Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Size: px

Start display at page:

Download "Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c."

Anastasia Lucas
6 years ago
Views:

the Sample(s) Requested and Inquire of Management requests for the full on-site audits Discuss approaches to

by OCR 2 Privacy Rule: Notice of Privacy Practices & Content Requirements 164.520(a)(1) Right to notice 164.

1 Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits Discuss approaches to demonstrating HIPAA compliance for an audit Consider types of technical assistance that could be developed by OCR 2 Privacy Rule: Notice of Privacy Practices & Content Requirements (a)(1) Right to notice (b)(1) Required elements of the Notice of Privacy Practices Privacy Rule: Provision of Notice Electronic Notice (c)(3) The requirements for the electronic notice 3 HIPAA COW Spring Conference

2 Privacy Rule: Right to Access (a)(1) Access to protected health information (b)(1) Individual s request for access and timely action by the covered entity (b)(2) Timely action by the covered entity (c)(2) Form of access requested (c)(3) Time and manner of access (c)(4) Fees (d)(1) Making other information accessible (d)(3) Other responsibilities 4 Breach Notification Rule: Content of Notification (c)(1) Content requirements of breach notifications Breach Notification Rule: Timeliness of Notification (b) Timescale for issuing breach notifications 5 Security Rule: Security Management Process Risk Analysis (a)(1)(ii)(A) Accurate and thorough organization wide risk assessments Security Rule: Security Management Process Risk Management (a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level 6 HIPAA COW Spring Conference

7 Desk Audits underway 166 Covered Entities 43 Business Associates Don t expect Desk Audits aggregate results before September 2017 (6 months) On-site audits of both CEs and BAs in 2017, AFTER

3 7 Desk Audits underway 166 Covered Entities 43 Business Associates Don t expect Desk Audits aggregate results before September 2017 (6 months) On-site audits of both CEs and BAs in 2017, AFTER completion of the desk audit process 8 HIPAA Privacy = 48 times = Sample(s) requested HIPAA Privacy = 18 times = Inquiry of management Breach Notification = 12 times= Sampling Breach Notification = 5 times = Inquiry of management HIPAA Security = 100 times = Obtain and review documentation demonstrating 9 HIPAA COW Spring Conference

4 Samples Requested Personal Representatives recognized 2. Personal Representatives not recognized 3. Confidential Communications requested 4. Confidential Communications - accepted 5. Business Associate Contracts - language 6. Business Associate Contracts - subcontractor 7. Business Associate Contracts material breach 8. Consent for uses and disclosures 9. Authorizations for uses and disclosures is required Compound authorizations exceptions 11. Prohibition on conditioning of authorizations 12. Uses and disclosures authorization required core elements 13. Uses and disclosure for facility directory 14. Uses and disclosures for public health activities to employer 15. Uses and disclosures for health oversight activities 16. Uses and disclosures for health oversight activities - exception 12 HIPAA COW Spring Conference

5 17. Disclosures for judicial and administrative proceedings 18. Disclosures for law enforcement purposes court orders, subpoenas, discovery requests 19. Disclosures for law enforcement purposes for identification and location 20. Disclosures for law enforcement purposes PHI of a possible victim of a crime 21. Disclosure for law enforcement purposes reporting crime in emergencies Uses and disclosures about decedents 23. Uses and disclosures for cadaveric organ, eye or tissue donation 24. Uses and disclosures for specialized government functions correctional institutions 25. Uses and disclosures for specialized government functions providing public benefits 26. Disclosures for workers compensation Minimum Necessary Uses of PHI 28. Minimum Necessary Disclosures of PHI 29. Minimum Necessary Requests for PHI 30. Minimum Necessary Other content requirement 31. Limited Data Sets - Data Use Agreements 32. Limited Data Sets 33. Uses and disclosures for Fundraising 34. Verification Requirements 15 HIPAA COW Spring Conference

6 35. Provisions of Notice Health Plans 36. Provisions of Notice Certain Covered Health Care Providers acknowledgement 37. Provisions of Notice - timely 38. Documentation retention of notice 39. Right of an individual to request restriction of uses and disclosures 40. Terminating a restriction 41. Confidential communications requirements Denial of Access 43. Accepting the Amendment 44. Denying the Amendment 45. Content of the Accounting 46. Privacy Training 47. Complaints to the Covered Entity 48. Sanctions 17 Obtain and review a SAMPLE of business associate agreements. Evaluate whether the agreements are consistent with the established performance criterion entity-established POLICIES AND PROCEDURES. 18 HIPAA COW Spring Conference

7 INQUIRE OF MANAGEMENT as to whether any business associate arrangements involved onward transfers of PHI to additional business associates and subcontractors. If yes, review a SAMPLE of business associate agreements between the covered entity and such business associates for provisions requiring subsequent BAs/subcontractors to provide adequate assurances. 19 Has the covered entity come into the knowledge of a pattern or practice of the business associate that constituted a material breach of violation of the BA s obligation? If so, obtain documentation of covered entity response and evaluate against the established performance criterion. Use of SAMPLING procedures may be appropriate. 20 Obtain and review a SAMPLE of workforce members with access to PHI for their corresponding job title and description to determine whether the access is consistent with the policies and procedures. 21 HIPAA COW Spring Conference

8 Obtain and review a SAMPLE of protocols for disclosures made on a routine and recurring basis and determine if such protocols limit to the PHI to what is reasonably necessary to achieve the purpose of the disclosure, as required by 514(d)(3). 514(d)(3) Minimum Necessary Disclosures of PHI 22 Obtain and review a SAMPLE of requests made on a routine and recurring basis and determine if they are limited to the PHI reasonably necessary to achieve the purpose of the disclosure, as required by (d)(4). 514(d)(4) Minimum Necessary Requests for PHI 23 Inquiry of Management 24 HIPAA COW Spring Conference

9 1. Health plan use or disclosure of genetic information 2. Deceased individuals 3. Personal Representatives 4. Confidential Communications 5. Uses and disclosures consistent with NPP 6. Disclosures by workforce members who are victims of a crime 7. Business Associate Agreements how identified and engaged Subcontractors of Business Associates 9. Covered Entities with multiple covered functions (e.g., combination of a health plan and health care provider) restrict use and disclosure to the function being performed 10. Permitted uses and disclosure for TPO 11. Use and disclosures for research purposes 12. Notice transmission failures 13. Right to access 14. Right to access template or form letter Denial of access 16. Denial of access reviewable grounds 17. Denial of access review process 18. Personnel designation 27 HIPAA COW Spring Conference

10 Does the covered entity enter into business associate contracts as required? Do these contracts contain all required elements? INQUIRE OF MANAGEMENT how the entity identifies and engages business associates. 28 Sampling Complaints to covered entity 2. Sanctions of workforce members 3. Risk Assessments resulting in low probability of compromise 4. Risk Assessments resulting in compromise 5. Risk Assessment - regulatory exception applied 6. Risk Assessment PHI was not unsecured (rendered unusable, unreadable through use of technology) 30 HIPAA COW Spring Conference

7. Breach Notifications sent to individuals 8. Breach Notifications by alternative means 9. Breach Notification involving over 500 Notification to Secretary 10.

11 7. Breach Notifications sent to individuals 8. Breach Notifications by alternative means 9. Breach Notification involving over 500 Notification to Secretary 10. Breach Notification involving under 500 Notification to Secretary 11. Breach Notifications when Business Associate had the breach 12. Delay in notification due to law enforcement 31 Obtain a list of risk assessments, if any, conducted within the specified period where the covered entity determined there was a low probability of compromise to the PHI. Use SAMPLING methodologies to select documentation of risk assessments to assess whether the risk assessments were completed in accordance with (2). 32 Inquiry of Management 33 HIPAA COW Spring Conference

12 1. Administrative Requirements 2. Timeliness of Notifications 3. Content of Notification 4. Content of Notification format 5. Method of Notifications 34 Were individuals notified of breaches within the required time period? INQUIRE of management. 35 Obtain and review documentation demonstrating 36 HIPAA COW Spring Conference

13 1. Security violations and remediation actions 2. Latest written risk analysis 3. Prior risk analysis or two most recent written updates to the risk analysis or other record 4. Implementing appropriate security measures in response to results of risk analysis or assessment 5. Sanctions against workforce members 6. Information system activity review Key information systems capabilities and use of generated activity records 8. Assigned Security Official and responsibilities 9. Access granted to workforce members correlate with their job function/duties 10. Management review of workforce members access 11. How access requests to information systems are processed 12. How access requests to locations are processed Proper authorization of workforce members in accordance with established lines of authority 14. Clearance process prior to granting workforce members access 15. Terminations of access 16. Changes in access levels 17. Granting access paperwork 18. Newly hired granting access 19. Access reviewed 20. Modifications of access to information systems 39 HIPAA COW Spring Conference

14 21. Security awareness and training program 22. Security awareness and training program provided to entire organization and made available to independent contractors and BAs 23. How periodic security updates are conducted 24. Periodic updates are accessible and communicated 25. Procedures for guarding against, detecting, and reporting malicious software are included in security awareness and training program 26. Procedures are in place to guard against, detect, and report malicious software Workforce members that should be trained on procedures to guard against, detect, and report malicious software 28. Workforce members that were trained on malicious software 29. Procedures to monitor log-in attempts and report discrepancies 30. Workforce members and role types who should be trained on procedures for monitoring log-in attempts and reporting discrepancies 31. Procedure for creating, changing, and safeguarding passwords Training on creating, changing, and safeguarding passwords 33. Security incident P&Ps are implemented responding to, reporting, and mitigating security incidents 34. Security incident outcomes are properly documented and communicated 35. Contingency plan is implemented 36. How data is backed up 42 HIPAA COW Spring Conference

15 37. Data backup and restoration tests 38. Disaster recovery plan includes restoring any loss of data 38. Continuation of critical business processes for the protection of the security of ephi while operating in emergency mode 39. Data restore tests and test results 40. Contingency plans have been approved, reviewed and updated on a periodic basis Revisions of contingency plan 42. Contingency plan tests and related results 43. Identification of critical ephi applications and their assigned criticality levels 44. How ephi applications (data applications that store, maintain or transmit ephi) are identified 45. Periodic technical and non-technical evaluations 46. Technology change control/management and documentation of major technology changes with risk management and risk mitigation efforts 47. Business Associate agreements have security requirements Workforce members with authorized physical access to electronic systems and facilities 49. Procedures for granting individual access to entity facility 50. Visitor physical access to electronic information systems and facility where it is housed 51. Contingency operation procedures currently implemented 52. Contingency operation procedures are tested 53. Facility security plan procedures implemented 45 HIPAA COW Spring Conference

16 54. Facility access controls and validation procedures - visitors 55. Control of access to software program for modification and revision 56. Facility and software access control and validation procedures are implemented 57. Records of repairs and modifications to physical security components 58. Inventory of locations and types of workstations 59. Workstation classification 60. Workstation use P&P implemented Workstation security P&P implemented 62. Movement of hardware and electronic media containing ephi into, out of and within the facility 63. Type of security controls implemented for the facility in, out, and within movements of workforce members assigned hardware and electronic media that contain ephi. 64. How disposal of hardware, software, and ephi data is completed, managed and documented 65. How the sanitization of electronic media is completed, managed, and documented Media re-use procedures being implemented and how ephi has been removed from electronic media 67. A record of movements of hardware and electronic media and person responsible 68. How ephi data is backed up for equipment being moved to another location 69. How ephi data backups from moved equipment are stored 70. Restoration of ephi data backups for moved equipment 48 HIPAA COW Spring Conference

17 71. Implementation of access controls for electronic information systems that maintain ephi 72. A list of new workforce members from the electronic information system who was granted access to ephi 73. Access levels granted to default, generic/shared, and service accounts 74. Periodic reviews of procedures related to access controls have been conducted 75. Terminations and job transfers user access levels were removed or modified timely; Assignment, creation, and use of unique user IDs in electronic information systems for user 77. Workforce members with authority to initiate emergency access procedures 78. Implementation of automatic logoff 79. ephi being encrypted and decrypted 80. Risk-based audit controls have been implemented over all electronic information systems that contain or use ephi 81. Implementation of hardware, software and/or procedural mechanisms to record and examine activity Processes in place to protect ephi from improper alteration or destruction 83. Electronic mechanisms are implemented to authenticate ephi 84. Implementation of authentication procedures for persons or entities seeking access to ephi 85. Implementation of technical security measures to protect electronic transmissions of ephi 86. Implementation of security measures to protect electronic transmissions of ephi 51 HIPAA COW Spring Conference

18 87. Encrypted mechanism is implemented to encrypt ephi 88. Electronically transmitted ephi is encrypted 89. Standard business associate contract template(s) 90. Approval process when deviations affecting the implementation of safeguards to protect ephi are considered 91. Business associates have reported security incidents of which it was aware, including breaches of unsecured PHI Plan documents provide that the plan sponsor will reasonably and appropriately safeguard ephi created, received, maintained or transmitted to or by the plan sponsor on behalf of the group health plan 93. Plan documents of the group health plan requires the sponsor to implement administrative, physical, and technical safeguards 94. Plan documents of the group health plan ensures adequate separation between the group health plan and the plan sponsor Policies and procedures are being maintained 96. Action, activity or assessment that is required by the Security Rule 97. Policies and procedures are being maintained for six (6) years from the date of its creation or the date when it last was in effect 98. An action, activity, or assessment is being maintained for six (6) years 99. Security Rule Policies and procedures are made available to the workforce members responsible for implementing the pertaining procedures 54 HIPAA COW Spring Conference

19 100. Policies and Procedures are reviewed and updated on a periodic basis 55 Example: System Access Policy and Procedure 45 CFR (a)(3)(i) Workforce Security Administrative 45 CFR (a)(3)(ii)(A) Authorization and/or Supervision Administrative 45 CFR (a)(3)(ii)(B) Workforce Clearance Procedures Administrative 45 CFR (a)(3)(ii)(C) Termination Procedures Administrative 45 CFR (a)(4)(i) Information Access Management Administrative 45 CFR (a)(4)(ii)(B) Access Authorization Administrative 45 CFR (a)(4)(ii)(C) Access Establishment and Modification Administrative 45 CFR (a)(5)(ii)(D) Password Management Administrative 45 CFR (b) Workstation Use Physical 45 CFR (c) Workstation Security Physical 45 CFR (a)(1) Access Control Technical 45 CFR (a)(2)(i) Unique User Identification Technical 45 CFR (a)(2)(iii) Automatic Logoff Technical 45 CFR (d) Person or Entity Authentication Technical 56 HIPAA Privacy Gap Analysis HIPAA Breach Notification Process Review HIPAA Security Risk Analysis HIPAA COW Risk Assessment Tool ONC Risk Assessment Tool Mock Audits 57 HIPAA COW Spring Conference

20 Develop organization s HIPAA roadmap Create a way to easily access the policies/procedures that address each HIPAA Rule expectation (and support decision-making, as possible) Communication Plan: Who on audit team? Communication to senior leadership Communication from senior leadership Organizational charts, work-flow, data-flow 58 OCR Cyber Newsletter, Understanding the Importance of Audit Controls (January 2017) OCR Guidance for Ensuring Accessibility of Health Programs and Activities offered through Information Technology (December 2016) OCR and DOJ Guidance Letter for Child Welfare Systems (October 2016) OCR Guidance on HIPAA and Cloud Computing (October 2016) 59 Upcoming Guidance / FAQs Privacy and Security for All of Us (PMI) research program Text messaging Social Media Use of CEHRT & compliance with HIPAA Security Rule (w/onc) RA/CMP Process Update of existing FAQs to account for Omnibus and other recent developments Minimum necessary Source: OCR presentation at HCCA 2017 Compliance Institute 60 HIPAA COW Spring Conference

21 61 Catherine Boerner, JD, CHC Boerner Consulting, LLC New Berlin, WI (414) Heather Fields, JD, CHC, CCEP-I 1000 North Water Street, Suite 1700 Milwaukee, WI (414) HIPAA COW Spring Conference

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400