Vendor Compliance and Oversight September 2014


Page 1: Vendor Compliance and Oversight

Vendor Compliance and Oversight

September 2014

Page 2: Vendor Compliance and Oversight

Proprietary and Confidential

Agenda

» Vendor Management Challenges

» Overview of Business Associate Oversight & Management

» OCR Audits are not your only exposure point

» What to expect in an audit

» Engaging your organization

Page 3: Vendor Compliance and Oversight


Vendor Management Challenges

Reduce total cost by 10% – 20% and expand total spend managed by Supply Chain

» Sourcing

» Self Contracting / Local Agreements

» Identify all PPI, Clinical Services and IT vendors

Credential 100% of vendors including prospective vendors prior to coming onboard

» Ensure value analysis decisions are sustained

» Regulatory and business verifications

» Business Associate risk assessment

» Diversity certification

Improve Patient and Employee safety via 100% onsite rep control

» Infectious disease vaccinations

» Document and policy compliant

» Appointments

Drive process improvements

» Clean vendor master without duplicate tax IDs for feed to other systems

» Meet accreditation requirements

» More work, faster

Page 4: Vendor Compliance and Oversight


Vendor Compliance

Regulatory mandate has forced a call to action in healthcare to improve vendor management: cost/value, fraud and abuse, patient safety and privacy.

Government and Industry oversight and financial pressures …

» HHS/OIG list of excluded individuals and entities

» GSA excluded party list

» OFAC regulations

» Accreditation (JC, DNV)

» Federal False Claims Act

» Federal Anti-kickback Statute (PODs)

» Sunshine Act

» ACA MU

» HIPAA Security (Omnibus)

… are forcing health systems to more thoroughly understand who they are doing business with …

» Sanction checks PRIOR to commencing business; repeat monthly

» On-site access, training, & vaccination verification

» Financial & legal monitoring

» ePHI risk assessment

» Physician owned distributors

» Vendor score carding

» Vendor parent-child

… that can otherwise lead to serious financial and legal ramifications.

» Federal reimbursement withholdings

» MU re-payment

» Financial penalties

» Loss of accreditation

» False claims violations

» Corrective action plan

» Costly litigation

» Image damaged with payors, employers, public

Page 5: Vendor Compliance and Oversight


Business Associate Oversight and Management

Page 6: Vendor Compliance and Oversight


HIPAA Privacy & Security Rule

Requires that covered entities and business associates (BAs) enter into contracts to ensure that the business associates will appropriately safeguard protected health information.

DEADLINE: September 24, 2014

BUSINESS ASSOCIATES: 

• May use or disclose protected health information only as permitted or required by its business associate contract or as required by law. 

• Are directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law.

• Are directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule. 

Page 7: Vendor Compliance and Oversight


How to Identify a Business Associate

PREVIOUSLY: An individual or entity, not acting as an employee, that uses or discloses ePHI on behalf of a Covered Entity (CE)

BROADER NOW: Includes those that “create, receive, maintain or transmit ePHI” on behalf of a CE and their subcontractors

Business associates were previously defined as…

A person or entity that creates, receives, or transmits PHI in fulfilling functions for a HIPAA-covered entity

Business associates are now defined as…

A person or entity that creates, receives, or transmits PHI in fulfilling functions for a HIPAA-covered entity, plus:

• Entities that “maintain” PHI for a covered entity, such as a data storage company

• Health Information Organizations

• Data transmission providers

• Sub-contractors

• E-prescribing gateways

• Entities that offer Personal Health Records

Page 8: Vendor Compliance and Oversight

New Categories of BAs

Data Storage Companies

Subcontractors that create, receive, maintain or transmit PHI on behalf of another BA

Patient Safety Organizations (PSOs)

Health Information Organizations (HIOs)

Page 9: Vendor Compliance and Oversight


What’s the Risk of Not Being In Compliance

VIOLATION CATEGORY              | EACH VIOLATION     | ALL IDENTICAL VIOLATIONS PER CALENDAR YEAR
Did Not Know                    | $100 - $50,000     | $1,500,000
Reasonable Cause                | $1,000 - $50,000   | $1,500,000
Willful Neglect – Corrected     | $10,000 - $50,000  | $1,500,000
Willful Neglect – Not Corrected | $50,000            | $1,500,000

Source: Department of Health and Human Services, Federal Register, http://federalregister.gov/a/2013-01073

Page 10: Vendor Compliance and Oversight


What’s the Risk of Not Being In Compliance

Recent HIPAA Settlements

• New York and Presbyterian Hospital – $3.3M

• Columbia University – $1.5M

• Parkview Health System – $800K

Page 11: Vendor Compliance and Oversight


Business Associates and Data Breaches

Nearly half of all healthcare organizations report more than 5 breaches a year; over forty percent involve third parties…

Breaches Involving Business Associates (% Total Breaches): Business Associates 42%, Covered Entities 58%

Involvement of Business Associates in Breaches (% Total Records Exposed): Business Associates 62%, Covered Entities 38%

Sources: Ponemon Institute 2012; OCR Breach Statistics 2012

Page 12: Vendor Compliance and Oversight


OCR Audits…Not Your Only Exposure Point

Page 13: Vendor Compliance and Oversight


OCR Audits Coming in 2014

• Creation of pool of covered entities eligible for audit complete

• Screening “pre-survey” to be sent to entities summer 2014 – to confirm size, type, contacts

• Selected entities will receive notification and data requests in Fall 2014 – to include identification of business associates

• Business associates in second wave

• Both desk and on-site audits

• Updated protocol will be available on website

Source: OCR presentation from HCCA 2014 Conference

Page 14: Vendor Compliance and Oversight


2014 OIG Work Plan Includes Audits of:

Security of portable devices containing personal health information

Controls over networked medical devices at hospitals (new)

Source: 2014 OIG Work Plan

Page 15: Vendor Compliance and Oversight


Meaningful Use Dollars at Risk

#15. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Source: ONC’s Guide to Privacy and Security of Health Information

Page 16: Vendor Compliance and Oversight


FBI Issues Warning on Breaches

(U) Cyber actors will likely increase cyber intrusions against health care systems – to include medical devices – due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.

Source: FBI PIN

Page 17: Vendor Compliance and Oversight


Business Associate Vendor Compliance Exposure Points

MEANINGFUL USE Stage 1

• Core Measure #15

• HIPAA Data Security – #1 reason to fail audit

HIPAA DATA BREACH / COMPLAINT

• Triggers OCR Investigation

• Can lead to investigations by IRS, FTC and FBI

OCR AUDIT of Covered Entity

• Omnibus Final Rule

• Beginning Fall 2014

• 20 days notification

OIG 2014 WORK PLAN

• HIPAA Data Security Audit

• Patient at risk for identity theft

Page 18: Vendor Compliance and Oversight


Preparing for an Audit

Page 19: Vendor Compliance and Oversight


What to Expect from an OCR Audit

Letter requesting the following with only 20 days to provide:

List of Business Associates with updated contact information

A copy of your most recent security risk assessment

Copies of your HIPAA Policies and Procedures

Proof that you have provided your employees with HIPAA training and security reminders

Your incident response plan

Proof that you have signed agreements with all your Business Associates

Page 20: Vendor Compliance and Oversight


OCR Audit or Breach Investigation

Whether it is a random audit or breach investigation, OCR will be looking for documentation of:

• Policies and procedures

• Implementation of policies and procedures

• Training

• Business associate agreements

• Risk analysis documentation

• Risk management policies, procedures and implementation

• Encryption/decryption evidence

• Mobile device policies and implementation

Page 21: Vendor Compliance and Oversight


Challenges of Managing Business Associates

1. Determining which vendors are business associates

2. Proof of BA oversight: successfully defending against any allegation of willful neglect or lack of oversight

3. Organizational support and alignment across functions for another HIPAA regulatory initiative (e.g., clinical and IT buyers, accounts payable, supply chain, legal, compliance)

4. Sense of urgency, need to act to be “audit-ready” for OCR audits and other investigations

5. Budget for technology and services to identify and provide ongoing oversight

Page 22: Vendor Compliance and Oversight


How Can Your Organization Prepare?

CHALLENGES

• Identifying BA vendors

• Proof of BA oversight

• Full organizational support

• Sense of urgency

SOLUTIONS

• Utilize technology solutions to vet through all existing vendors, then going forward assess new vendors as they come onboard

• Accomplish screening, tracking and cross-department collaboration related to BAs

• Simplify HIPAA compliance by turning policy into documented procedure

• Prepare for OCR audit and investigations with complete reporting to document BA oversight

Page 23: Vendor Compliance and Oversight


How to Get Started

• BA oversight is a shared responsibility across the organization, but an ultimate owner must be identified

• Create a complete, single vendor master file that is the single source of truth

• Define your BA risk categories and assign vendors

• Vet all vendors, new and existing, with technology solutions – register vendors upfront to do BA assessments just as Tax ID and Sanction checks

• Operationalize the workflow

• Perform required oversight tasks

Remember… it is an ongoing process throughout vendor lifecycle

Page 24: Vendor Compliance and Oversight


Engaging Your Organization

Page 25: Vendor Compliance and Oversight


How to Engage your Organization

The Message: HIPAA data security and Business Associate oversight

What is the risk of non-compliance?

• Risk of severe financial penalties

• High cost of data breach

• Regulatory investigation

• Criminal prosecution

• Damage to reputation with the community as a trusted healthcare provider

What do we need to do?

• Revise policies and procedures regarding vendor management to be in compliance with business associate requirements.

• Initial assessment of all vendors

• Oversight tasks of BA vendors

• Ongoing process with new vendors

• Implement enablers – tools, technology & service; scale

• Piece of overall vendor management process

Page 26: Vendor Compliance and Oversight


How to Engage your Organization

BOARD

• Know your board members, their responsibilities and liabilities

• Make opportunities for them to see you as a “trusted advisor”

• Keep it high level and don’t use healthcare jargon and acronyms

• Don’t quote law and statutes

• Do tell a story

C-SUITE

• Know your audience

• Strategically engage the C-suite’s direct reports

• Don’t quote law and statutes

• Do tell a story

• Be clear in asking for help

• Define business risk

Page 27: Vendor Compliance and Oversight


Key Issues by Title

TYPE OF RISK   | TITLE                     | PURVIEW OF ISSUES
All            | CEO                       | All of those listed below, but especially profitability and reputation
Regulatory     | Chief Compliance Officer  | Regulatory risk; being on the 'radar screen' for one issue often makes you visible for others
Security       | Chief Privacy Officer     | Similar to CIO – HIPAA privacy and security
Financial      | Chief Financial Officer   | Threats to profitability, bond rating, insurance premiums
Technology     | Chief Information Officer | 25 – 44% of failures are related to technology safeguards
Reputational   | Chief Marketing Officer   | PR crisis and loss of “trusted community provider” status
Patient Safety | Chief Nursing Officer     | Patient safety compromised; adverse outcomes
Operational    | Chief Operating Officer   | Threats to business continuity, operational efficiency, risk of revocation of necessary permits, licenses, etc.

Page 28: Vendor Compliance and Oversight


Why Act Now?

September 24 deadline to have revised BAAs for all BAs

New rules being enforced

• BA audits starting this Fall – Covered Entities have begun to get letters

• Meaningful Use attestation

• OIG Work Plan

Recent HIPAA Settlements

Very difficult to get policies, procedures and documentation in place…NEED TO START NOW

Page 29: Vendor Compliance and Oversight


FAQs

Q: What are best practices for policies for identifying business associate vendors?

A: You should require all vendors to be registered with your organization, to provide a tax ID and to answer business associate risk questions. Discuss with the internal champion of that vendor whether any protected health information will be accessed.

Q: Some vendors are under the assumption that if they are compliant with rep credentialing requirements, they do not have to sign a BAA. Is this correct?

A: No. If a vendor is a BA, then a BAA needs to be put in place to govern the relationship between the vendor and the covered entity.

Q: We have thought that medical device vendors were not BAs. Are they BAs if the devices collect PHI?

A: Medical device vendors qualify as BAs if they meet the BA definition, but there are some cases in which medical device companies are ‘health care providers’ under HIPAA and do not require a BAA*.

*You should always consult with your legal counsel about your specific circumstance.

Page 30: Vendor Compliance and Oversight


www.vendormate.com