HIPAA COMPLIANCE AUDITS & OCR UPDATE Presentation to LHIMA April 2016 By Mariela Twiggs, MS, RHIA, CHP, FAHIMA
AGENDA • OCR’s Task List • OCR’s Guidance • OCR’s Enforcement Activities • Phase 2 Audits • Preparation • Workforce Training
OCR Completed Tasks • Omnibus Final Rule • CLIA Final Rules • Model Notices of Privacy Practices • Sample BA Provisions • Guide to Privacy & Security of Electronic Health Information (Version 2) • Developer Portal • Redesigned Website • Access Guidance & FAQs (more to come) • Updated Audit Protocols
OCR Task List • HITECH Act Accounting of Disclosures Methods for sharing penalty amounts with harmed individuals • Omnibus Final Rule Breach Safe Harbor Update Breach Risk Assessment Tool Minimum Necessary Update More on Marketing • Security Rule Guidance Updates • Privacy & Security Safeguards for Precision Medicine Initiative
OCR Guidance Access (2016) Business Associates (2003) Clinical Laboratory Improvement Amendments (CLIA) (2014) Decedents (also FAQs) De‐Identification Emergency Response (2014) (also decision tool & FAQs) Genetic Information (GINA) Government Access (2003) Health Information Technology (Privacy & Security Framework for Electronic Exchange of Individually Identifiable Health Information) HIV & HIPAA Incidental Uses & Disclosures (2002) Law Enforcement Marketing (2003) & Marketing: Refill Reminders Minimum Necessary (2003) National Instant Criminal Background Check System (NICS) (2016) Notice of Privacy Practices (2003) & Model Notices (2014) Patient Safety Confidentiality & PSQIA Personal Representatives (recently updated) Public Health (2003) Research (2013) Same Sex Marriage (Defense of Marriage Act‐ DOMA) Student Immunizations (also FAQs) Substance Abuse Treatment Programs Uses & Disclosures for Treatment, Payment or Healthcare Operations (2003) Workers’ Compensation Laws (2003) Workplace Wellness Programs
Complaints to OCR (to Feb. 2016) 128,937 Privacy Rule Complaints (96% closed; 4% open) 19% (24,126) Corrective Action Others open, no violation, not enforceable or early intervention 940 Security Rule Complaints (67% closed)‐ 2015 data 568 Referrals to Dept. of Justice for criminal investigations
Top 5 Entity Types & Issues • Entity Type 1) Private Practices 2) General Hospitals 3) Outpatient Facilities 4) Pharmacies 5) Health Plans • Issues 1) Impermissible Use/Disclosure of PHI 2) Lack of Safeguards of PHI 3) Lack of Patient Access to PHI 4) Use or Disclosure of More than Minimum Necessary of PHI 5) Lack of Administrative Safeguards of Electronic PHI
Recent OCR Settlements 1. Feinstein Institute for Medical Research (Manhasset, NY)‐ $3.9 million‐ 13,000 patients‐ laptop stolen from an employee’s car (2016) 2. North Memorial Health Care (Robbinsdale, MN)‐ $1.55 million‐ 9,497 patients‐ unencrypted, password‐protected laptop was stolen from a business associate’s locked vehicle (2016) 3. P.T., Pool & Land Physical Therapy, Inc. (Los Angeles)‐ $25,000‐ numerous patients‐ impermissible disclosure of PHI when it posted patient testimonials, including full names and photos, to its website without patient authorizations (2016) 4. Lincare (ntl. home health agency)‐ $239,800‐ 278 patients‐ employee left records behind after moving residences (2016) CMP‐ not RA 5. Univ. of WA Med‐ $750,000‐ failed to implement P&Ps to prevent, detect, contain, and correct security violations‐ inadequate Risk Analysis (2015) 6. Triple S (San Juan, PR)‐ $2.5M‐ widespread noncompliance‐ investigated after multiple breach notifications (2015) 7. Lahey Med. Ctr. (Burlington, MA)‐ $850,000‐ 599 patients‐ stolen laptop connected to PACS system‐ widespread noncompliance with Security Rule (2015) 8. Cancer Care Group (Indiana)‐ $750,000‐ 55,000 patient‐ stolen laptop & media with no encryption, no risk analysis & no P&Ps (2015) 9. St. Elizabeth Medical Center (Brighton, MA)‐ $218,400‐ 500 patients‐ workforce members submitted complaint regarding poor safeguards of Internet‐based document sharing application & flash drive/laptop breaches (2015) 10. Cornell Prescription Pharmacy (Denver)‐ $125,000‐ 1610 patients‐ News media reported medical records in dumpster accessible to public (2015) 31 RAs & 2 CMPs $28,239,200 to Feb. 2016
Key Changes to Audit Program • Main focus shifts from On‐Site to Desk Audits, BUT 10 – 25 on‐site full compliance audits are projected following desk audits Complaints will still trigger full investigations in addition to investigations of entities where serious compliance issues are uncovered by desk audits FCI Federal Inc. contracted for data security audits • Audits previously outsourced – now internal except security • Program was delayed for creation of reporting portal & updating of audit protocols to include Omnibus changes • Budget increased by $4 million in 2016 • State privacy laws & rules will not be considered
Timelines & Audited Entities • Covered Entities & Business Associates 200 CEs (providers, health plans & clearinghouses) in Round 1 (letters in May) 50 Business Associates in Round 2 (letters in June or July) • Emailed requests for contact/address verification in March (to CEs) • Currently distributing Pre‐Audit Questionnaires at (least 500) http://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201405‐0945‐ 002&icID=211635 • Along with request of Business Associates List http://www.hhs.gov/hipaa/for‐professionals/compliance‐ enforcement/audit/batemplate/index.html • Selection of CEs a sampling based on size, type, public/private, single/multi, geography and affiliations Entities currently involved with OCR enforcement excluded • Selection of BAs to come from CE lists Primarily technology‐related • If selected, written notification via email explaining process & documentation requests
Focus of Desk Audits • Privacy Rule Audit Notice of Privacy Practices Patient’s Right to Access • Breach Notification Audit Breach Notification Policy Breach Notifications to Patients Instances where Breach Risk Assessment concluded no breach Timeline from discovery to notification • Security Rule Audit Security Risk Analysis/Assessment Risk Management Plan • Business Associate Audit Security Risk Analysis/Assessment Risk Management Plan Breach Notification to CEs (include all above regarding Breach Notification)
Timelines Cont’d • Audited Entities have 10 business days to respond via portal • Documentation must be digital and current to date of request (little to no weight given to docs dated >date on request) • Auditors cannot contact ask for clarification • Items submitted after deadline may not be reviewed. • Auditors prepare draft findings within 10 days • CE can return comments • Auditors prepare final report within 30 days • Failure to respond may lead to referral for full compliance review. • OCR will analyze & aggregate data to develop tools & guidance to assist with compliance self‐evaluation & breach prevention • List of audited entities or findings won’t be posted, but they must comply with Freedom of Information Act requests
Onsite Audits & Audit Protocols • Onsite audits will be scheduled by email notification • 3 – 5 days dependent upon size • Will use newly released audit protocols http://www.hhs.gov/hipaa/for‐ professionals/compliance‐ enforcement/audit/protocol‐current/index.html • http://www.dwt.com/files/Uploads/Documents/Ad visories/CompareAuditProtocol1.pdf (redline of old to new) • Auditors prepare draft findings within 10 days • CE can return comments • Auditors prepare final report within 30 days
Preparation • Review 2016 guidance/FAQs and all P&Ps regarding patient access in addition to your BA P&Ps regarding access. All instances where access was denied will be reviewed. • Make sure AOD database is up‐to‐date and can extract data regarding patient & patient‐directed requests (charges & fulfillment time) • Review “everything breach”‐ policies, procedures, breach risk assessments, breach notifications to patients, & staff sanctions policy. Make sure every incident was has a corresponding breach risk assessment. Make sure OCR reporting is up‐to‐date. (60 days for large breaches; 60 days + year’s end for small breaches < 500 patients) • Make sure Security Risk Assessment & Risk Management plans up‐to date. • Risk analysis must not only identify the gaps, but also: Identify the location of all PHI; What the threats to that PHI are; How the PHI is vulnerable to impermissible use and disclosure; What those risk levels are; Is periodically updated; and Includes corrective actions for gaps identified • Have a template ready listing of BAs with contact info • Audit BAs‐ start with questionnaires. • Prepare your workforce.
Workforce Training & Resources • Initial comprehensive, then annual training Systematic workflow Documentation • Ongoing privacy & security tips Employee Newsletters Technology Applications • OCR You Tube videos https://www.youtube.com/user/USGovHHSOCR • Competency Testing AHIOS CRIS Test HITNOTS.com Quizzes • Retraining for privacy & security incidents
Recommend
More recommend
