Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare

Size: px

Start display at page:

Download "Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare"

Primrose Clarissa Hudson
5 years ago
Views:

1 Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare Rita Bowen, MA, RHIA, CHPS, SSGB In her role of Vice President of Privacy, HIM Policy and Education, Bowen ensures new and existing client HIM policies and procedures are at code and drives the development, implementation and maintenance of MRO s privacy and training programs. She also serves as the company s Privacy and Compliance Officer (PCO). Bowen has more than 40 years of experience in Health Information Management (HIM), holding a variety of HIM director and consulting roles. Most recently, she was Senior Vice President and Privacy Officer for HealthPort, Inc., now known as CIOX Health, and served as the Enterprise Director of HIM and Privacy Officer at Erlanger Health System. Bowen is an active member of the American Health Information Management Association (AHIMA) and has served as its President and Board Chair, as a member of the Board of Directors, and on the Council on Certification. She has been honored with AHIMA s Triumph Award in the mentor category; she is also the recipient of the Distinguished Member Award from the Tennessee Health Information Management Association (THIMA). Bowen is an established author and speaker on HIM topics and has taught HIM studies at Chattanooga State and the University of Tennessee Memphis. Bowen holds a Bachelor of Medical Science degree with a focus in medical record administration and a Master s degree in Health Information/ Informatics Management Technology. 23-1

Agenda 1. Brief Introduction to the OCR and HIPAA Enforcement 2. Discuss the latest updates from the OCR related to Phase 2 of the HIPAA Audit Program 3.

2 Agenda 1. Brief Introduction to the OCR and HIPAA Enforcement 2. Discuss the latest updates from the OCR related to Phase 2 of the HIPAA Audit Program 3. Share lessons learned from previous OCR audits and resolution agreements to help enhance your organization s overall compliance program 4. Provide best practices on how to prepare and respond to an OCR audit or an OCR investigation MRO Overview 2nd Largest ROI Provider 3,700 Locations 98% % #1 KLAS Client Retention Growth / Copyright MRO Corporation

3 HIPAA Enforcement Through HIPAA, the HHS/OCR is responsible for enforcing the Rules and it does so in several ways: Investigates complaints filed with it, Conducts compliance reviews of Covered Entities; Conducts Audits of Covered Entities and Business Associates Performs education and outreach to foster compliance with the HIPAA Privacy, Security, and Breach Notification Rules requirements, and Works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA HIPAA Enforcement Complaint - 45 CFR (a)-(b) Can be filed with the Secretary of HHS by anyone who feels that a Covered Entity (CE) or Business Associate (BA) violated theirs or someone s else s health information privacy rights or committed another violation of the HIPAA Privacy, Security, or Breach Notification Rules Sources: 45 CFR ;

4 HIPAA Enforcement pre - Omnibus Rule post Omnibus Rule How to determine whether an impermissible use or disclosure of PHI constitutes a Breach The impermissible use or disclosure of PHI is a Breach if such use or disclosure poses a significant risk of financial, reputational, or other harm to the individual. The impermissible use or disclosure of PHI is presumed to be a Breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment 7 HIPAA Enforcement Breach Notification If an impermissible use Breach Timeline Requirements of disclosure of PHI is determined to be a Breach, CEs must provide notification of the Breach to affected individuals, the Secretary of HHS (The Secretary), state entities (under applicable state law) and, in certain Without unreasonable delay and in no case Must be provided no later than N/A circumstances, later than 60 days following to the discovery media 60 days after the end of the Breach Type To the Individual To the Secretary To the Media If Breach affects < 500 individuals of the Breach calendar year in which the Breach was discovered If Breach affects > 500 individuals Without unreasonable delay and in no case later than 60 days following the discovery of the Breaches Without unreasonable delay and in no case later than 60 days following the discovery of the Breaches Without unreasonable delay and in no case later than 60 days following the discovery of the Breaches 8 Sources: 45 CFR

HIPAA - WALL OF SHAME https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf 9 Sources: 45 CFR 160.300 160.316; 164.400-414 http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.

5 HIPAA - WALL OF SHAME 9 Sources: 45 CFR ; Resolution of Complaints / Investigations If the evidence indicates that the CE was not in compliance, OCR will attempt to resolve the case by obtaining one or more of the following: Voluntary Compliance Corrective Action Resolution Agreement Civil Money Penalties (CMPs) Sources: 45 CFR American Institute of CPAs 23-5

6 OCR Enforcement Results over 128,937 complaints 75,705 were deemed ineligible for OCR investigation 24,126 led to OCR investigations which resulted in corrective actions 12,505 resulted in OCR intervention and the provision of technical assistance, no other action American Institute of CPAs 10,955 investigations found no violations ~866 led to OCR compliance reviews 33 resulted in the application of corrective measures that included payment of a resolution amount in lieu of civil money penalties Resolution Agreements / CMPs Date Entity Resolution Amount CMPs 4/21/2016 New York Presbyterian Hospital $2,200,000 4/20/2016 Raleigh Orthopaedic Clinic, P.A. $750,000 3/17/2016 Feinstein Institute for Medical Research $3,900,000 3/16/2016 North Memorial Health Care $1,550,000 2/16/2016 P.T., Pool & Land Physical Therapy, Inc. $25,000 2/3/2016 Lincare, Inc. $239,800 12/14/2015 The University of Washington Medicine $750,000 11/30/2015 Triple-S Management Corporation $3,500,000 11/24/2015 Lahey Hospital and Medical Center $850,000 8/31/2015 Cancer Care Group, P.C. $750,000 6/10/2015 St. Elizabeth s Medical Center $218,400 4/22/2015 Cornell Prescription Pharmacy $125,000 12/2/2014 Anchorage Community Mental Health Services $150,000 6/23/2014 Parkview Health System, Inc. $800,000 5/7/2014 New York and Presbyterian Hospital and Columbia University $4,800,000 4/22/2014 Concentra Health Services $1,725,220 4/22/2014 QCA Health Plan, Inc. $250,000 3/7/2014 Skagit County, Washington $215,000 Copyright MRO Corporation

7 Resolution Agreements / CMPs Date Entity Resolution Amount CMPs 8/14/2013 Affinity Health Plan, Inc. $1,215,780 7/11/2013 WellPoint $1,700,000 6/13/2013 Shasta Regional Medical Center $275,000 5/23/2013 Idaho State University $400,000 12/31/201 Hospice of Northern Idaho $50, /17/2012 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and $1,500,000 Ear Associates, Inc. 6/26/2012 Alaska DHSS $1,700,000 4/13/2012 Phoenix Cardiac Surgery $100,000 3/13/2012 BCBST $1,500,000 7/6/2011 UCLA Health System $865,500 2/14/2011 General Hospital Corporation and Massachusetts General $1,000,000 Physicians Organization, Inc. 2/4/2011 Cignet Health of Prince George s County $4,300,000 12/3/2010 Management Services Organization Washington, Inc. $35,000 7/27/2010 Rite Aid Corporation $ Copyright MRO Corporation 2016 Top HIPAA Privacy and Security Rule Compliance Issues Identified by OCR 1. Impermissible uses and disclosures of PHI, 2. Lack of physical and technical safeguards of PHI, 3. Use or disclosure of more than the minimum necessary PHI 4. Lack of Patient Access; and 5. Lack of administrative safeguards of electronic PHI (ephi) Source:

8 Background on OCR HIPAA Audit Program HITECH Act requires that the OCR conduct periodic audits of CEs and BAs - Phase 1 of the HIPAA Audit Program focused to: 115 audits of Covered Entities Found that many of the participants lacked awareness of key Privacy and Security Rule requirements: - Notices of Privacy Practices - Patient Access - Risk Analyses on a regular basis - Secure disposal of media containing PHI Phase 2 of the OCR HIPAA Audit Program All CEs and BAs are eligible for an audit except for CEs or BAs who are involved in an ongoing OCR complaint investigation or compliance review New Audit Protocols released on April 4, 2016 NOTE: OCR has a 10 day turnaround time for all requested information!!! 23-8

9 Phase 2 of the OCR HIPAA Audit Program Launched on March 21, 2016 Contact verification s sent out around March 21, 2016 Audit Pre-Screening Questionnaires ed on or about April 4, Will be used to chose a diverse sampling of CEs and BAs that vary in size, type, corporate status, geography, and affiliations Plan is to conduct 200 audits of both CEs and BAs Phase 2 has 3 stages 1. Desk audits of CEs 2. Desk audits of BAs - Will most likely be technology-related BAs 3. On-site audits of both CEs and BAs Key Changes to Audit Program Main focus shifts from On-Site to Desk Audits, BUT o on-site full compliance audits are projected following desk audits o Complaints will still trigger full investigations in addition to entities where serious compliance issues are uncovered by desk audits o FCi Federal Inc. contracted for data security audits Audits previously outsourced now internal except security State privacy laws & rules will not be considered 23-9

10 Key Changes to Audit Program Program was delayed for creation of reporting portal & updating of audit protocols to include Omnibus changes Budget increased by $4 million in 2016 State privacy laws & rules will not be considered Phase 2 of the OCR HIPAA Audit Program First Stage will be conducted in May 2016 Chosen CEs will need to provide information about each of their BAs: - names, - type of services provided, - contact information for a first point of contact, - contact information for a second point of contact, and - website 23-10

11 Phase 2 of the OCR HIPAA Audit Program First Stage will be conducted in May 2016 Chosen CEs could be audited on: - Privacy Rule Compliance - Notice of Privacy Practices - Patient s Right to Access - Security Rule Compliance - Security Risk Analysis/Assessment - Risk Management Plan Phase 2 of the OCR HIPAA Audit Program First Stage will be conducted in May Breach Notification Rule Compliance - Breach Notification Policy - Breach Notifications to Patients - Instances where Breach Risk Assessment concluded no breach - Timeline from discovery to notification 23-11

12 Phase 2 of the OCR HIPAA Audit Program Second Stage will be conducted in June 2016 Chosen BAs could be audited on: - Security Risk Analysis/Assessment - Risk Management Plan - Breach Notification to CEs (include all above regarding Breach Notification) Phase 2 of the OCR HIPAA Audit Program Stage 3 will be conducted by the end of 2016 CEs and BAs will be chosen to participate in on-site audits via notification On-site audits will be comprehensive and will likely include a 3 5 day on-site visit by the OCR Will use newly released audit protocols Auditors prepare draft findings within 10 days/ce and BA can return comments Auditors prepare final report within 30 days 23-12

13 Updated Audit Protocols Lengthy but straightforward 89 Privacy Rule Audit Sections With many subsections 72 Security Rule Audit Sections With many subsections 19 Breach Rule Audit Sections American With Institute many of CPAs subsections \ Audit Timelines Audited Entities have 10 business days to respond via portal Documentation must be digital and current to date of request (little to no weight given to docs dated >date on request) Auditors cannot contact ask for clarification Items submitted after deadline may not be reviewed. Auditors prepare draft findings within 10 days CE can return comments 23-13

14 Audit Timelines Auditors prepare final report within 30 days Failure to respond may lead to referral for full compliance review. OCR will analyze & aggregate data to develop tools & guidance to assist with compliance self-evaluation & breach prevention List of audited entities or findings won t be posted, but they must comply with Freedom of Information Act requests Preparation Review 2106 guidance/faqa and all P&Ps regarding patient access in addition to your BA P&Ps regarding access Make sure AOD database is up-to-date and can extract data regarding patient & patient-directed requests (charges & fulfillment time) Review everything breach P&Ps, breach risk assessment/analysis, breach notifications to patients, and workforce sanctions policy 23-14

15 Preparation Make sure Security Risk Assessment and Risk Management plans are up-to date Risk analysis must not only identify the gaps, but also: o o o o o What the threats to that PHI are; How the PHI is vulnerable to impermissible use and disclosure; What those risk levels are; Is periodically updated; and Identify the location of all PHI; Include corrective actions for gaps identified Preparation Have a list of all BAs with contact info Audit BAs- start with questionnaires Prepare your workforce 23-15

16 Workforce Training/Resources Initial comprehensive, then annual training Systematic workflow Documentation Ongoing privacy & security tips Employee Newsletters Technology Applications OCR You Tube videos Competency Testing Retraining as required If you are contacted by the OCR Assemble your Response Team (or create one) Privacy and Security Officers Legal Risk Management Health Information Management Compliance Information Technology 3 American Institute of CPAs Copyright MRO \ Corporation

17 If you are contacted by the OCR Ask for any paperwork that the OCR might have Search warrants or inspection orders (if applicable) Copies of complaints List of what documents they are looking for Remember that everything submitted to the OCR pursuant to a investigation or audit is FOIA-able 3 American Institute of CPAs Copyright MRO \ Corporation 2016 Resources/Helpful Tools Administrative Safeguards HHS - Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework: HHS Guidance on Risk Analysis: ONC s Security Risk Assessment Tools: - Updated tools is due out any day now! HHS Security Rule Guidance Material:

Resources/Helpful Tools Minimum Necessary Rule HHS Guidance on the Minimum Necessary Requirement: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessaryrequirement/index.

18 Resources/Helpful Tools Minimum Necessary Rule HHS Guidance on the Minimum Necessary Requirement: Technical and Administrative Safeguards - HHS Guidance on Technical Safeguards: ve/securityrule/techsafeguards.pdf - HHS Guidance on Physical Safeguards: ve/securityrule/physsafeguards.pdf Thank You Copyright 2013 American Institute of CPAs. All rights reserved

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Marissa Gordon-Nguyen Office for Civil Rights (OCR) U.S. Department of Health and Human Services June