HIPAA Audits and the New Audit Protocol: Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance (PowerPoint presentation)


SLIDE 1

HIPAA Audits and the New Audit Protocol

Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance

Presenting a live 90-minute webinar with interactive Q&A

TUESDAY, FEBRUARY 5, 2013

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Sarah E. Swank, Principal, Ober | Kaler, Washington, D.C.
Dianne J. Bourque, Member, Mintz Levin Cohn Ferris Glovsky and Popeo, Boston
Joshua J. Freemire, Attorney, Ober | Kaler, Baltimore

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 2

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-328-9525 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

SLIDE 3

FOR LIVE EVENT ONLY

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the word balloon button to send

SLIDE 4

HIPAA Audits

Strafford Webinar, February 4, 2013

Sarah E. Swank, OBER | KALER
Josh J. Freemire, OBER | KALER
Dianne Bourque, MINTZ LEVIN

SLIDE 5

Today’s Discussion

• Audit protocol
• Preparing for an audit
• Responding to a letter
• Hot topics and vulnerabilities
• Questions

SLIDE 6

Office for Civil Rights Overview

• Ensuring Federal financial assistance recipients comply with the national civil rights laws, such as those relating to discrimination based on race, color, national origin, disability and age
• Enforcing requirements and investigating complaints under the Health Insurance Portability and Accountability Act of 1996 (PL 104-191) (HIPAA) and its accompanying regulations
• Enforcing Federal Health Care Provider Conscience Rights
• Certifying Medicare applications for compliance with the national civil rights laws

SLIDE 7

OCR’s Roles and Responsibilities

• Investigate complaints
• Conduct compliance reviews
• Provide technical assistance
• Conduct outreach

SLIDE 8

OCR Complaint Form (Not required)

• Your name
• Full address
• Telephone numbers
• E-mail address (if available)
• Name, full address and telephone number of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
• Brief description of what happened: how, why, and when you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
• Any other relevant information
• Your signature and date of complaint
SLIDE 9

HIPAA Audits

• Section 13411 of the HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards
• OCR engaged a professional public accounting firm (KPMG LLP) to conduct performance audits

SLIDE 10

HIPAA Audits

• Process:
  • Letter
  • Documents
  • On site
  • Draft report
  • Review of report
  • Final report
• Results are not published
• Long term care included in the 20 entities audited
• Waiting on information about the next wave of audits

SLIDE 11

HIPAA Audits

• Privacy Rule
  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures
• Security Rule
  • Administrative, physical, and technical safeguards
• Breach Notification Rule

SLIDE 12

So, What is the HIPAA Audit Program?

• The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.
• HHS implemented this requirement through a 115-audit pilot program conducted by KPMG.
• Pilot Program Audits began in November of 2011 and ran through December of 2012.

SLIDE 13

What is the HIPAA Audit Program?

• The initial Audit Program (AP) began with a tentative protocol and test audits of 20 entities.
• Following the 20-audit sample, the Audit Protocol was finalized and the remaining 95 audits were conducted.
• While full results remain under analysis and have not yet been published, OCR representatives have spoken with regard to initial results.

SLIDE 14

Why Is HIPAA Audit Preparation Important?

• The HIPAA Audits are not intended to serve as an enforcement tool. They are intended to identify and correct compliance deficiencies.
• As we will discuss in more detail later, an auditor’s discovery of an error or issue will most likely lead to a simple recommendation for corrective action.
• They can, however, lead to enforcement where auditors discover an especially grievous situation.
• HIPAA is generally unconcerned with your intent: while it may affect penalties, a violation or Breach is a violation or Breach even if you mean no harm (though the penalties may be harsher for intentional conduct).

SLIDE 15

Why Is This Important?

• HIPAA violations, however discovered, can lead to substantial penalties and burdensome Corrective Action Plans. Just in the recent past:
  • MEEI, an eye and ear hospital, paid $1.5 million and agreed to on-site independent compliance monitoring for 3 years
  • A Massachusetts hospital settled a HIPAA investigation by paying over one million dollars and agreeing to extensive on-site compliance monitoring for the next 3 years
  • A Maryland organization was penalized $4.3 million for failing to comply with HIPAA Privacy Rule requirements and cooperate with government investigators
  • UCLA was fined nearly $100,000 after its employees improperly accessed medical records on Michael Jackson and Farrah Fawcett

SLIDE 16

Who Can be Audited?

• Every covered entity and business associate is eligible for an audit
• Selections in the initial round were designed to provide a “broad assessment” of the health care industry
• OCR selects the entities that were (and will be) audited. OCR has promised to audit “as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses…”

SLIDE 17

Understanding HIPAA Audits

• First, things that are not the point:
  • An audit is NOT an investigation
  • Audits are random by design: an audit does NOT indicate that a complaint has been filed or that OCR harbors any suspicions or preconceptions of wrongdoing
  • Audits are NOT intended to be confrontational
  • With proper preparation, audits should NOT be a painful process

SLIDE 18

Understanding HIPAA Audits

• OCR views the audits as a way to improve provider knowledge and compliance, and to encourage best practices.
• As it has explained, “Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.”
• Though it hasn’t happened yet, OCR intends to “broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.”

SLIDE 19

How Does it Work?

• Providers are notified by letter (confirming the letter’s authenticity is a good start…).
• Audits entail a document review AND a site visit.
• The letter will provide substantial notice of the site audit (between 30 and 90 days, according to OCR) but will offer less time to return requested documentation: 10 days.

SLIDE 20

How Does it Work?

• Provided documentation will be reviewed prior to the site visit
• During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance.
• Following the site visit, auditors will develop and share with the entity a draft report.

SLIDE 21

How Does it Work?

• Audit reports (which have not been made public) generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings.
• Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified.
• The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.
SLIDE 22

What Are OCR’s Expectations?

• Remember: Audits are NOT an enforcement tool
• OCR “expects covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.”
• Prompt and complete cooperation

SLIDE 23

Audit Results

• No public report (yet) but discussed at the NIST conference.
• A webcast of that presentation can be viewed here: http://www.nist.gov/itl/csd/hipaa-security-conference-2012-webcast.cfm
• Unsurprisingly, a wide variety of compliance errors and shortfalls, across a wide variety of subjects.

SLIDE 24

Audit Results

• Generally, smaller entities had more issues than larger entities.
• For all entities, Security Rule compliance problems were more of an issue than Privacy Rule compliance problems.
• Security Rule issues often reflected IT issues:
  • User activity monitoring;
  • Authentication and system integrity;
  • User access permissions; and
  • Media reuse/destruction

SLIDE 25

Will There be More?

• There will certainly be more audits. The question is WHEN?
• HHS and OCR are obligated to analyze the pilot program; that analysis may not even have begun.
• Audits in 2013 appear unlikely, but appearances can be deceiving.
• A good offense is your best defense

SLIDE 26

Preparing for an OCR Audit

• Don't wait until you get one of these

SLIDE 27

Preparing for an OCR Audit

• Use the Audit Protocol to Review Your Existing Program
• The audit protocol covers Privacy Rule requirements for:
  1. Notice of privacy practices for PHI
  2. Rights to request privacy protection for PHI
  3. Administrative requirements
  4. Uses and disclosures of PHI
  5. Access of individuals to PHI
  6. Amendment of PHI, and
  7. Accounting of disclosures
• The protocol covers Security Rule requirements for administrative, physical, and technical safeguards
• The protocol covers requirements for the Breach Notification Rule

SLIDE 28

Preparing for an OCR Audit

• Example: one row of the audit protocol

Section: §164.308
Established Performance Criteria: §164.308(a)(1): Security Management Process; §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, ...
Key Activity: Conduct Risk Assessment
Audit Procedure: Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability
Implementation Specification: Required
HIPAA Compliance Area: Security

SLIDE 29

Conducting a Self Audit

• Regular self audits should be part of your compliance program
• Don’t rely on a dusty binder of policies and procedures as your evidence of compliance
• At least annually, review your program (in particular security) and document this review
• OCR has been clear that you are out of compliance with the regulation if you are not reviewing and updating your program on an annual basis.

SLIDE 30

Policies Addressing Privacy

• This process will be different depending on whether you are a business associate or a covered entity
• The details will be different depending on what type of covered entity you are (a health plan versus a provider)
• Review policies, procedures and FORMS as well as indicators of an active program, such as incident logs, training sign-in sheets, etc.

SLIDE 31

Policies Addressing Privacy

• Sample activities:
  • Notice of Privacy Practices: it’s going to be reviewed and the auditors will be confirming that all required elements are addressed
  • Policies and procedures for delivering and confirming receipt of the Notice will be reviewed
  • Policies and procedures for making the Notice available upon request will be reviewed
  • OCR will confirm whether or not documentation of delivery of Notices has been maintained for 6 years as required by the rule

SLIDE 32

Policies Addressing Privacy

• Sample activities:
  • Access to PHI: formal and informal policies for confirming access to PHI will be reviewed.
  • Management will be questioned regarding an individual’s right of access
  • The Notice will be reviewed for information regarding the access right

SLIDE 33

Policies Addressing Security

• Sample Activities
  • Access Control: OCR will review the list of individuals with credentials to initiate emergency access procedures and evaluate whether or not these individuals have the qualifications and training to carry out their responsibilities with respect to ePHI.

SLIDE 34

Policies Addressing Security

• Sample Activities
  • Workstation Use: OCR will evaluate whether or not a process exists for identifying workstations by type and location and whether workstations are classified based on capabilities, connection and allowable activities.

SLIDE 35

Policies Addressing Breach Notification

• Sample Activities
  • Risk Assessment: OCR will evaluate whether or not a risk assessment process exists for determining the risk of harm in the event of a breach
  • NOTE: They will be looking for a new risk assessment following September 23, 2013

SLIDE 36

Policies Addressing Breach Notification

• Sample Activities
  • Notice to Individuals: OCR will ask about the process for identifying and contacting next of kin if necessary in the event of a breach. OCR will also ask about the process for providing notice when there is insufficient or out-of-date contact information.

SLIDE 37

Other Issues

• Your Privacy and Security Officers should not be the only members of the workforce who can address these issues
• OCR will interview management to confirm that all levels of the organization are focused on compliance
• Document informal compliance efforts, such as security reminders, privacy newsletters, supplemental training, etc.
• Post Omnibus Rule: audit preparation won’t change, but the content of your policies and procedures will
• Review and update your program regularly, at least annually, or you are out of compliance
• OCR has been clear that audit findings may prompt enforcement in the future

SLIDE 38

New HIPAA Rule

• New Omnibus Privacy Rule published January 25, 2013
• Compliance Date is September 23, 2013
  • Breach standard
  • Business associates
  • Notice of Privacy Practices
  • Access
  • Decedents
  • Research
• New audit protocol

SLIDE 39

New Technologies, New Focus

• Recent OCR enforcement trends have focused heavily on mobile technology
• Entities have been faulted for a lack of policies and procedures directly addressing mobile tech tracking, authentication, and security (including, especially, encryption)
• Existing audit results show that compliance in technology areas is already a problem area for many smaller entities

SLIDE 40

Time to Reevaluate

• The new Omnibus Rule will require many entities to reexamine their existing policies, procedures, business associate agreements, and physical and electronic safeguards.
• This is an ideal time to perform self-audits and examine enterprise compliance from an auditor’s perspective.
• For larger entities, professional “pressure testing” or “penetration testing” of electronic systems may be warranted.

SLIDE 41

Reevaluation Steps

• Document, document, DOCUMENT!
• Auditors will engage in some personnel interviews, BUT the primary examples of your organizational compliance will be documentation
• Every decision should follow documented deliberations and, where appropriate, risk assessments and cost/benefit analysis

SLIDE 42

Reevaluation Steps

• Remember, decisions NOT to take a certain step (especially addressable security standards, such as encryption) must be at least as well documented as decisions to implement a particular process or procedure.
• In (unfortunate) reality, entities should document every decision NOT to implement a certain security measure as though they were defending that decision, because they may be asked to do precisely that
• Documentation should be organized, precise, and ACCESSIBLE. If you can’t find it, you don’t have it
SLIDE 43

Culture of Awareness

• The new Omnibus Rule also provides an excellent opportunity to review organizational education.
• Organizational compliance activities are only as strong as the weakest link: a breach cannot be timely addressed if an employee fails to report it, for instance, and extensive mobile device security procedures mean little if they are ignored in practice.
• Entities should “keep their eyes peeled” for OCR announcements, including, especially, promised guidance on the “best practices” identified in the AP and new guidance interpreting and applying the new Omnibus Rule.

SLIDE 44

HIPAA TIPS

• Ensure issues are immediately reported within the organization
• Involve counsel when appropriate; counsel advises and directs the investigation and maintains privilege
• Understand when you have a breach vs. an incident
• Understand your reporting obligations
• Educate staff, management and leadership
• Create role based access
• Understand state law requirements

SLIDE 45

Common HIPAA Vulnerabilities

• Paper files
• Flash drives
• Laptops
• Social media
• EHR
• Review of your own or others’ information
• Safeguards not in place (e.g., white boards, ER, elevator conversation)

SLIDE 46

HIPAA/HITECH Enforcement

SLIDE 47

Mobile Devices

• Who owns the devices
• Are personal devices used at work registered
• Virtual Private Network (VPN) to exchange information
• Back up PHI on servers
• Remote wipe of devices
• Policy and procedures
• Training

SLIDE 48

Curiosity Killed the Cat

• In 2007, George Clooney was admitted to the Palisades Medical Center in New Jersey after a motorcycle accident
• 27 employees looked, including physicians and nurses
• Information was leaked to the press
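As an added example that is not part of the original deck, the script below shows the kind of user activity monitoring the audit results (SLIDE 24) called out as a common Security Rule gap, applied to the snooping pattern on this slide and to the “review of your own or others’ information” vulnerability on SLIDE 45. It reviews an EHR chart-access log against a care-team roster and flags three things: a workforce member opening a chart with no documented treatment or payment relationship, a workforce member opening their own chart, and a chart opened by an unusual number of distinct users in a short window (the celebrity case). The log format, the roster, the staff-to-patient mapping and the 24-hour/3-user threshold are all constructed assumptions for illustration, not any EHR vendor’s real schema:

```python
"""Added example: reviewing EHR access logs for workforce snooping.

Constructed sample data only; the log format, roster and thresholds are
assumptions for illustration, not any vendor's real schema.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample (not real data): one chart access per line.
SAMPLE_LOG = """\
timestamp,user,mrn,action
2013-02-01T08:02:11,rn_alvarez,MRN1001,VIEW_CHART
2013-02-01T08:05:40,dr_chen,MRN1001,VIEW_CHART
2013-02-01T08:07:03,clerk_patel,MRN1001,VIEW_CHART
2013-02-01T08:09:15,rn_alvarez,MRN2002,VIEW_CHART
2013-02-01T09:30:00,billing_kim,MRN1001,VIEW_BILLING
2013-02-01T10:00:00,tech_jones,MRN3003,VIEW_CHART
"""

# Constructed care-team roster: (user, mrn) -> (start, end) of the period in
# which that user had a documented treatment/payment relationship with the patient.
CARE_TEAM = {
    ("rn_alvarez", "MRN1001"): ("2013-02-01T07:00:00", "2013-02-02T07:00:00"),
    ("dr_chen", "MRN1001"): ("2013-02-01T00:00:00", "2013-02-03T00:00:00"),
    ("billing_kim", "MRN1001"): ("2013-02-01T00:00:00", "2013-02-28T00:00:00"),
}

# Constructed mapping of workforce members who are also patients of the entity.
WORKFORCE_MRN = {"tech_jones": "MRN3003"}


def parse_log(text):
    """Parse the CSV audit log into dicts with a datetime under 'ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def in_relationship(user, mrn, ts, care_team):
    """True if the roster documents a relationship covering the access time."""
    window = care_team.get((user, mrn))
    if window is None:
        return False
    start, end = (datetime.fromisoformat(x) for x in window)
    return start <= ts <= end


def find_unauthorized_views(events, care_team=CARE_TEAM, workforce_mrn=WORKFORCE_MRN):
    """Flag accesses with no documented relationship, and self-access by staff.

    Each finding is the original event plus a 'reason' for the reviewer.
    """
    findings = []
    for e in events:
        if workforce_mrn.get(e["user"]) == e["mrn"]:
            findings.append({**e, "reason": "self-access"})
        elif not in_relationship(e["user"], e["mrn"], e["ts"], care_team):
            findings.append({**e, "reason": "no treatment relationship"})
    return findings


def find_access_bursts(events, threshold=3, window=timedelta(hours=24)):
    """Flag charts opened by more than `threshold` distinct users within `window`.

    This is the pattern behind the celebrity cases: many staff with no role in
    the patient's care all open the same chart shortly after admission.
    Returns [(mrn, distinct_user_count), ...] for charts over the threshold.
    """
    by_mrn = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_mrn[e["mrn"]].append(e)
    bursts = []
    for mrn, evs in by_mrn.items():
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) > threshold:
                bursts.append((mrn, len(users)))
                break
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_unauthorized_views(evs):
        print(f"{f['timestamp']} {f['user']} -> {f['mrn']} ({f['action']}): {f['reason']}")
    for mrn, n in find_access_bursts(evs):
        print(f"{mrn}: opened by {n} distinct users within 24h, review for snooping")
```

On the sample data the relationship check flags the clerk and the nurse’s second chart as having no documented relationship and the technician as self-access, while the burst check flags MRN1001 because four distinct users opened it within the window. Treat these as a review queue, not verdicts: consults, float staff and emergency (“break the glass”) access are legitimate reasons that the roster may not capture, which is also why the roster itself has to be kept current as part of access authorization, or the monitoring silently degrades.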

SLIDE 49

HIPAA TIPS

Who is responsible speaks volumes.

SLIDE 50

HIPAA TIPS

• Investigate
• Discipline Workforce
• Mitigate
• Document
• Notify

SLIDE 51

Culture of Compliance

• Compliance involves active engagement of leadership within an organization
• A successful compliance program includes:
  • Employee training
  • Vigilant implementation of policies and procedures
  • Regular internal audits
  • Prompt action plan to respond to incidents
  • Analyze, evaluate, and correct potential risk areas

SLIDE 52

OCR Resources

SLIDE 53

Questions?

Sarah E. Swank, Principal, Ober | Kaler, Washington, DC, (202) 326-5003, seswank@ober.com
Josh J. Freemire, Ober | Kaler, (410) 347-7676, jjfreemire@ober.com
Dianne Bourque, Member, Mintz Levin, Boston, MA, (617) 348-1614, DJBourque@mintz.com