weaknesses seen in audits conducted during the pilot program. Special attention should be paid to emerging vulnerabilities—a quick update to last year’s risk assessment will not suffice.

Identify threat level

Hofman notes that every identified vulnerability should be classified as high-, medium- or low-risk, and work plans should focus on quickly mitigating high-risk concerns.



Whether OCR comes to the organization in connection with a breach investigation or conducts a desk audit as part of the permanent HIPAA security audit program, “they will ask for the risk assessment, the work plans and all documentation that shows someone worked on the gaps. If that documentation doesn’t exist, the organization is at risk of failing some HIPAA security implementation obligations,” Hofman says.

If it does exist, healthcare organizations should keep it somewhere convenient and well organized so there’s no last-minute scramble or potential for losing previous years’ risk assessments or work plans that can demonstrate continuous improvement on a comprehensive, well-planned path to security. Once OCR notifies a healthcare organization of an audit, it has just 15 days to respond with the appropriate documentation, according to Steven Gravely, healthcare practice group leader for international law firm Troutman Sanders.

Having a sound risk assessment and documenting how the gaps have been addressed is just the first step. “Even if a hospital complies with HIPAA in terms of how they do things, they need to have policies and procedures they can produce that show that doing A, B and C correctly is a corporate policy,” says Hofman. “That’s the second thing OCR will ask for.”

It’s also important to document which gaps identified in the risk assessment do not have associated work plans and why. “You have to prioritize where to focus your efforts,” says Hofman. “You can’t get to everything at once, so you need to document the decisions on how you roll out work plans and why you are not mitigating one risk when you are addressing another.”

Ministry Health Care: Report to Leadership Metrics

| Metrics | 4th Q 2013 | 1st Q 2014 | 2nd Q 2014 | 3rd Q 2014 |
| --- | --- | --- | --- | --- |
| Number of privacy investigations | | | | |
| Number of reportable OCR privacy breaches | | | | |
| Reportable breach rate | | | | |
| OCR investigation letters (external) | | | | |
| Workforce member sanctions: Level III – final written warning | | | | |
| Workforce member sanctions: Level II – written warning, serious | | | | |
| Workforce member sanctions: Level I – written warning, minor/first offense | | | | |
| Helpline (EthicsPoint) compliance calls – privacy concerns | | | | |

Courtesy of Ministry Health Care, Milwaukee, Wisconsin


Focus internal attention

Clear and consistent documentation helps keep internal audiences focused on HIPAA, too. “We’ve gotten much higher visibility this year by tracking metrics in quarterly reports that are presented to the system president and also go to the board of directors and senior leadership,” says Nancy Davis, system director of privacy for Ministry Health Care, a network of 16 hospitals, clinics and other healthcare organizations in Wisconsin.

Davis’ two-page reports show trends in the number of breaches, investigations, reportable breaches and OCR letters. She also tracks the number of workforce sanctions, such as terminations, written warnings and conversations, as well as the number of helpline calls with privacy concerns. She includes interesting internal and external cases to foster discussion, as well as training updates and information on new tools created.

“Reading a privacy and security policy is like reading War and Peace,” Davis notes. “For those sections that people struggle with, we’ve created frequently-asked-question documents that respond to questions employees would actually ask in a way that makes the policy easier to understand.” So far, Davis has developed FAQs that discuss the HIPAA issues for law enforcement, advanced directives, minors and images.

Respond in a timely manner

Even great documentation and heightened attention to privacy and information security cannot prevent all incidents or reportable breaches. When an incident occurs, timely response matters both to limit potential exposure and to stay in compliance. Healthcare organizations have 60 days from the discovery of a breach affecting 500 or more people to report the breach to HHS. For breaches involving fewer than 500 individuals, covered entities have 60 days after the end of the calendar year in which the breaches were discovered to provide notice.

Large hospitals and systems experience numerous security incidents every day. While just a small percentage will turn out to be reportable breaches, healthcare organizations must track every security event and follow up to determine its severity.

“Many hospitals don’t have systems in place, so they can’t detect every security incident or they don’t have the bandwidth to follow up as they should. They might inadvertently miss a data breach simply because they didn’t have the capacity to fully identify it,” Gravely says.

To keep that scenario from playing out at Ministry Health Care, Davis says she’s been looking at external applications to help detect breaches. “Because of the increase in volume and intensity of incidents, we’re purchasing software to manage investigations,” she says. Quickly identifying an incident and following up on it can keep a minor intrusion from becoming a huge data breach and a regulatory and public relations nightmare.

Thank you to our sponsor:

Synchronize compliance programs across your health care organization with Optum Compliance Suite.

Leveraging years of experience in health care, Optum™ provides a flexible, scalable technology platform to support your organization’s total compliance management needs across clinical, financial and regulatory functions.

With Optum Compliance Suite, you can:

• Evaluate program effectiveness and implement corrective-action plans

• Identify risks and improve traceability for audit inquiries

• Manage incidents, complaints and third-party vendor compliance

Learn more at optum.com.

Or, contact us at 1-800-765-6073 to speak to a representative, or email us at [email protected] to schedule a demo or a free risk assessment of your organization’s compliance risk level.


7 New Threats to Security and Privacy

Privacy and security officers: Here’s why you need to update last year’s risk assessments

By Annette M. Boyle and Brenda L. Mooney

New risks have upped the ante for HIPAA security and privacy officers and increased fines have many on edge. Particularly in the aftermath of the Community Health Systems (CHS) breach, which put 4.5 million patient records at risk across 29 states and 206 hospitals, last year’s risk assessments look woefully inadequate for many healthcare systems and practices. What’s worrying privacy and security officers this year?

Seven issues stand out:

1 International Crime Rings

In late August, the Federal Bureau of Investigation alerted healthcare providers that criminal hackers throughout the world were targeting the U.S. healthcare system, according to Steve Gravely, healthcare practice leader at international law firm Troutman Sanders, based in Richmond, Virginia.

“The threat environment has materially changed in the last six months. No one’s system is hack-proof and a lot of hospitals haven’t done tabletop exercises to practice their response and crisis communication in case of a large scale data breach, mainly because the risk was so low before.”

Nancy Davis, system director of privacy for Ministry Health Care in Milwaukee, agrees that most healthcare systems would be caught flat-footed if hacked by a sophisticated criminal ring. “All the things that a privacy officer would do would not typically include the technical security safeguards like contracting for firewalls. No sooner do you develop safeguards, then there are organizations with unlimited resources that can develop ways to crack them.”

The costs of major breaches are daunting, too. “In the absolute best case, it costs at least $1 per person to remediate, though some estimates for remediation of the CHS breach exceed $75 million. Credit card monitoring wouldn’t be enough. This kind of breach has repercussions far beyond what the average patient can manage,” Davis says.

Credit card monitoring has little value when criminal elements have all of the information needed for identity theft—name, address, birthdate, telephone and Social Security numbers. Breached organizations would be on the hook for a sizable fine from the Department of Health and Human Services’ Office for Civil Rights, lawsuits and settlements, improved security costs and identity theft protection for affected patients.

2 Meaningful Use Regulations

Organizations that have taken federal Meaningful Use payments also take on greater risk. The Centers for Medicare & Medicaid Services (CMS) “is not kidding around when auditing for Meaningful Use,” says Judi Hofman, privacy and security officer at St. Charles Health System, a four-hospital network in central Oregon.

“They will ask for the most current documentation for attestation, and if you’re not documenting progress, you’ll be at risk of having to return the Meaningful Use dollars, which could be $1 million, $5 million or more,” she says. “People forget that funding for Meaningful Use is tied to their HIPAA risk assessment.”

3 The Cloud

Increasing use of cloud storage creates new risks, too, notes Gravely. “Hackers have successfully penetrated systems in some cases with inside help. Not necessarily people on the hospital staff but perhaps a cloud provider or data host employee. Those people don’t have loyalty to your hospital, so it’s a totally different dynamic.”

Even the best firewall and encryption will not protect a healthcare organization from attack by an insider or third party with authorized access or the ability to circumvent security measures.

4 Mobile Devices

Laptops, smartphones and tablets aren’t exactly new risks, but their ubiquity increases the likelihood that an employee will forget one in an unlocked car or leave one open in a public spot, Gravely says. As a result, the number of incidents and possible breaches has skyrocketed.

And mobile apps increasingly have access to sensitive systems, including electronic health records and databases. Employees are walking around with more data in their pockets than anyone imagined at the dawn of mobile devices.

“As mobile phones became a business device, clinical staff now carry with them access to your entire network,” says Linda Reed, CIO at Morristown, New Jersey-based Atlantic Health System. The five-hospital system uses remote device wiping and developed and deployed a virtual desktop product that allows physicians to access information stored on their computer and in the hospital’s networks without downloading any personal health data to their mobile device.


5 Business Associates

Business associate agreements require much more attention than in previous years. As of Sept. 22, 2014, the HIPAA Privacy, Security, Enforcement and Breach Notification Rules require covered entities to bring all their business associate agreements into compliance with the modified rules that went into effect in 2013.

“Business associate agreements were perfunctory in the past; not so anymore,” Davis says. “Business associates are starting to understand that they are responsible for breaches under the new rules and are not as quick to sign our template and are pushing back on notification times and indemnification statement.”

The 2013 modification of the rules classified many more vendors and organizations as business associates and some healthcare organizations may still not have identified and signed agreements with all of the new business associates they have under the law.

6 State Laws

Even as privacy and security officers start to get comfortable with the updated HIPAA regulations, new state laws keep matters in flux.

“In response to changing state law, we are looking at integrating behavioral health records in the electronic health record where that was not an option in the past. We’re trying to fully understand and negotiate around the changes and stay on the right side of federal and state law,” Davis says.

7 Increasing Number of Breaches

The sheer volume of breaches creates additional risks, particularly as organizations strive to do more with fewer people. “The volume of security incidents is really exploding; there are more and more possible situations where there could have been a breach, and it’s outpacing the ability of hospitals to vet and run the incidents to ground,” Gravely says.

The risks could be in human resources, facilities or almost any other department. Greater attention to breaches “is bringing to light the need for better intrusion detection,” Hofman says. “More and more corporations, banks and healthcare organizations are exposed, which is making boards of directors and CEOs ask more questions of their CIOs and privacy and security officers.”


How to Survive a HIPAA Audit

University of Kentucky HealthCare’s Brett Short shares tips from the OCR privacy and security audit trenches

By Annette M. Boyle

No hospital compliance officer wants to start the day with a text like the one Brett Short received.

Short is the chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, which runs three hospitals and more than 80 clinics. He was scanning the Office for Civil Rights’ (OCR) listserv when he received a text from the healthcare system’s privacy officer. She had just taken a call from an auditor with KPMG, a government contractor for the first round of HIPAA audits, who asked: “Did you get our letter? The ten days are up tomorrow and we haven’t heard from you regarding the audit.”

FierceHealthcare spoke with Short to learn what happened next, the lessons he learned from the audit experience and what changes are in store for the next round of OCR’s Health Insurance Portability and Accountability Act audits.

FierceHealthIT: You didn’t learn that you were being audited until the deadline to submit documents was around the corner. How did you get everything together so quickly?

Short: We explained that we never received the audit letter and that there are 30,000 people at the email address they used to contact us. So they gave us a few extra days. We put a lot of resources into assembling the documents.

Primarily, though, we were able to respond fast enough because we check ourselves regularly. We review the standards that we have to adhere to and make sure our policies and procedures are up-to-date and our security practices reflect our current risks. And we document everything.

FHIT: What happened during the audit?

Short: The information on the OCR site about the HIPAA audits is very accurate and the auditors did an excellent job of communicating their expectations at the beginning of the process and during periodic meetings when we discussed their findings. They reviewed the documentation requested, looked at our policies and procedures, interviewed officials, observed our activities and documented the findings.

We expected all that. But after the privacy and security assessments by separate teams, we got a surprise—a multi-page letter asking us about our anti-fraud efforts. So we had to explain our risk assessment for fraud and the procedures we use to identify, respond to and educate employees about fraud.

FHIT: What lessons did you learn and what did you change as a result of your experience with this audit?

Short: My staff makes fun of me for having binders for everything, but if auditors knock on the door, I want to be able to give them the information they need in 15 minutes. We compile monthly reports with different data elements and pull those together quarterly, along with effectiveness metrics, to identify trends. If we see an emerging risk, we address it right away.

We also do a yearly review on the content of our education program based on the trends we have seen and determine if we need to get more information to employees on specific topics. We also use software to track complaints and investigations and compile the metrics. And, of course, we do an annual risk assessment.

We were pleased with the outcome of the audit, but I want to make sure we are always ready for another.

FHIT: What procedures would you recommend for managing a privacy and security audit?

Short: First, you need to prepare to manage a huge amount of documentation before and during an onsite visit. From the very beginning, number each request and refer to them by number. Track everything you provide with a date- and time-stamp and note who received the documentation. The auditors may ask for the same document multiple times.

Then, you need to prepare your people for the audit. Remind your employees and compliance team about your hospital or healthcare system’s policy on inquiries and investigations. Help everyone who is likely to be involved, including human resources, internal auditors and the IT department staff, so they know what to expect and understand how important this is. Make sure your privacy or security officer accompanies the auditors on every interview and takes notes.

FHIT: Do you have any tips to help other healthcare organizations prepare for the next round of HIPAA audits?

Short: I’ve got five: First, you have to have a commitment to patient privacy from top down, bottom up and middle outward.


Second, you must be the champion of the program. You need to understand the standards and be able to demonstrate those standards. Look at the elements of the compliance program and ensure you have the right program and right documentation to be effective.

Third, review yourself regularly. Do monthly reports and quarterly reviews. Keep the program current and responsive to your risks and trends.

Once you have those three items in place for your program, apply them to your business associates. Ask them whether they know what a breach is, how they train their employees on HIPAA, how they would report a breach. Trying to figure that stuff out after something bad has happened is not where you want to be.

Finally, keep in mind none of this is “once and done.” These aren’t completed tasks; they need constant attention. You establish policies and institute security procedures, review how they are working, find issues, fix them and go back and test. It’s ongoing.

FHIT: The second round of audits has been delayed while OCR prepares an online portal that organizations can use to submit documents, which should make things easier for organizations. What other changes do you see coming up?

Short: I’ve got to say that looking at the highlighted changes for the next round, they really listened to the entities that went through the last set of audits.

When Linda Sanches, the senior adviser for health information privacy at HHS, spoke at the March Health Care Compliance Association meeting, I didn’t notice that she mentioned fraud attestations as part of the audits. It looks like that may have been driven more by KPMG’s professional standards for a performance audit than by OCR. So I wouldn’t expect that to be a part of the new round of audits.

And now they’re verifying emails, so there should be fewer lost letters and surprise calls.
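The request-numbering and time-stamped tracking Short describes above (number each auditor request, record what was handed over, when and to whom, and expect the same document to be asked for more than once), as an added Python example that is not from the eBook or from University of Kentucky HealthCare. Each request gets a sequential number; every delivery is logged with a SHA-256 digest of the exact bytes produced, a UTC timestamp and the recipient; and entries are hash-chained so the register itself can later be shown not to have been edited. The request descriptions, file names, document contents and "auditor A/B" recipients are constructed sample data.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor for the first entry's hash chain


@dataclass(frozen=True)
class Production:
    """One document handed to the auditors, tied to a numbered request."""
    request_no: int
    document: str
    sha256: str       # digest of the exact bytes produced
    produced_at: str  # ISO-8601 timestamp, UTC
    received_by: str  # auditor who took delivery
    entry_hash: str   # SHA-256 over this entry plus the previous entry_hash


def _entry_hash(prev: str, request_no: int, document: str, sha256: str,
                produced_at: str, received_by: str) -> str:
    fields = [prev, str(request_no), document, sha256, produced_at, received_by]
    return hashlib.sha256("|".join(fields).encode()).hexdigest()


class EvidenceRegister:
    """Numbered auditor requests plus a hash-chained log of what was produced."""

    def __init__(self) -> None:
        self.requests: dict[int, str] = {}
        self.productions: list[Production] = []

    def open_request(self, description: str) -> int:
        """Number each request sequentially; refer to it by that number from then on."""
        number = len(self.requests) + 1
        self.requests[number] = description
        return number

    def produce(self, request_no: int, document: str, content: bytes,
                received_by: str, when: datetime | None = None) -> Production:
        """Record a delivery: who got which bytes, for which request, and when."""
        if request_no not in self.requests:
            raise KeyError(f"no such request: {request_no}")
        stamp = (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
        digest = hashlib.sha256(content).hexdigest()
        prev = self.productions[-1].entry_hash if self.productions else GENESIS
        entry = Production(request_no, document, digest, stamp, received_by,
                           _entry_hash(prev, request_no, document, digest, stamp, received_by))
        self.productions.append(entry)
        return entry

    def history(self, request_no: int) -> list[Production]:
        """Everything produced under one request number, in delivery order."""
        return [p for p in self.productions if p.request_no == request_no]

    def repeat_productions(self) -> dict[str, list[int]]:
        """Identical content produced more than once: digest -> request numbers."""
        by_digest: dict[str, list[int]] = {}
        for p in self.productions:
            by_digest.setdefault(p.sha256, []).append(p.request_no)
        return {d: nos for d, nos in by_digest.items() if len(nos) > 1}

    def verify_chain(self) -> bool:
        """Recompute every entry hash; False if any entry was altered or removed."""
        prev = GENESIS
        for p in self.productions:
            expected = _entry_hash(prev, p.request_no, p.document, p.sha256,
                                   p.produced_at, p.received_by)
            if p.entry_hash != expected:
                return False
            prev = p.entry_hash
        return True


def demo() -> EvidenceRegister:
    """Constructed walk-through: fixed timestamps and fake document contents."""
    reg = EvidenceRegister()
    risk_analysis = b"Enterprise risk analysis, FY2014 (constructed sample)"
    sanctions_policy = b"Workforce sanctions policy (constructed sample)"
    t0 = datetime(2014, 10, 6, 9, 0, tzinfo=timezone.utc)

    r1 = reg.open_request("Most recent enterprise-wide risk analysis")
    r2 = reg.open_request("Policies and procedures for workforce sanctions")
    reg.produce(r1, "risk_analysis_2014.pdf", risk_analysis, "auditor A", t0)
    reg.produce(r2, "sanctions_policy.pdf", sanctions_policy, "auditor A", t0.replace(hour=10))
    # The same document asked for again during interviews: log it again under the
    # new request number rather than pointing back at request 1.
    r3 = reg.open_request("Risk analysis, re-requested during on-site interviews")
    reg.produce(r3, "risk_analysis_2014.pdf", risk_analysis, "auditor B", t0.replace(hour=14))
    return reg


if __name__ == "__main__":
    register = demo()
    for p in register.productions:
        print(f"#{p.request_no} {p.produced_at} {p.document} -> {p.received_by} sha256={p.sha256[:12]}")
    print("repeats:", register.repeat_productions())
    print("chain intact:", register.verify_chain())
```

Hashing the bytes rather than the file name is the point: if a policy is revised between the first and second request, the register shows two different digests under the same name, and the organization can say exactly which version each auditor received. The chain only detects edits to the register; it does not prove the timestamps, so the register should be written to storage the audit team cannot rewrite (append-only or signed backups) if that assurance is needed.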


Stakes Rise for HIPAA Audits and Investigations

By Annette M. Boyle and Brenda L. Mooney

Healthcare organizations that didn’t get a HIPAA pre-audit questionnaire from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) this summer breathed a sigh of relief. But they may find themselves back on edge following recent changes to the program.

Originally planned to kick off this fall, “the audit program is being delayed so that OCR can update some of their technology to allow entities to enter data through a portal,” says Angela Dinh Rose, director of health information management practice excellence for the American Health Information Management Association (AHIMA). The portal will allow organizations that receive the pre-screening surveys to respond and submit documents online. To that end, questionnaires are still going out, and organizations now could be selected for comprehensive audits rather than the narrow desk audits OCR originally announced.

When exactly the next round of audits will begin remains uncertain. “OCR continues to work to develop a permanent audit program and will address the scope and timing of future audits in that context,” Rachel Seeger, senior advisor for public affairs and outreach at OCR, tells FierceHealthIT. “Organizations should stay tuned to OCR’s listservs for more information.”

Although OCR has not yet set a firm date, Rose predicts, based on the activities to date, the audits will start in 2015 and carry over to 2016.

And, she adds, more of the audits will be comprehensive, on-site events than projected.

“Originally, OCR announced that they would conduct 400 targeted desk audits, 350 of covered entities and 50 of business associates,” Rose says. Those audits were expected to be split so that 150 organizations would have security audits, 100 would have privacy standards reviews and 100 would be audited for breach standards.

“The latest information is that OCR will conduct fewer than 200 desk audits and the balance will now cover compliance with both the Privacy Rule and the Security Rule, including breach notifications,” Rose says.

Healthcare organizations will first see the questionnaires or pre-audit screening tool. “That first set of paperwork is mostly about profiles [and] describing your system, so that they don’t interview our main campus and then randomly select a hospital on the east side of Cleveland that’s part of our system,” says Mark Dill, director of information security at Ohio-based Cleveland Clinic, which includes eight community hospitals and additional facilities in Florida, Nevada and Toronto.

Organizations selected for an audit from the prescreened pool will have 15 days from date of notification to provide requested documentation. “You’ll be audited on what was in place at the time of

the notification letter,” Dill says. “So make sure your risk assessment is up-to-date and your policies and procedures reflect what you’re doing—before you get a letter.”

Adds Rose: “Don’t have an update party and get all new signatures.”

Areas of audit focus

OCR will look more closely at compliance issues it identified in the previous round of audits. Those include risk analysis and risk management, security and control of portable electronic devices, proper disposal of protected health information, physical access controls, training, lack of senior leadership attention and culture of compliance, according to Seeger.

“In all audit rounds, people fell short on risk assessment. It’s not a ‘once and done’ matter; you have to make sure it stays current,” Rose says.

Beyond scheduled reviews, Seeger says that certain internal changes are likely to trigger a new look at risks. Healthcare organizations should “take a careful assessment when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet,” she notes.

The audits will also be affected by OCR’s experience with data breaches. “For breaches affecting 500 or more individuals, loss and theft continue to be the leading cause,” which has made encryption a high priority, according to Seeger. Through mid-September, 113 healthcare organizations had reported breaches affecting 500 or more patients in 2014. Theft or loss accounted for 59 of those, half of which were lost or stolen laptops or other portable electronic devices, according to OCR’s website.

“The days of a laptop being stolen and not encrypted are gone. Encryption isn’t mandated by the Omnibus Rule, but it might as well be,” Rose says.

Covered entities seem to have stepped up to the new requirements for business associates. Seeger notes that, while OCR continues to see some issues, anecdotally at least, many healthcare organizations and business associates have come into compliance this year, though hard data is not yet available to document improvement.

Enforcement picks up

Organizations not selected for an audit still need to be prepared, says Dill, because investigations happen to even the most careful organizations. OCR has said repeatedly it will significantly increase its investigations of complaints and compliance reviews.

If OCR comes knocking in response to a complaint or reported breach, “the number of patients affected would certainly increase the scope of the audit and what they’ll look for,” says Michelle Carter, privacy officer and manager of the health information management department at the 189-bed Holland (Michigan) Hospital. “Any audit has to be taken seriously, so you need to keep an incident log on every situation and document how you handled it.” Keep track of how you followed up, what kind of education you provided and whether you had the same outcomes in similar situations, for example.

Recent HIPAA Settlements

| Announcement date | Organization | Issue | Settlement |
| --- | --- | --- | --- |
| June 2014 | Parkview Health System | Records dumping | $800,000 |
| May 2014 | New York Presbyterian/Columbia University | Data breach | $4,800,000 |
| April 2014 | Concentra Health Services | Stolen, unencrypted laptop | $1,725,000 |
| April 2014 | QCA Health Plan of Arkansas | Stolen, unencrypted laptop | $250,000 |
| March 2014 | Skagit County Public Health | Compliance | |

Source: CMS

OCR investigations can result in substantial penalties, particularly, as Carter notes, when a security breach puts a large number of patient records at risk. In 2012 and 2013, OCR entered into 10 resolution agreements that included monetary settlements totaling almost $9 million and extensive corrective action plans.

While this represents a very small fraction of the complaints and compliance reviews that OCR investigates, Seeger says, it is an increase in the number of high-impact cases that OCR resolved through resolution agreements and corrective action plans.

The pace has picked up further in 2014 with five settlements announced in the first six months of the year that total more than $7.7 million. Healthcare

organizations and their business associates should expect the number and cost of investigations to continue to rise. “OCR will continue this uncompromising enforcement posture into the future,” Seeger says.

The largest settlement to date involved New York-Presbyterian Hospital and Columbia University. The two institutions agreed to pay $4.8 million in connection with a data breach that exposed the protected health information of close to 7,000 patients.

OCR has yet to announce settlements associated with a Community Health Systems breach reported this summer that exposed the data of 4.5 million patients or with the July theft of an unencrypted laptop from the department of surgery at Temple University that had personal health information of 3,780 patients.