Post on 23-Jun-2020
4/15/2016
If You Think Your HIPAA Program’s Rockin’, Wait Until OCR Comes a Knockin’: A Preview of the OCR’s HIPAA Audit Plan
What we strive for…
Reality…
Background
The HITECH Act requires the DHHS to conduct audits of covered entities and business associates to determine compliance with HIPAA. The OCR developed protocols for how they would audit an initial target of 115 entities.
Development and Purpose of the Audit
• For the OCR to develop better audit tools to assess whether entities are complying with HIPAA.
• For the OCR to better understand what types of PHI are out there, in what form, where and how it is stored, and what security measures the industry is implementing.
• From each audit, the audit tool is refined to better assess compliance.
• Not meant to be a punitive process. Meant to be educational for both government and covered entities and business associates.
BOTTOM LINE: Due to a rush of new technologies and the reliance of CEs and BAs on technology to create, store, transmit and secure PHI, the OCR wants to learn more about how these technologies work in the industry and get a better idea of what CEs and BAs are doing to comply with HIPAA.
The Good News
• The initial Pilot Program has been completed. 115 entities were identified and participated.
Type of Entity | Entity Location | OCR Region
Medicaid Plan | - | Region I
Allopathic & Osteopathic Physicians | NY | Region II
Hospital | NJ | Region II
Group Health Plan | PA | Region III
Group Health Plan | DC | Region III
Healthcare Clearinghouse | - | Region III
Nursing & Custodial Care Facilities | MD | Region III
Pharmacy | PA | Region III
SCHIP | - | Region III
Allopathic & Osteopathic Physicians | NC | Region IV
Allopathic & Osteopathic Physicians | AL | Region IV
Hospital | KY | Region IV
Group Health Plan | TN | Region IV
Healthcare Clearinghouse | OK | Region VI
Health Insurance Issuer | NM | Region VI
Hospital | TX | Region VI
Health Insurance Issuer | MO | Region VII
Dentist | CO | Region VIII
Health Insurance Issuer | ND | Region VIII
Laboratory | SD | Region VIII
The Bad News
The current audit tool is complex and very detailed. Lessons learned from the OCR’s experience with CEs and BAs:
• OCR expects full cooperation from the entities. Lack of cooperation in audits and investigations gives the OCR authority to impose Civil Monetary Penalties, on top of the fines described in the HIPAA rules.
• OCR expects CEs and BAs to have conducted good-faith, reasonable risk assessments to determine: (1) where PHI is located in the business; (2) what types of PHI; (3) who has access to PHI; (4) whether entities have updated policies and procedures; (5) whether employees and applicable contractors have been trained; (6) what security measures have been implemented.
• Failure to do at least the above gives the OCR cause to take a harder stance on HIPAA non-compliance.
More Bad News…
• On March 21, 2016, Round 2 of the OCR HIPAA Audits began.
• A new round of federal privacy and security audits will target the business associates of healthcare providers, insurers and other HIPAA-covered entities along with the entities themselves, according to the Office for Civil Rights at HHS.
• This includes about 200 desk audits and 24 more comprehensive on-site visits.
• HHS’ Office for Civil Rights has started sending out e-mails to obtain and verify contact information for covered entities and business associates of various types for possible inclusion in the pool of potential audit subjects.
Insights from OCR
• Top three industries with the most identity theft and personal information breaches (in order from highest to lowest): (1) retail; (2) finance; (3) health care.
• Reports to OCR from Sept. 2009 through August 2015:
  • 1,310 reports involving breaches of PHI affecting 500 or more individuals
    • Theft and loss: 57%
    • Laptops and other portable storage devices: 30%
    • Paper records: 22%
  • 179,000 reports of breaches of PHI affecting fewer than 500 individuals
• While theft is still the most significant issue, the OCR is finding a rise in the following:
  • Types of breaches: hacking/IT and improper disposal
  • Types of records: email, EMR and portable devices
Insights from OCR (cont’d)
• OCR will immediately open up any breach report involving more than 500 individuals.
• The CE or BA should be prepared to respond with:
  • Determination of the root cause of the disclosure
  • Identification of gaps in compliance that resulted in the breach
  • Evidence that the root cause has been addressed to ensure that further breaches do not occur
Recent Enforcement Actions
• Cancer Care Group (electronic)
• St. Elizabeth’s Medical Center (electronic)
• Cornell Prescription Pharmacy (paper)
• Anchorage (electronic)
• Parkview (paper)
• NYP/Columbia (electronic)
• Concentra (electronic)
• QCA (electronic)
• Aetna (electronic)
OCR Enforcement Actions By State
STATE | NO VIOLATION | RESOLVED AFTER INTAKE AND REVIEW | CORRECTIVE ACTION
Alaska | 11% | 57% | 32%
Alabama | 16% | 59% | 25%
Arkansas | 18% | 58% | 24%
Arizona | 13% | 59% | 28%
California | 13% | 64% | 23%
Colorado | 12% | 60% | 28%
Connecticut | 15% | 56% | 29%
District of Columbia | 11% | 60% | 29%
Delaware | 13% | 61% | 26%
Florida | 15% | 59% | 25%
Georgia | 15% | 61% | 24%
Hawaii | 9% | 62% | 29%
Iowa | 8% | 75% | 18%
Idaho | 10% | 57% | 33%
Illinois | 14% | 60% | 27%
Indiana | 14% | 62% | 24%
Kansas | 9% | 73% | 18%
Kentucky | 15% | 61% | 25%
Louisiana | 12% | 66% | 21%
Massachusetts | 17% | 53% | 30%
Maryland | 12% | 63% | 26%
Maine | 22% | 51% | 27%
Michigan | 12% | 64% | 24%
Minnesota | 12% | 60% | 28%
Missouri | 9% | 71% | 20%
Mississippi | 21% | 51% | 28%
Montana | 17% | 58% | 25%
North Carolina | 16% | 56% | 28%
North Dakota | 20% | 51% | 29%
Nebraska | 7% | 74% | 18%
New Hampshire | 16% | 53% | 31%
New Jersey | 13% | 63% | 25%
New Mexico | 13% | 61% | 26%
Nevada | 10% | 64% | 26%
New York | 11% | 65% | 24%
Ohio | 12% | 64% | 24%
Oklahoma | 16% | 62% | 22%
Oregon | 12% | 58% | 31%
Pennsylvania | 14% | 59% | 26%
Rhode Island | 19% | 37% | 44%
South Carolina | 15% | 56% | 28%
South Dakota | 17% | 56% | 27%
Tennessee | 15% | 57% | 28%
Texas | 14% | 62% | 24%
Utah | 15% | 58% | 27%
Virginia | 14% | 60% | 27%
Vermont | 19% | 56% | 26%
Washington | 10% | 57% | 33%
Wisconsin | 14% | 61% | 25%
West Virginia | 14% | 64% | 22%
Wyoming | 12% | 59% | 30%
The OCR Audit Tool: As We Understand It at This Time
The OCR Audit Tool – Risk Assessment
CE must conduct an accurate and thorough risk assessment
Elements of Compliance:
• Policy stating that a risk assessment will be performed
• Audit tool used by CE (including evidence that the audit tool has been revised to meet changes in the CE’s business environment)
• Documentation of risk assessment performed periodically (yearly recommended)
• Documentation evidencing that the CE has identified all areas and systems that contain PHI
OCR Audit Tool - Recommended Technology
CE should consider (but is not required) implementing technology, hardware, software and services to protect PHI.
Elements of Compliance:
• Any technology used should take into account the sensitivity of the type of data and the applicability of the IT solution to the intended environment
• Written policies regarding IT systems used to secure PHI
OCR Audit Tool - CE Audits
CE must regularly review PHI access activity
Elements of Compliance:
• Policy on audit logs, access reports and security incident tracking reports
• Evidence of audit activities
OCR Audit Tool - Security
CE must implement security measures to reduce risks and vulnerabilities to breaches
Elements of Compliance:
• Policy on security measures used
• Measures should address data moved within the organization and data sent out of the organization
OCR Audit Tool - Privacy & Security Officer
CE must designate a HIPAA Privacy and Security Officer responsible for security measures
Elements of Compliance:
• Documentation showing the Privacy and Security Officer has been assigned
• Documentation of the job duties of the HIPAA Privacy and Security Officer
• Org chart showing the chain of command and communication lines relevant to the HIPAA Officers
OCR Audit Tool - Security
CE must implement security measures regarding assigning workforce members access to PHI
Elements of Compliance:
• Policy on how access to PHI is assigned/set up for employees and relevant contractors (e.g., IDs, passwords)
• Policy on levels of access to PHI (including ePHI), and how those whose jobs do not require access to PHI are not given access to PHI
• Policy on terminating access to PHI
• Does the IT system have the capacity to set access controls (e.g., read only, modify, full access, print, etc.)?
OCR Audit Tool - Workforce Training
CE must provide training to its workforce members on HIPAA compliance
Elements of Compliance:
• Training materials
• Documentation of who is trained
OCR Audit Tool – Workforce Training
Additionally, OCR will want to see actual evidence of workforce training
Elements of Compliance:
• Policy on training
• Training materials
• Evidence of initial and periodic training
OCR Audit Tool - Breaches
CE must have procedures on how to respond to suspected or known breaches
Elements of Compliance:
• Policy on breach incidents, to include: how to identify and document incidents, appropriate responses, and post-incident analysis (e.g., root cause analysis)
OCR Audit Tool - Breaches
CE must conduct a risk assessment of each breach event
Elements of Compliance:
• Evidence of analysis of the breach event in order to mitigate future breaches
• Corrective actions (including workforce member discipline, equipment repairs, etc.)
• Notices to affected patients (timeliness of such notices as well)
• Notification to OCR within 60 days (if >500 individuals affected) or within 60 days of the end of the year (if <500)
OCR Recommendations - Breaches
• If a breach is close to 500 affected individuals, carefully determine the exact number affected. If 501, then the case will be immediately opened and a survey will occur.
• If a good-faith risk assessment and internal audits are in place (including proper policies and training of the workforce), then OCR will be easier on the CE.
• If the CE does not cooperate during the investigation, OCR will take a harder stance and may even invoke CMP (Civil Monetary Penalty) law.
OCR Audit Tool - Contingency Plan
CE must have a defined contingency plan
Elements of Compliance:
• Documentation of the process for identifying critical applications, data, operations, and manual and automated processes involving ePHI
• Process for backing up and recovering ePHI
• Process for enabling the continuation of critical business processes that protect the security of ePHI while operating in emergency mode
• Is the contingency plan tested periodically?
OCR Audit Tool – Evaluation Plan
CE must have an evaluation plan
Elements of Compliance:
• Policy on evaluating the effectiveness of security measures
• Example: does software or other technology implemented adequately safeguard PHI, and if not, what changes were made?
• Are processes revised and updated in response to changes in the environment and operations of the organization?
OCR Audit Tool - BAAs
CE must enter into Business Associate Agreements as applicable
Elements of Compliance:
• Policy or process for ensuring BAAs are entered into appropriately
• OCR will request samples of BAAs.
OCR Audit Tool – Physical Access
CE must ensure facility and equipment are protected from unauthorized physical access to, and tampering with or theft of, PHI
Elements of Compliance:
• Policy regarding access to and use of facilities and equipment that house PHI
• Should address employees, contractors, visitors.
OCR Audit Tool – Disaster/Emergency Plan
CE must have a Disaster Recovery Plan and Emergency Mode Operations Plan
Elements of Compliance:
• Policy regarding access to and restoration of lost data
• Should include how to repair or modify physical components of the facility (e.g., hardware, walls, doors, locks, etc.)
OCR Audit Tool - Workstations
CE must assess workforce workstations for risk areas
Elements of Compliance:
• Assess workstations to determine the risk of unauthorized access to PHI.
• Implement safeguards (e.g., screen covers, auto log-off, etc.)
• If laptops are used, are they encrypted and secured in the event they are removed off site?
• Is PHI protected from the elements (e.g., fire, water damage, etc.)?
OCR Audit Tool - Disposal
CE must have a Disposal Plan
Elements of Compliance:
• Policy on how to properly dispose of PHI, including equipment that contains PHI.
OCR Audit Tool - Access
CE must have measures to authenticate users who access ePHI
Elements of Compliance:
• Documentation and process regarding authenticating (verifying) that a person is who he/she claims to be before accessing ePHI (e.g., passwords, smart cards, fingerprint scan).
• Is the authentication process periodically tested for accuracy?
OCR Audit Tool - Authorizations
CE must document and retain any signed authorization
Elements of Compliance:
• Policy regarding documentation and retention of signed authorizations to release PHI.
• OCR will review patient intake forms for both inpatient and outpatient services for consent and authorization forms, if any
OCR Audit Tool – Facility Directory
If the CE has a facility patient directory, only limited information is disclosed
Elements of Compliance:
• Name, location in facility, general condition only, religious affiliation.
• Only release such information to clergy or persons who ask about the patient by name.
• Policy and process permitting the patient to object to disclosure in the directory.
OCR Audit Tool - Disclosure
CE must verify the person is authorized to consent to disclosure
Elements of Compliance:
• Policy must evidence the process for:
  • How the CE verifies the identity of the person authorizing disclosure
  • If a public official is requesting PHI, then they must show (1) an ID card if in person; or (2) a request on government letterhead if not in person
OCR Audit Tool - NPP
Notice of Privacy Practices
Elements of Compliance:
• Notice of Privacy Practices must meet the minimum statements required under HIPAA
• See 45 CFR §164.520
• How are NPPs distributed to patients?
OCR Audit Tool – Patient Rights
Right of the Individual to Request Restrictions, Right to Access and Right to Amend
Elements of Compliance:
• Policy on the patient’s right to restrict uses and disclosures of PHI
• Policy on the patient’s right to access their PHI
• Policy on the patient’s right to amend their PHI
• If the CE denies access to or the ability to amend PHI, then a process is in place for a designated reviewing official to make the decision
• Documentation evidencing each incident
OCR Audit Tool – Accounting of Disclosures
Right of the Individual to an accounting of disclosures
Elements of Compliance:
• Policy on the patient’s right to an accounting of disclosures of PHI
• Documentation of why an accounting is denied (e.g., impedes law enforcement activities)
• Documentation evidencing that the accounting minimally contains the following: (1) name and address of the entity disclosed to; (2) brief statement as to the purpose of the disclosure; (3) description of the PHI disclosed; (4) why it was or was not disclosed.
• OCR will request a sampling of such accounting records.
OCR Audit Tool - Sanctioning
Sanctioning Workforce Members and Contractors
Elements of Compliance:
• Policy on sanctioning (disciplining) workforce members for violating policies and HIPAA
• Corrective actions (including termination) for contractors
• Policy on non-retaliation against workforce members for reporting HIPAA concerns
Key Elements of a HIPAA Compliance Plan
• Privacy and Security policies and procedures
• BAAs in place
• Privacy Officer/Security Officer appointed
• Workforce Training
• Understanding breach reporting obligations
• Periodic Security Risk Assessment
• HHS Security Risk Assessment Tool at healthit.gov
“Lack of robust plan can lead to higher penalties” - OCR
Six Quick & Dirty Tips To Help You Survive an OCR HIPAA Audit
1. Practice & Prepare
• Before OCR comes a knockin’, conduct HIPAA risk assessments and internal audits, review findings, assess vulnerabilities and implement corrective action
• Two-thirds of CEs audited in Phase 1 had not completed a risk assessment
• Overachievers – impress OCR by showing them documentation that you conduct risk assessments and internal audits regularly
2. Evaluate Your Privacy & Security Policies
• Perform an in-depth assessment of your privacy and security policies & procedures or active HIPAA compliance program
• Appoint a HIPAA Compliance Officer or Coordinator
• Privacy compliance should focus on PHI access, administrative requirements, uses and disclosures
• For security compliance, focus on administrative, physical and technical safeguards
3. Perform an Internal Review of Electronic Files
• Encrypting all electronic files is key – primarily patient-sensitive data
• Verify and validate which electronic files are being encrypted
• Perform this assessment before any external audits are done
4. Assess Organizational Compliance Risks
• Phase 1 of the OCR HIPAA audits revealed that two-thirds of organizations were not conducting a complete and accurate HIPAA security risk assessment
• Start by inventorying all of your organization’s systems that handle PHI
• Develop remediation plans, if necessary
• HHS has a free HIPAA security risk assessment tool on their website:
  • www.HealthIT.gov/security-risk-assessment
5. Compile a List of Vendors & Business Associates
• OCR will ask to see a list of all business associates that have access to your PHI
• Include anyone that works “behind the scenes” with your hospitals, health plan or providers
  • i.e., contractors, consultants, software vendors, data storage companies, attorneys, third-party billers, etc.
6. Evaluate, Evaluate, Evaluate
• Inspect your HIPAA policies and procedures, especially:
  • Employee access
  • New hire employee training
  • ePHI policies
  • eFile sharing procedures
  • Faxing, emailing
  • Notice of Privacy Practices & policies
  • Breach mitigation
  • Disaster recovery
  • Data backup
• Update policies & procedures regularly
One Last Joke…
I’m sorry…
Thank you for your kind attention!
Questions?
Christopher J. Allman, JD, CPHRM
Director of Risk Management, Compliance & Insurance
Garden City Hospital
Garden City, Michigan
callman@primehealthcare.com