HIPAA COMPLIANCE AUDITS & OCR UPDATE Presentation to LHIMA - - PowerPoint PPT Presentation



SLIDE 1

HIPAA COMPLIANCE AUDITS & OCR UPDATE

Presentation to LHIMA April 2016 By Mariela Twiggs, MS, RHIA, CHP, FAHIMA

SLIDE 2

AGENDA

  • OCR’s Task List
  • OCR’s Guidance
  • OCR’s Enforcement Activities
  • Phase 2 Audits
  • Preparation
  • Workforce Training
SLIDE 3

OCR Completed Tasks

  • Omnibus Final Rule
  • CLIA Final Rules
  • Model Notices of Privacy Practices
  • Sample BA Provisions
  • Guide to Privacy & Security of Electronic Health Information (Version 2)

  • Developer Portal
  • Redesigned Website
  • Access Guidance & FAQs (more to come)
  • Updated Audit Protocols
SLIDE 4

OCR Task List

  • HITECH Act
  • Accounting of Disclosures
  • Methods for sharing penalty amounts with harmed individuals

  • Omnibus Final Rule
  • Breach Safe Harbor Update
  • Breach Risk Assessment Tool
  • Minimum Necessary Update
  • More on Marketing
  • Security Rule Guidance Updates
  • Privacy & Security Safeguards for Precision Medicine Initiative

SLIDE 5

OCR Guidance

  • Access (2016)
  • Business Associates (2003)
  • Clinical Laboratory Improvement Amendments (CLIA) (2014)
  • Decedents (also FAQs)
  • De-Identification
  • Emergency Response (2014) (also decision tool & FAQs)
  • Genetic Information (GINA)
  • Government Access (2003)
  • Health Information Technology (Privacy & Security Framework for Electronic Exchange of Individually Identifiable Health Information)
  • HIV & HIPAA
  • Incidental Uses & Disclosures (2002)
  • Law Enforcement
  • Marketing (2003) & Marketing: Refill Reminders
  • Minimum Necessary (2003)
  • National Instant Criminal Background Check System (NICS) (2016)
  • Notice of Privacy Practices (2003) & Model Notices (2014)
  • Patient Safety Confidentiality & PSQIA
  • Personal Representatives (recently updated)
  • Public Health (2003)
  • Research (2013)
  • Same Sex Marriage (Defense of Marriage Act - DOMA)
  • Student Immunizations (also FAQs)
  • Substance Abuse Treatment Programs
  • Uses & Disclosures for Treatment, Payment or Healthcare Operations (2003)
  • Workers’ Compensation Laws (2003)
  • Workplace Wellness Programs

SLIDE 6

Complaints to OCR (to Feb. 2016)

128,937 Privacy Rule Complaints (96% closed; 4% open)

  • 19% (24,126) Corrective Action
  • Others open, no violation, not enforceable or early intervention

940 Security Rule Complaints (67% closed) - 2015 data

568 Referrals to Dept. of Justice for criminal investigations

SLIDE 7

Top 5 Entity Types & Issues

  • Entity Type
    1) Private Practices
    2) General Hospitals
    3) Outpatient Facilities
    4) Pharmacies
    5) Health Plans
  • Issues
    1) Impermissible Use/Disclosure of PHI
    2) Lack of Safeguards of PHI
    3) Lack of Patient Access to PHI
    4) Use or Disclosure of More than Minimum Necessary of PHI
    5) Lack of Administrative Safeguards of Electronic PHI

SLIDE 8

Recent OCR Settlements

1. Feinstein Institute for Medical Research (Manhasset, NY) - $3.9 million - 13,000 patients - laptop stolen from an employee’s car (2016)
2. North Memorial Health Care (Robbinsdale, MN) - $1.55 million - 9,497 patients - unencrypted, password-protected laptop was stolen from a business associate’s locked vehicle (2016)
3. P.T., Pool & Land Physical Therapy, Inc. (Los Angeles) - $25,000 - numerous patients - impermissible disclosure of PHI when it posted patient testimonials, including full names and photos, to its website without patient authorizations (2016)
4. Lincare (ntl. home health agency) - $239,800 - 278 patients - employee left records behind after moving residences (2016) - CMP, not RA
5. Univ. of WA Med - $750,000 - failed to implement P&Ps to prevent, detect, contain, and correct security violations - inadequate Risk Analysis (2015)
6. Triple S (San Juan, PR) - $2.5M - widespread noncompliance - investigated after multiple breach notifications (2015)
7. Lahey Med. Ctr. (Burlington, MA) - $850,000 - 599 patients - stolen laptop connected to PACS system - widespread noncompliance with Security Rule (2015)
8. Cancer Care Group (Indiana) - $750,000 - 55,000 patients - stolen laptop & media with no encryption, no risk analysis & no P&Ps (2015)
9. St. Elizabeth Medical Center (Brighton, MA) - $218,400 - 500 patients - workforce members submitted complaint regarding poor safeguards of Internet-based document sharing application & flash drive/laptop breaches (2015)
10. Cornell Prescription Pharmacy (Denver) - $125,000 - 1,610 patients - news media reported medical records in dumpster accessible to public (2015)

Total: $28,239,200 to Feb. 2016 (31 RAs & 2 CMPs)

SLIDE 9

Key Changes to Audit Program

  • Main focus shifts from On-Site to Desk Audits, BUT
  • 10 - 25 on-site full compliance audits are projected following desk audits
  • Complaints will still trigger full investigations, in addition to investigations of entities where serious compliance issues are uncovered by desk audits
  • FCI Federal Inc. contracted for data security audits
  • Audits previously outsourced - now internal, except security
  • Program was delayed for creation of reporting portal & updating of audit protocols to include Omnibus changes
  • Budget increased by $4 million in 2016
  • State privacy laws & rules will not be considered
SLIDE 10

Timelines & Audited Entities

  • Covered Entities & Business Associates
  • 200 CEs (providers, health plans & clearinghouses) in Round 1 (letters in May)
  • 50 Business Associates in Round 2 (letters in June or July)
  • Emailed requests for contact/address verification in March (to CEs)
  • Currently distributing Pre-Audit Questionnaires (at least 500): http://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201405-0945-002&icID=211635
  • Along with request of Business Associates List: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html
  • Selection of CEs is a sampling based on size, type, public/private, single/multi, geography and affiliations
  • Entities currently involved with OCR enforcement excluded
  • Selection of BAs to come from CE lists
  • Primarily technology-related
  • If selected, written notification via email explaining process & documentation requests

SLIDE 11

Focus of Desk Audits

  • Privacy Rule Audit
    • Notice of Privacy Practices
    • Patient’s Right to Access
  • Breach Notification Audit
    • Breach Notification Policy
    • Breach Notifications to Patients
    • Instances where Breach Risk Assessment concluded no breach
    • Timeline from discovery to notification
  • Security Rule Audit
    • Security Risk Analysis/Assessment
    • Risk Management Plan
  • Business Associate Audit
    • Security Risk Analysis/Assessment
    • Risk Management Plan
    • Breach Notification to CEs (include all above regarding Breach Notification)

SLIDE 12

Timelines Cont’d

  • Audited Entities have 10 business days to respond via portal
  • Documentation must be digital and current as of the date of the request (little to no weight given to documents dated after the request date)
  • Auditors cannot contact the audited entity to ask for clarification
  • Items submitted after the deadline may not be reviewed
  • Auditors prepare draft findings within 10 days
  • CE can return comments
  • Auditors prepare final report within 30 days
  • Failure to respond may lead to referral for full compliance review
  • OCR will analyze & aggregate data to develop tools & guidance to assist with compliance self-evaluation & breach prevention
  • List of audited entities or findings won’t be posted, but OCR must comply with Freedom of Information Act requests

SLIDE 13

Onsite Audits & Audit Protocols

  • Onsite audits will be scheduled by email notification
  • 3 - 5 days dependent upon size
  • Will use newly released audit protocols: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
  • Redline of old to new protocol: http://www.dwt.com/files/Uploads/Documents/Advisories/CompareAuditProtocol1.pdf
  • Auditors prepare draft findings within 10 days
  • CE can return comments
  • Auditors prepare final report within 30 days
SLIDE 14

Preparation

  • Review 2016 guidance/FAQs and all P&Ps regarding patient access, in addition to your BA P&Ps regarding access.
  • All instances where access was denied will be reviewed.
  • Make sure the AOD database is up-to-date and can extract data regarding patient & patient-directed requests (charges & fulfillment time).
  • Review “everything breach”: policies, procedures, breach risk assessments, breach notifications to patients, & staff sanctions policy.
  • Make sure every incident has a corresponding breach risk assessment.
  • Make sure OCR reporting is up-to-date (60 days for large breaches; 60 days + year’s end for small breaches < 500 patients).
  • Make sure Security Risk Assessment & Risk Management plans are up-to-date.
  • Risk analysis must not only identify the gaps, but also:
    • Identify the location of all PHI
    • What the threats to that PHI are
    • How the PHI is vulnerable to impermissible use and disclosure
    • What those risk levels are
    • Is periodically updated
    • Includes corrective actions for gaps identified
  • Have a template ready listing BAs with contact info.
  • Audit BAs: start with questionnaires.
  • Prepare your workforce.
SLIDE 15

Workforce Training & Resources

  • Initial comprehensive, then annual training
  • Systematic workflow
  • Documentation
  • Ongoing privacy & security tips
  • Employee Newsletters
  • Technology Applications
  • OCR YouTube videos: https://www.youtube.com/user/USGovHHSOCR
  • Competency Testing
  • AHIOS CRIS Test
  • HITNOTS.com Quizzes
  • Retraining for privacy & security incidents
SLIDE 16

Questions: mtwiggs@mrocorp.com

Resources (white papers, articles & blogs) at www.mrocorp.com

THANK YOU!