HIPAA Audits and the New Audit Protocol

Size: px

Start display at page:

Download "HIPAA Audits and the New Audit Protocol"

Alexis Malone
6 years ago
Views:

1 Presenting a live 90-minute webinar with interactive Q&A HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance TUESDAY, FEBRUARY 5, pm Eastern 12pm Central 11am Mountain 10am Pacific Today s faculty features: Sarah E. Swank, Principal, Ober Kaler, Washington, D.C. Dianne J. Bourque, Member, Mintz Levin Cohn Ferris Glovsky and Popeo, Boston Joshua J. Freemire, Attorney, Ober Kaler, Baltimore The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions ed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.

2 Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial and enter your PIN when prompted. Otherwise, please send us a chat or sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

3 FOR LIVE EVENT ONLY For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps: In the chat box, type (1) your company name and (2) the number of attendees at your location Click the word balloon button to send

4 HIPAA Audits 4 S t r a f f o r d W e b i n a r F e b r u a r y 4, S a r a h E. S w a n k, O B E R K A L E R J o s h J. F r e e m i r e, O B E R K A L E R D i a n n e B o u r q u e, M I N T Z L E V I N

5 Today s Discussion Audit protocol Preparing for an audit Responding to a letter Hot topics and vulnerabilities Questions 5

6 Office for Civil Rights Overview 6 Ensuring Federal financial assistance recipients comply with the national civil rights laws, such as those relating to discrimination based on race, color, national origin, disability and age Enforcing requirements and investigating complaints under the Health Insurance Portability and Accountability Act of 1996 (PL ) (HIPAA) and its accompanying regulations Enforcing Federal Health Care Provider Conscience Rights Certifying Medicare applications for compliance with the national civil rights laws

7 OCRs Roles and Responsibilities Investigate complaints Conduct compliance reviews Provide technical assistance Conduct outreach 7

8 8 OCR Complaint Form (Not required) Your name Full address Telephone numbers address (if available) Name, full address and telephone number of the person, agency or organization you believe violated your (or someone else s) health information privacy rights or committed another violation of the Privacy or Security Rule Brief description of what happened. How, why, and when do you believe your (or someone else s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated Any other relevant information Your signature and date of complaint

9 HIPAA Audits of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards OCR engaged a professional public accounting firm (KPMG LLP) to conduct performance audits 9

10 Process Letter HIPAA Audits Documents On site Draft report Review of report Final report Results are not published Long term care included in the 20 entities audited Waiting on information about the next waive of audits 10

11 Privacy Rule HIPAA Audits Notice of privacy practices for PHI Rights to request privacy protection for PHI Access of individuals to PHI Administrative requirements Uses and disclosures of PHI Amendment of PHI Accounting of disclosures Security Rule Administrative, physical, and technical safeguards Breach Notification Rule. 11

12 So, What is the HIPAA Audit Program? 12 The American Recovery and Reinvestment Act of 2009, in Section of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. HHS implemented this requirement through a 115 audit pilot program conducted by KPMG. Pilot Program Audits began in November of 2011 and ran through December of 2012.

13 What is the HIPAA Audit Program The initial Audit Program (AP) began with a tentative protocol and test audits of 20 entities. Following the 20 audit sample, the Audit Protocol was finalized and the remaining 95 audits were conducted. While full results remain under analysis and have not yet been published, OCR representatives have spoken with regard to initial results. 13

14 Why Is HIPAA Audit Preparation Important? 14 The HIPAA Audits are not intended to serve as an enforcement tool. They are intended to identify and correct compliance deficiencies. As we will discuss in more detail later, an auditor's discovery of an error or issue will most likely lead to a simple recommendation for corrective action. They can, however, lead to enforcement where auditor s discover an especially grievous situation. HIPAA is generally unconcerned with your intent while it may affect penalties, a violation or Breach is a violation or Breach even if you mean no harm (though the penalties may be harsher for intentional conduct). 14

15 Why Is This Important 15 HIPAA violations, however discovered, can lead to substantial penalties and burdensome Corrective Action Plans. Just in the recent past: MEEI, a eye and ear hospital, paid $1.5 million and agreed to on site independent compliance monitoring for 3 years A Massachusetts hospital settled a HIPAA investigation by paying over one million dollars and agreeing to extensive on-site compliance monitoring for the next 3 years A Maryland organization was penalized $4.3 million for failing to comply with HIPAA Privacy Rule requirements and cooperate with government investigators UCLA was fined nearly $100,000 after its employees improperly accessed medical records on Michael Jackson and Farah Fawcett 15

16 Who Can be Audited? 16 Every covered entity and business associate is eligible for an audit Selections in the initial round were designed to provide a broad assessment of the health care industry OCR selects the entities that were (and will be) audited. OCR has promised to audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses

17 Understanding HIPAA Audits First, things that are not the point: 17 An audit is NOT an investigation Audits are random by design an audit does NOT indicate that a complaint has been filed or that OCR harbors any suspicions or preconceptions of wrongdoing Audits are NOT intended to be confrontational With proper preparation, audits should NOT be a painful process

18 Understanding HIPAA Audits 18 OCR views the audits as a way to improve provider knowledge, compliance, and encourage best practices. As it has explained, Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR s ongoing complaint investigations and compliance reviews. Though it hasn t happened yet, OCR intends to broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.

19 How Does it Work? Providers are notified by letter (confirming the letter s authenticity is a good start ). Audits entail a document review AND a site visit. 19 Letter will provide substantial notice of site audit (between 30 and 90 days, according to OCR) but will offer less time to return requested documentation 10 days.

20 How Does it Work? Provided documentation will be reviewed prior to site visit During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report. practices of the entity. 20

21 How does it work? 21 Audit reports (which have not been made public) generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best

22 What Are OCR s Expectations? Remember Audits are NOT an enforcement tool 22 OCR expects covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule. Prompt and complete cooperation

23 Audits Results No public report (yet) but discussed at the NIST conference. A webcast of that presentation can be viewed here: Unsurprisingly, a wide variety of compliance errors and shortfalls, across a wide variety of subjects. 23

24 Audits Results Generally, smaller entities had more issues than larger entities. For all entities, Security Rule compliance problems were more of an issue than Privacy Rule compliance problems. Security Rule issues often reflected IT issues: User activity monitoring; Authentication and system integrity; User access permissions; and Media reuse/destruction 24

25 Will There be More? There will certainly be more audits. The question is WHEN? HHS and OCR obligated to analyze pilot program that analysis may not even have begun. 25 Audits in 2013 appear unlikely, but, appearances can be deceiving. A good offense is your best defense

26 Preparing for an OCR Audit Don't wait until you get one of these 26

27 Preparing for an OCR Audit 27 Use the Audit Protocol to Review Your Existing Program The audit protocol covers Privacy Rule requirements for 1. Notice of privacy practices for PHI 2. Rights to request privacy protection for PHI 3. Administrative requirements 4. Uses and disclosures of PHI 5. Access of individuals to PHI 6. Amendment of PHI, and 7. Accounting of disclosures The protocol covers Security Rule requirements for administrative, physical, and technical safeguards The protocol covers requirements for the Breach Notification Rule

28 Example Preparing for an OCR Audit 28 Section Established Performance Criteria (a)(1): Security Management Process (a)(1)(ii)(a) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity,... Key Activity Audit Procedure Implementation Specification Conduct Risk Assessment Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability Required HIPAA Compliance Area Security

29 Regular self audits should be part of your compliance program Don t rely on a dusty binder of policies and procedures as your evidence of compliance At least annually, review your program in particular security and document this review 29 OCR has been clear that you are out of compliance with the regulation if you are not reviewing and updating your program on an annual basis. Conducting a Self Audit

30 Policies Addressing Privacy 30 This process will be different depending on whether or not you are a business associate or covered entity The details will be different depending on what type of covered entity you are (a health plan versus a provider) Review policies, procedures and FORMS as well as indicators of an active program, such as incident logs, training sign-in sheets, etc.

31 Policies Addressing Privacy 31 Sample activities: Notice of Privacy Practices it s going to be reviewed and the auditors will be confirming that all required elements are addressed Policies and procedures for delivering and confirming receipt of the Notice will be reviewed Policies and procedures for making the Notice available upon request will be reviewed OCR will confirm whether or not documentation of delivery of Notices has been maintained for 6 years as required by the rule

32 Policies Addressing Privacy 32 Sample activities: Access to PHI Formal and informal policies for confirming access to PHI will be reviewed. Management will be questioned regarding an individual s right of access The Notice will be reviewed for information regarding the access right

33 Policies Addressing Security Sample Activities 33 Access Control OCR will review the list of individuals with credentials to initiate emergency access procedures and evaluate whether or not these individuals have the qualifications and training to carry out their responsibilities with respect to ephi.

34 Policies Addressing Security Sample Activities 34 Workstation Use OCR will evaluate whether or not a process exists for identifying workstations by type and location and whether workstations are classified based on capabilities, connection and allowable activities.

35 Policies Addressing Breach Notification 35 Sample Activities Risk Assessment OCR will evaluate whether or not a risk assessment process exists for determining the risk of harm in the event of breach NOTE They will be looking for a new risk assessment following September 23, 2013

36 Policies Addressing Breach Notification Sample Activities 36 Notice to Individuals OCR will ask about the process for identifying and contacting next of kin if necessary in the event of a breach. OCR will also ask about the process for providing notice when there is insufficient or out-of-date contact information.

37 Other Issues Your Privacy and Security Officer should not be the only members of the workforce who can address these issues OCR will interview management to confirm that all levels of the organization are focused on compliance Document informal compliance efforts, such as security reminders, privacy newsletters, supplemental training, etc. Post Omnibus Rule: Audit preparation won t change, but the content of your policies and procedures will 37 Review and update your program regularly - at least annually or you are out of compliance OCR has been clear that audit findings may prompt enforcement in the future

38 New HIPAA Rule New Omnibus Privacy Rule published January 25, 2013 Compliance Date is September 23, 2013 Breach standard Business associates Notice of Privacy Practice Access Decedents Research New audit protocol 38

39 New Technologies, New Focus 39 Recent OCR enforcement trends have focused heavily on mobile technology Entities have been faulted for a lack of policies and procedures directly addressing mobile tech tracking, authentication, and security (including, especially, encryption) Existing audit results compliance in technology areas already a problem area for many smaller entities

40 Time to Reevaluate The new Omnibus Rule will require many entities reexamine their existing policies, procedures, business associate agreements, and physical and electronic safeguards. This is an ideal time to perform self-audits and examine enterprise compliance from an auditor s perspective. For larger entities, professional pressure testing or penetration testing of electronic systems may be warranted. 40

41 Reevaluation Steps Document, document, DOCUMENT! Auditors will engage in some personnel interviews, BUT, the primary examples of your organizational compliance will be documentation Every decision should follow documented deliberations and, where appropriate, risk assessments and cost/benefit analysis 41

42 Reevaluation Steps 42 Remember, decisions NOT to take a certain step (especially addressable security standards, such as encryption) must be at least as well documented as decisions to implement a particular process or procedure. In (unfortunate) reality, entities should document every decision NOT to implement a certain security measure as though they were defending that decision because they may be asked to do precisely that Documentation should be organized, precise, and ACCESIBLE. If you can t find it, you don t have it

43 Culture of Awareness 43 The new Omnibus Rule also provides an excellent opportunity to review organizational education. Organizational compliance activities are only as strong as the weakest link a breach cannot be timely addressed if an employee fails to report it, for instance, and extensive mobile device security procedures mean little if they are ignored in practice. Entities should keep their eyes peeled for OCR announcements including, especially, promised guidance on the best practices identified in the AP and new guidance interpreting and applying the new Omnibus Rule.

44 HIPAA TIPS Ensure issues are immediately reported within the organization Involve counsel when appropriate who advises and directs the investigation and maintains privilege Understand when you have a breach vs. an incident 44 Understand your reporting obligations Educate staff, management and leadership Create role based access Understand state law requirements

45 Common HIPAA Vulnerabilities Paper files Flash drives Lap tops Social media EHR Review of your own or others information Safeguards not in place (e.g., white boards, ER, elevator conversation) 45

46 HIPAA/HITECH Enforcement 46

47 Who owns the devices Mobile Devices Are personal devices used at work registered Virtual Privacy Network (VPN) to exchange information Back up PHI on servers Remote wipe of devices Policy and procedures Training 47

48 Curiosity Killed the Cat In 2007, George Clooney was admitted to the Palisades Medical Center in New Jersey after a motorcycle accident 27 employees looked, including physicians and nurses Information was leaked to the press 48

49 HIPAA TIPS 49 Who is responsible speaks volume.

50 HIPAA TIPS 50 Investigate Discipline Workforce Mitigate Document Notify

51 Culture of Compliance Compliance involves active engagement of leadership within an organization 51 A successful compliance program includes: Employee training Vigilant implementation of policies and procedures Regular internal audits Prompt action plan to respond to incidents. Analyze, evaluate, and correct potential risk areas

52 52 OCR Resources

53 Questions? 53 S A R A H E. S W A N K P R I N C I P A L O B E R K A L E R W A S H I N G T O N, D C ( ) s e s w a n o b e r. c o m D I A N N E B O U R Q U E M E M B E R M I N T Z L E V I N B O S T O N, M A ( ) D J B o u r q u m i n t z. c o m J O S H J. F R E E M I R E O B E R K A L E R ( ) j j f r e e m i r o b e r. c o m

HIPAA Privacy, Security and Breach Notification

HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance