Vendor Compliance and Oversight
September 2014
Proprietary and Confidential
Agenda
» Vendor Management Challenges
» Overview of Business Associate Oversight & Management
» OCR Audits are not your only exposure point
» What to expect in an audit
» Engaging your organization
Vendor Management Challenges
Reduce total cost by 10% – 20% and expand total spend managed by Supply Chain
» Sourcing
» Self contracting / local agreements
» Identify all PPI, clinical services and IT vendors
Credential 100% of vendors, including prospective vendors, prior to coming onboard
» Ensure value analysis decisions are sustained
» Regulatory and business verifications
» Business Associate risk assessment
» Diversity certification
Improve patient and employee safety via 100% onsite rep control
» Infectious disease vaccinations
» Document and policy compliance
» Appointments
Drive process improvements
» Clean vendor master without duplicate tax IDs for feeds to other systems
» Meet accreditation requirements
» More work, faster
Regulatory mandate has forced a call to action in healthcare to improve vendor management: cost/value, fraud and abuse, patient safety and privacy.
Government and Industry oversight and financial pressures …
» HHS/OIG list of excluded individuals and entities
» GSA excluded party list
» OFAC regulations
» Accreditation (JC, DNV)
» Federal False Claims Act
» Federal Anti-kickback Statute (PODs)
» Sunshine Act
» ACA MU
» HIPAA Security (Omnibus)
… are forcing health systems to more thoroughly understand who they are doing business with …
» Sanction checks PRIOR to commencing business; repeat monthly
» On-site access, training, & vaccination verification
» Financial & legal monitoring
» ePHI risk assessment
» Physician owned distributors
» Vendor score carding
» Vendor parent-child
… that can otherwise lead to serious financial and legal ramifications.
» Federal reimbursement withholdings
» MU re-payment
» Financial penalties
» Loss of accreditation
» False claims violations
» Corrective action plan
» Costly litigation
» Image damaged with payors, employers, public
Vendor Compliance
Business Associate Oversight and Management
HIPAA Privacy & Security Rule
Requires that covered entities and business associates (BAs) enter into contracts to ensure that the business associates will appropriately safeguard protected health information.
DEADLINE: September 24, 2014
BUSINESS ASSOCIATES:
• May use or disclose protected health information only as permitted or required by its business associate contract or as required by law.
• Are directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law.
• Are directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
How to Identify a Business Associate
PREVIOUSLY: An individual or entity, not acting as an employee, that uses or discloses ePHI on behalf of a Covered Entity (CE)
BROADER NOW: Includes those that “create, receive, maintain or transmit ePHI” on behalf of a CE, and their subcontractors
Business associates were previously defined as:
» A person or entity that creates, receives, or transmits PHI in fulfilling functions for a HIPAA-covered entity
Business associates are now defined to also include:
» Entities that “maintain” PHI for a covered entity, such as a data storage company
» Health Information Organizations
» Data transmission providers
» Subcontractors
» E-prescribing gateways
» Entities that offer Personal Health Records
New Categories of BAs
» Data storage companies
» Subcontractors that create, receive, maintain or transmit PHI on behalf of another BA
» Patient Safety Organizations (PSOs)
» Health Information Organizations (HIOs)
What’s the Risk of Not Being In Compliance
Violation category              | Each violation     | All identical violations per calendar year
Did Not Know                    | $100 - $50,000     | $1,500,000
Reasonable Cause                | $1,000 - $50,000   | $1,500,000
Willful Neglect – Corrected     | $10,000 - $50,000  | $1,500,000
Willful Neglect – Not Corrected | $50,000            | $1,500,000
Source: Department of Health and Human Services, Federal Register, http://federalregister.gov/a/2013-01073
Recent HIPAA Settlements
• New York and Presbyterian Hospital – $3.3M
• Columbia University – $1.5M
• Parkview Health System – $800K
Business Associates and Data Breaches
Nearly half of all healthcare organizations report more than 5 breaches a year, and over forty percent of breaches involve third parties…
Breaches involving business associates (% of total breaches): Business Associates 42%, Covered Entities 58%
Involvement of business associates in breaches (% of total records exposed): Business Associates 62%, Covered Entities 38%
Sources: Ponemon Institute 2012; OCR Breach Statistics 2012
OCR Audits… Not Your Only Exposure Point
OCR Audits Coming in 2014
• Creation of pool of covered entities eligible for audit complete
• Screening “pre-survey” to be sent to entities summer 2014 – to confirm size, type, contacts
• Selected entities will receive notification and data requests in Fall 2014 – to include identification of business associates
• Business associates in second wave
• Both desk and on-site audits
• Updated protocol will be available on website
Source: OCR presentation from HCCA 2014 Conference
2014 OIG Work Plan Includes Audits of:
• Security of portable devices containing personal health information
• Controls over networked medical devices at hospitals (new)
Source: 2014 OIG Work Plan
Meaningful Use Dollars at Risk
Core Measure #15: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Source: ONC’s Guide to Privacy and Security of Health Information
FBI Issues Warning on Breaches
(U) Cyber actors will likely increase cyber intrusions against health care systems – to include medical devices – due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.
Source: FBI PIN
Business Associate Vendor Compliance Exposure Points
MEANINGFUL USE Stage 1
• Core Measure #15
• HIPAA data security: #1 reason to fail an audit
HIPAA DATA BREACH / COMPLAINT
• Triggers OCR investigation
• Can lead to investigations by IRS, FTC and FBI
OCR AUDIT of Covered Entity
• Omnibus Final Rule
• Beginning Fall 2014
• 20 days notification
OIG 2014 WORK PLAN HIPAA Data Security Audit
• Patient at risk for identity theft
Preparing for an Audit
What to Expect from an OCR Audit
Letter requesting the following with only 20 days to provide:
List of Business Associates with updated contact information
A copy of your most recent security risk assessment
Copies of your HIPAA Policies and Procedures
Proof that you have provided your employees with HIPAA training and security reminders
Your incident response plan
Proof that you have signed agreements with all your Business Associates
OCR Audit or Breach Investigation
Whether it is a random audit or a breach investigation, OCR will be looking for documentation of:
• Policies and procedures
• Implementation of policies and procedures
• Training
• Business associate agreements
• Risk analysis documentation
• Risk management policies, procedures and implementation
• Encryption/decryption evidence
• Mobile device policies and implementation
Challenges of Managing Business Associates
1. Determining which vendors are business associates
2. Proof of BA oversight: successfully defending against any allegation of willful neglect or lack of oversight
3. Organizational support and alignment across functions for another HIPAA regulatory initiative (e.g., clinical and IT buyers, accounts payable, supply chain, legal, compliance)
4. Sense of urgency, need to act to be “audit-ready” for OCR audits and other investigations
5. Budget for technology and services to identify and provide ongoing oversight
How Can Your Organization Prepare?
CHALLENGES
• Identifying BA vendors
• Proof of BA oversight
• Full organizational support
• Sense of urgency
SOLUTIONS
• Utilize technology solutions to vet all existing vendors, then assess new vendors as they come onboard
• Accomplish screening, tracking and cross-department collaboration related to BAs
• Simplify HIPAA compliance by turning policy into documented procedure
• Prepare for OCR audits and investigations with complete reporting to document BA oversight
How to Get Started
• BA oversight is a shared responsibility across the organization, but you must identify an ultimate owner
• Create a complete, single vendor master file that is the single source of truth
• Define your BA risk categories and assign vendors to them
• Vet all vendors, new and existing, with technology solutions
– Register vendors upfront so BA assessments happen alongside Tax ID and sanction checks
• Operationalize the workflow
• Perform required oversight tasks
Remember… it is an ongoing process throughout the vendor lifecycle
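The steps above (one vendor master, deduplicated tax IDs, a BA determination from the create/receive/maintain/transmit questionnaire, sanction checks repeated monthly, and tracking of signed BAAs) as a single runnable Python example. This is an added example and not Vendormate's code or tooling: the exclusion list entries, vendor records, questionnaire answers, the 30-day recheck window and the suffix-stripping name normalization are all constructed assumptions, and the normalization is a deliberately simple stand-in for the fuzzy matching a real screening product would use.

```python
"""Screen a vendor master for business associate (BA) oversight.

Added example; not Vendormate's code. The vendors, the exclusion list and the
questionnaire answers are constructed stand-ins so the script runs offline.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for an exclusion list (a real HHS/OIG LEIE or SAM
# download has many more fields). Tax IDs are not always published.
EXCLUSION_LIST = [
    {"name": "Acme Medical Supply, Inc.", "tin": "12-3456789"},
    {"name": "NORTHSIDE IMAGING LLC", "tin": ""},
]

SUFFIXES = {"INC", "LLC", "CORP", "CO", "LTD", "THE"}  # assumed suffix set


def normalize_name(name: str) -> str:
    """Uppercase, drop punctuation and corporate suffixes so that
    'Acme Medical Supply, Inc.' and 'ACME MEDICAL SUPPLY INC' compare equal."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def normalize_tin(tin: str) -> str:
    """Keep digits only: '12-3456789' and '123456789' are the same entity."""
    return re.sub(r"\D", "", tin)


@dataclass
class Vendor:
    name: str
    tin: str
    # BA questionnaire answered at registration: does the vendor create,
    # receive, maintain or transmit PHI on the covered entity's behalf?
    creates: bool = False
    receives: bool = False
    maintains: bool = False
    transmits: bool = False
    baa_signed: bool = False
    last_sanction_check: Optional[date] = None


def is_business_associate(v: Vendor) -> bool:
    """Omnibus test: any one of create/receive/maintain/transmit PHI makes a BA."""
    return v.creates or v.receives or v.maintains or v.transmits


def dedupe_by_tin(vendors: List[Vendor]) -> Tuple[List[Vendor], List[str]]:
    """Keep one record per tax ID; return the survivors and the duplicate names."""
    seen: Dict[str, Vendor] = {}
    dupes: List[str] = []
    for v in vendors:
        key = normalize_tin(v.tin)
        if key in seen:
            dupes.append(v.name)
        else:
            seen[key] = v
    return list(seen.values()), dupes


def sanction_hits(v: Vendor) -> List[Tuple[str, str]]:
    """Match on tax ID when the list publishes one, otherwise on normalized name.
    Name-only hits are candidates for manual review, not proof of exclusion."""
    hits: List[Tuple[str, str]] = []
    vt, vn = normalize_tin(v.tin), normalize_name(v.name)
    for entry in EXCLUSION_LIST:
        et = normalize_tin(entry["tin"])
        if et and et == vt:
            hits.append(("tin", entry["name"]))
        elif normalize_name(entry["name"]) == vn:
            hits.append(("name", entry["name"]))
    return hits


def oversight_findings(vendors: List[Vendor], today: date,
                       recheck_days: int = 30) -> Dict[str, List[str]]:
    """Per-vendor findings: exclusion hit, BA without a BAA, monthly recheck overdue."""
    master, dupes = dedupe_by_tin(vendors)
    findings: Dict[str, List[str]] = {"duplicate_tin": dupes}
    for v in master:
        issues: List[str] = []
        if sanction_hits(v):
            issues.append("EXCLUDED")
        if is_business_associate(v) and not v.baa_signed:
            issues.append("BAA_MISSING")
        if (v.last_sanction_check is None
                or (today - v.last_sanction_check).days > recheck_days):
            issues.append("RECHECK_OVERDUE")
        findings[v.name] = issues
    return findings


# Constructed vendor master: an excluded BA without a BAA, a stale recheck with
# a duplicate tax ID record, and a non-BA vendor that is clean.
SAMPLE_VENDORS = [
    Vendor("Acme Medical Supply Inc", "123456789", receives=True,
           last_sanction_check=date(2014, 9, 1)),
    Vendor("Northside Imaging, LLC", "98-7654321", maintains=True,
           baa_signed=True, last_sanction_check=date(2014, 6, 1)),
    Vendor("Northside Imaging LLC", "987654321", maintains=True, baa_signed=True),
    Vendor("Fresh Flowers Co", "55-5555555", last_sanction_check=date(2014, 9, 10)),
]


def sample_findings() -> Dict[str, List[str]]:
    """Run the screen over the constructed master as of the BAA deadline date."""
    return oversight_findings(SAMPLE_VENDORS, date(2014, 9, 24))


if __name__ == "__main__":
    for name, issues in sample_findings().items():
        print(f"{name}: {issues or 'OK'}")
```

In practice the exclusion data comes from the downloaded LEIE and SAM files rather than a literal, a name-only hit is queued for a human to confirm before any action, and the recheck window is whatever the monthly policy states; the point of the structure is that the same registration record drives the tax ID check, the sanction check and the BA determination, so no vendor reaches the master without all three.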
Engaging Your Organization
How to Engage your Organization
The Message: HIPAA data security and Business Associate oversight
What is the risk of non-compliance?
• Risk of severe financial penalties
• High cost of a data breach
• Regulatory investigation
• Criminal prosecution
• Damaged reputation with the community as a trusted healthcare provider
What do we need to do?
• Revise policies and procedures regarding vendor management to comply with business associate requirements
• Initial assessment of all vendors
• Oversight tasks for BA vendors
• Ongoing process for new vendors
• Implement enablers – tools, technology & services; scale
• Make it a piece of the overall vendor management process
How to Engage your Organization
BOARD
• Know your board members, their responsibilities and liabilities
• Make opportunities for them to see you as a “trusted advisor”
• Keep it high level and don’t use healthcare jargon and acronyms
• Don’t quote law and statutes
• Do tell a story
C-SUITE
• Know your audience
• Strategically engage the C-suites’ direct reports
• Don’t quote law and statutes
• Do tell a story
• Be clear in asking for help
• Define business risk
Key Issues by Title
Type of risk   | Purview                   | Issues
All            | CEO                       | All of those listed below, but especially profitability and reputation
Regulatory     | Chief Compliance Officer  | Regulatory risk; being on the 'radar screen' for one issue often makes you visible for others
Security       | Chief Privacy Officer     | Similar to CIO – HIPAA privacy and security
Financial      | Chief Financial Officer   | Threats to profitability, bond rating, insurance premiums
Technology     | Chief Information Officer | 25 – 44% of failures are related to technology safeguards
Reputational   | Chief Marketing Officer   | PR crisis and loss of “trusted community provider” status
Patient Safety | Chief Nursing Officer     | Patient safety compromised; adverse outcomes
Operational    | Chief Operating Officer   | Threats to business continuity, operational efficiency, risk of revocation of necessary permits, licenses, etc.
Why Act Now?
• September 24 deadline to have revised BAAs in place for all BAs
• New rules being enforced
– BA audits starting this Fall; Covered Entities have begun to get letters
– Meaningful Use attestation
– OIG Work Plan
• Recent HIPAA settlements
• It is very difficult to get policies, procedures and documentation in place… NEED TO START NOW
FAQs
Q: What are best practices for policies to identify business associate vendors?
A: You should require all vendors to be registered with your organization, to provide a tax ID and to answer business associate risk questions. Discuss with the internal champion of that vendor whether any protected health information will be accessed.
Q: Some vendors are under the assumption that if they are compliant with rep credentialing requirements they do not have to sign a BAA. Is this correct?
A: No. If a vendor is a BA, then a BAA needs to be put in place to govern the relationship between the vendor and the covered entity.
Q: We have thought that medical device vendors were not BAs. Are they BAs if the devices collect PHI?
A: Medical device vendors qualify as BAs if they meet the BA definition, but there are some cases in which medical device companies are ‘health care providers’ under HIPAA and do not require a BAA.*
*You should always consult with your legal counsel about your specific circumstance.
www.vendormate.com