Presenting a live 90-minute webinar with interactive Q&A HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance TUESDAY, FEBRUARY 5, 2013 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific Today’s faculty features: Sarah E. Swank, Principal, Ober | Kaler , Washington, D.C. Dianne J. Bourque, Member, Mintz Levin Cohn Ferris Glovsky and Popeo , Boston Joshua J. Freemire, Attorney, Ober | Kaler , Baltimore The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10 .
Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-328-9525 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
FOR LIVE EVENT ONLY For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps: In the chat box, type (1) your company name and (2) the number of • attendees at your location Click the word balloon button to send •
HIPAA Audits 4 4 Strafford Webinar February 4, 20 13 S a r a h E . S w a n k , O B E R | K A L E R J o s h J . F r e e m i r e , O B E R | K A L E R D i a n n e B o u r q u e , M I N T Z L E V I N
Today’s Discussion 5 Audit protocol Preparing for an audit Responding to a letter Hot topics and vulnerabilities Questions
Office for Civil Rights Overview 6 6 Ensuring Federal financial assistance recipients comply with the national civil rights laws, such as those relating to discrimination based on race, color, national origin, disability and age Enforcing requirements and investigating complaints under the Health Insurance Portability and Accountability Act of 1996 (PL 104-191) (HIPAA) and its accompanying regulations Enforcing Federal Health Care Provider Conscience Rights Certifying Medicare applications for compliance with the national civil rights laws
OCRs Roles and Responsibilities 7 7 Investigate complaints Conduct compliance reviews Provide technical assistance Conduct outreach
8 8 OCR Complaint • Your name Form • Full address • Telephone numbers (Not required) • E-mail address (if available) • Name, full address and telephone number of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule • Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated • Any other relevant information • Your signature and date of complaint
HIPAA Audits 9 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards OCR engaged a professional public accounting firm (KPMG LLP) to conduct performance audits
HIPAA Audits 10 Process Letter Documents On site Draft report Review of report Final report Results are not published Long term care included in the 20 entities audited Waiting on information about the next waive of audits
HIPAA Audits 11 Privacy Rule Notice of privacy practices for PHI Rights to request privacy protection for PHI Access of individuals to PHI Administrative requirements Uses and disclosures of PHI Amendment of PHI Accounting of disclosures Security Rule Administrative, physical, and technical safeguards Breach Notification Rule.
So, What is the HIPAA Audit Program? 12 The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. HHS implemented this requirement through a 115 audit pilot program conducted by KPMG. Pilot Program Audits began in November of 2011 and ran through December of 2012.
What is the HIPAA Audit Program 13 The initial Audit Program (AP) began with a tentative protocol and test audits of 20 entities. Following the 20 audit sample, the Audit Protocol was finalized and the remaining 95 audits were conducted. While full results remain under analysis and have not yet been published, OCR representatives have spoken with regard to initial results.
Why Is HIPAA Audit Preparation Important? 14 The HIPAA Audits are not intended to serve as an enforcement tool. They are intended to identify and correct compliance deficiencies. As we will discuss in more detail later, an auditor's discovery of an error or issue will most likely lead to a simple recommendation for corrective action. They can, however, lead to enforcement where auditor’s discover an especially grievous situation. HIPAA is generally unconcerned with your intent – while it may affect penalties, a violation or Breach is a violation or Breach even if you mean no harm (though the penalties may be harsher for intentional conduct). 14
Why Is This Important 15 HIPAA violations, however discovered, can lead to substantial penalties and burdensome Corrective Action Plans. Just in the recent past: MEEI, a eye and ear hospital, paid $1.5 million and agreed to on site independent compliance monitoring for 3 years A Massachusetts hospital settled a HIPAA investigation by paying over one million dollars and agreeing to extensive on-site compliance monitoring for the next 3 years A Maryland organization was penalized $4.3 million for failing to comply with HIPAA Privacy Rule requirements and cooperate with government investigators UCLA was fined nearly $100,000 after its employees improperly accessed medical records on Michael Jackson and Farah Fawcett 15
Who Can be Audited? 16 Every covered entity and business associate is eligible for an audit Selections in the initial round were designed to provide a “broad assessment” of the health care industry OCR selects the entities that were (and will be) audited. OCR has promised to audit “as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses…”
Understanding HIPAA Audits 17 First, things that are not the point: An audit is NOT an investigation Audits are random by design – an audit does NOT indicate that a complaint has been filed or that OCR harbors any suspicions or preconceptions of wrongdoing Audits are NOT intended to be confrontational With proper preparation, audits should NOT be a painful process
Understanding HIPAA Audits 18 OCR views the audits as a way to improve provider knowledge, compliance, and encourage best practices. As it has explained, “Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. Though it hasn’t happened yet, OCR intends to “broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.”
How Does it Work? 19 Providers are notified by letter (confirming the letter’s authenticity is a good start…). Audits entail a document review AND a site visit. Letter will provide substantial notice of site audit (between 30 and 90 days, according to OCR) but will offer less time to return requested documentation – 10 days.
How Does it Work? 20 Provided documentation will be reviewed prior to site visit During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report. practices of the entity.
How does it work? 21 Audit reports (which have not been made public) generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best
Recommend
More recommend
