© Clearwater Compliance | All Rights Reserved
Legal Disclaimer
The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
OCR Phase 2 Audits and How Best to Prepare
November 2, 2016
About Your Speaker
Michelle Caswell, Senior Director Legal & Compliance | JD
• More than 15 years healthcare experience
• Extensive experience in HIPAA Privacy, Security and Breach Notification Rules
• Former HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights
• Experienced Principal Healthcare Privacy/Security Consultant, conducting compliance audits and risk assessments; drafting policies and procedures; training staff and assisting with remediation efforts
• Licensed attorney in Georgia and Tennessee
• Frequent national speaker on healthcare compliance and security
Overview
“How to Prepare for an OCR Audit or Investigation”
Instructional Module Duration = 60 Minutes
Learning Objectives Addressed in This Module:
1. Why Bother to Prepare?
2. Where are the Gaps in Compliance?
3. What to do About It?
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!
Awards and Recognition
[Award logos: 2015 & 2016 Exclusive Industry Resource Provider; Software Used by NSA/CAEs; Sole Source Provider; #11 – 2015 & 2016]
1. Why Bother To Prepare
Three Pillars Of HIPAA Compliance…
HITECH
HIPAA
Privacy Rule
• 75 pages / 27K words
• 56 Standards
• 54 Implementation Specs
Security Rule
• 18 pages / 4.5K words
• 22 Standards
• 50 Implementation Specs
Breach Notification
• 6 pages / 2K words
• 4 Standards
• 9 Implementation Specs
OMNIBUS FINAL RULE
Key Audit Inquiry
2012
1. Inquire of management as to whether formal or informal policy and procedures exist
2. Obtain and review formal or informal policy and procedures
3. Evaluate the content in relation to the specified performance
4. Determine if the covered entity's formal or informal policy and procedures have been approved and updated on a periodic basis.
2016
1. Does the entity have policies and procedures in place?
2. Determine how the entity has implemented the requirements
3. Obtain and review documentation demonstrating that policies and procedures have been implemented
4. Evaluate and determine if practices are handled in accordance with the related policies and procedures
5. Elements to review may include…
Phase 2 Audits: Current Audit Protocol
• As of July 11, 2016, 167 health plans, health care providers and clearinghouses were notified of desk audits
• Chosen organizations received 2 emails
1. Notification letter, timeline for response and unique link to submit via OCR’s online portal
2. Additional request to provide a listing of the entity’s BAs, and information re: an upcoming OCR webinar to explain the desk audit process
• All documentation must be current as of the date of the request
• Entities had 10 business days, until July 22, 2016, to respond to the document requests
• Critical that documentation accurately reflects the program
• Desk audits of business associates will follow this fall
One Shot! Had to be Super Ready
And It’s Not Just The Audits… What About Complaints?
From 2013-2014 – increase of 4,805 complaints per year!
Look How Easy It Is
Sample Data Request Letter
HIPAA Complaint
1. Complaint
2. Breach Notice
3. SAG HITECH Action
4. FTC Action
5. Whistleblower
6. State Action (e.g., DHCS)
7. OCR Audit
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html
Avoid the following…
[Flowchart of the OCR complaint process]
Complaint → Intake & Review
• Possible Privacy Rule or Security Rule Violation → Investigation → Resolution
• Possible Criminal Violation → DOJ (accepted by DOJ)
Intake & Review may close the complaint where:
• The violation did not occur after April 14, 2003
• Entity is not covered by the Privacy Rule
• Complaint was not filed within 180 days and an extension was not granted
• The incident described in the complaint does not violate the Privacy Rule
RESOLUTION
• OCR finds no violation
• OCR voluntary compliance, corrective action, or other agreement
• OCR issues formal finding of violation
And, Please Do Not Forget OIG’s “Internal Audit” Role
Strengthen your Oversight
2. Where Are The Gaps in Compliance
And, then there were 41… 11 so far in 2016
Organizations Struggling with Basic Risk Analysis
HHS “Wall Of Shame”
7.9%
• Inadequate workforce access controls
• Inadequate policies & procedures
• Inadequate training
• Inadequate or inconsistent sanctions
• Inadequate safeguards (e.g. disposal)
Covered Entities On “Wall of Shame”
• Hospitals
• Community Clinics
• Specialty Clinics
• Mental Health Clinics
• State Health Plans
• Private Practices
• Research Organizations
• Medical Centers
• Life Insurance
• Emergency Responders
• Health Systems
• Health Plans
• Employee Health Plans
• Dental Practices
• Physician Networks
• University Clinics/Hospitals
Business Associates On “Wall of Shame”
• Consultants
• Plan Administrators
• Social Services
• Transcription Companies
• Collection Services
• Medical Management
• Revenue Cycle Mgmt
• Disease Management
• Outsourced Computing
• Other CEs
3. What To Do About It?
Requirements Selected for Desk Audit Review
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
Focus
OCR’s Portal – Risk Analysis
Risk Analysis
1) Upload documentation of current risk analysis results.
2) Consistent with §164.316(b)(ii)(iii), upload documentation from the previous calendar year demonstrating that documentation related to the implementation of this implementation specification is available to the persons responsible for implementing this implementation specification and that such documentation is periodically reviewed and, if needed, updated.
3) Consistent with §164.316(b)(i), upload documentation demonstrating that policies and procedures related to the implementation of this implementation specification were in place and in force six (6) years prior to the date of receipt of notification.
4) Upload policies and procedures regarding the entity’s risk analysis process.
5) Upload documentation of the current risk analysis and the most recent prior risk analysis.
OCR’s Portal – Risk Management
Risk Management
1) Upload documentation demonstrating that security measures to reduce risks as the result of the current risk analysis or assessment have been implemented.
2) Consistent with §164.316(b)(i), upload documentation demonstrating that policies and procedures related to the implementation of this implementation specification were in place and in force six (6) years prior to the date of receipt of notification.
3) Upload documentation demonstrating the efforts used to manage risks from the previous calendar year.
4) Upload policies and procedures regarding the entity’s risk management process.
5) Upload documentation demonstrating that current and ongoing risks are reviewed and updated.
6) Consistent with §164.316(b)(ii)(iii), upload documentation from the previous calendar year demonstrating that documentation related to the implementation of this implementation specification is available to the persons responsible for implementing this implementation specification and that such documentation is periodically reviewed and, if needed, updated.
OCR’s Portal – Notice of Privacy Practices & Content Requirements
Notice of Privacy Practices
1) Upload a copy of all notices posted on the website and within the facility, as well as the notice distributed to individuals, in place at the end of the previous calendar year.
OCR’s Portal – Provision of Notice – Electronic Notice
Provision of Notice
1. Upload the URL for the entity web site and the URL for the posting of the entity notice, if any.
2. If the entity provides electronic notice, upload policies and procedures regarding provision of the notice electronically.
3. Upload documentation of an agreement with the individual to receive the notice via e-mail or other electronic form.
OCR’s Portal – Right to Access
Right to Access
1) Upload all documentation related to the first five access requests which were granted, and evidence of fulfillment, in the previous calendar year.
2) Upload all documentation related to the last five access requests for which the entity extended the time for response to the request.
3) Upload any standard template or form letter required by or used by the CE to document access requests.
4) Upload notice of privacy practices.
5) Upload policies and procedures for individuals to request and obtain access to protected health information (PHI).
OCR’s Portal – Timeliness of Notification
Timeliness of Notification
1) Using sampling methodologies, upload documentation of five breach incidents for the previous calendar year affecting fewer than 500 individuals, documenting the date individuals were notified, the date the covered entity discovered the breach, and the reason, if any, for the delay in notification.
OCR’s Portal – Content of Notification
Content of Notification
1) If the entity used a standard template or form letter, upload the document.
2) Using sampling methodologies, upload documentation of five breach incidents affecting 500 or more individuals for the previous calendar year.
3) Upload a copy of a single written notice sent to individuals for each breach incident.
Do Your Homework…
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
Safeguards – Administrative Requirements § 164.530(c)
(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
(2) (i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
Safeguards – Audit Procedures
• Has the covered entity implemented administrative, technical, and physical safeguards to protect all PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart?
• Does the covered entity reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure?
• Obtain and review policies and procedures to determine if appropriate administrative, technical, and physical safeguards are in place.
• Obtain and review documentation of specific safeguards in place from all three categories to reasonably protect the PHI. Such documentation may include, but is not limited to, policies and procedures, photographic or documentary documentation of physical and technical safeguards, and statements from privacy and security officials.
Workforce Access To PHI – Minimum Necessary § 164.514(d)(2)
Standard: minimum necessary requirements
i. A covered entity must identify:
A. Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and
B. For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.
ii. A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.
Workforce Access To PHI – Audit Procedures
• Has the covered entity implemented policies and procedures consistent with the requirements of the established performance criterion to identify need for and limit use of PHI?
• Obtain and review policies and procedures for limiting access to PHI. Elements to consider include, but are not limited to:
• Criteria for determining what level of access a person or class of persons will need
• Criteria for modifying, reviewing, or terminating an individual’s access
• Efforts to limit access consistent with the needs and conditions described for each person or class of persons
• Whether the policies and procedures take into account access to both PHI and ePHI.
• Obtain and review the access of a sample of workforce members with access to PHI for their corresponding job title and description to determine whether the access is consistent with the policies and procedures.
• NOTE: The rule requires that the class/job functions that need to use or disclose PHI be determined and the information be limited to what is needed for that job classification.
Sanctions – Administrative Requirement § 164.530(e)
(1) Standard. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart.
(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any.
Sanctions – Audit Procedures
• Does the covered entity apply appropriate sanctions against members of the workforce who fail to comply with the privacy policies and procedures of the entity or the Privacy Rule?
• Obtain and review policies and procedures to determine if the entity has and applies sanctions consistent with the established performance criterion.
• Obtain and review documentation of the application of sanctions to a sample of workforce members to determine whether appropriate sanctions were applied. (Note: OCR is not looking for violations in order to take enforcement action; we are restricting our analysis to whether appropriate sanctions consistent with the entity policies have been applied.)
Tiered Approach to Sanctions
• Nature of the incident informs severity of sanctions:
• Was the violation unintentional? Or intentional?
• What was the motivation?
• Was this the employee’s first violation?
• What was the content of the PHI disclosed?
• Was there further disclosure or not?
• What was done to mitigate further disclosure?
• Examples of Sanctions
• Additional Training or Counseling
• Verbal Warning
• Note in Personnel File
• Suspension without Pay
• Reassignment or Demotion
• Termination
Maintain sufficient flexibility in your Policy to allow for undefined situations
Apply consistently
Complaints – Administrative Requirements §164.530(d)(1)-(2)
1. Standard. A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part.
2. Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any.
Complaints – Audit Procedures
• Has the covered entity documented all complaints received and their disposition consistent with the performance criteria?
• Obtain and review a sample of documentation of complaints for consistency with the established performance criterion.
OCR Complaint Insider Tips
• If you receive a complaint, do due diligence and investigate allegations
• Keep written records
• Make contact with your OCR investigator
• Know where your policies and procedures reside
• Read the complaint thoroughly
• Respond to each request in the data request letter
• Even if you do not have something in place, say that and show other ‘reasonable and appropriate’ safeguards
OCR Complaint Insider Tips
• If you have questions, or need technical assistance, reach out to your investigator
• Remember, OCR does not represent the Complainant
• If you need additional time to respond to the Complaint, request that from your investigator
• Don’t wait until the last minute
OCR Complaint Insider Tips
• When drafting your response, keep everything in numbered order, per the data request letter
• Don’t staple every individual item
• Follow up once you submit your response to ensure delivery
• If you haven’t heard from your investigator for a while once you have already confirmed delivery, follow up
• But be aware, there are a very limited number of investigators
Clearwater HIPAA and Cybersecurity BootCamp™
Take Your HIPAA Privacy and Security Program to a Better Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater HIPAA and Cybersecurity BootCamp™ distills into one action-packed day, the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events… Three, 3hr sessions:
• November 3rd, 10th, 17th – 2016
• February 9th, 16th, 23rd – 2017
• May 4th, 11th, 18th – 2017
• August 4th, 11th, 18th – 2017
Other Upcoming Clearwater Events
Visit ClearwaterCompliance.com for more info!
November 9, 2016 – Complimentary Webinar: How to Implement a Strong Proactive Business Risk Management Program
November 16, 2016 – Complimentary Webinar: How to Conduct a NIST-based Risk Assessment to Comply with HIPAA & Other Regulations
November 21, 2016 – Complimentary Webinar: How to Conduct an OCR-Quality Risk Analysis to Comply with HIPAA and Other Regulations
December 1, 2016 – Complimentary Webinar: How to Conduct a HIPAA Security Compliance Self Audit
Partner Webinars
Enhance Efforts to Improve Cyber Security
For AHA Members – Tuesday, November 8, 2016, 12:00 PM CST - 01:00 PM CST
KLAS Reports: Security Advisory Services 2016 – Which Firms Are Helping Providers Sleep at Night?
A Complimentary Webinar from healthsystemCIO.com – Coming Tuesday, Nov. 29 @ 12:00 PM ET
Visit ClearwaterCompliance.com for more info!