Boerner Consulting, LLC / Reinhart Boerner Van Deuren s.c.


Catherine M. Boerner, Boerner Consulting LLC
Heather Fields, Reinhart Boerner Van Deuren s.c.
HIPAA COW Spring Conference 2017

Objectives
- Discuss any aggregate results of the desk audits
- Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits
- Discuss approaches to demonstrating HIPAA compliance for an audit
- Consider types of technical assistance that could be developed by OCR

Privacy Rule: Notice of Privacy Practices & Content Requirements
- 164.520(a)(1) Right to notice
- 164.520(b)(1) Required elements of the Notice of Privacy Practices

Privacy Rule: Provision of Notice - Electronic Notice
- 164.520(c)(3) The requirements for the electronic notice

Privacy Rule: Right to Access
- 164.524(a)(1) Access to protected health information
- 164.524(b)(1) Individual's request for access and timely action by the covered entity
- 164.524(b)(2) Timely action by the covered entity
- 164.524(c)(2) Form of access requested
- 164.524(c)(3) Time and manner of access
- 164.524(c)(4) Fees
- 164.524(d)(1) Making other information accessible
- 164.524(d)(3) Other responsibilities

Breach Notification Rule: Content of Notification
- 164.404(c)(1) Content requirements of breach notifications

Breach Notification Rule: Timeliness of Notification
- 164.404(b) Timescale for issuing breach notifications

Security Rule: Security Management Process - Risk Analysis
- 164.308(a)(1)(ii)(A) Accurate and thorough organization-wide risk assessments

Security Rule: Security Management Process - Risk Management
- 164.308(a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

Desk Audits Underway
- 166 Covered Entities
- 43 Business Associates
- Don't expect Desk Audits aggregate results before September 2017 (6 months)
- On-site audits of both CEs and BAs in 2017, AFTER completion of the desk audit process

Audit Protocol Requests by Type
- HIPAA Privacy: 48 times = Sample(s) requested
- HIPAA Privacy: 18 times = Inquiry of management
- Breach Notification: 12 times = Sampling
- Breach Notification: 5 times = Inquiry of management
- HIPAA Security: 100 times = Obtain and review documentation demonstrating

Samples Requested (Privacy Rule)
1. Personal Representatives - recognized
2. Personal Representatives - not recognized
3. Confidential Communications - requested
4. Confidential Communications - accepted
5. Business Associate Contracts - language
6. Business Associate Contracts - subcontractor
7. Business Associate Contracts - material breach
8. Consent for uses and disclosures
9. Authorizations for uses and disclosures - when required
10. Compound authorizations - exceptions
11. Prohibition on conditioning of authorizations
12. Uses and disclosures - authorization required - core elements
13. Uses and disclosures for facility directory
14. Uses and disclosures for public health activities - to employer
15. Uses and disclosures for health oversight activities
16. Uses and disclosures for health oversight activities - exception

17. Disclosures for judicial and administrative proceedings
18. Disclosures for law enforcement purposes - court orders, subpoenas, discovery requests
19. Disclosures for law enforcement purposes - for identification and location
20. Disclosures for law enforcement purposes - PHI of a possible victim of a crime
21. Disclosures for law enforcement purposes - reporting crime in emergencies
22. Uses and disclosures about decedents
23. Uses and disclosures for cadaveric organ, eye or tissue donation
24. Uses and disclosures for specialized government functions - correctional institutions
25. Uses and disclosures for specialized government functions - providing public benefits
26. Disclosures for workers' compensation
27. Minimum Necessary - Uses of PHI
28. Minimum Necessary - Disclosures of PHI
29. Minimum Necessary - Requests for PHI
30. Minimum Necessary - Other content requirement
31. Limited Data Sets - Data Use Agreements
32. Limited Data Sets
33. Uses and disclosures for Fundraising
34. Verification Requirements

35. Provisions of Notice - Health Plans
36. Provisions of Notice - Certain Covered Health Care Providers - acknowledgement
37. Provisions of Notice - timely
38. Documentation - retention of notice
39. Right of an individual to request restriction of uses and disclosures
40. Terminating a restriction
41. Confidential communications requirements
42. Denial of Access
43. Accepting the Amendment
44. Denying the Amendment
45. Content of the Accounting
46. Privacy Training
47. Complaints to the Covered Entity
48. Sanctions

Sample language from the protocol: Obtain and review a SAMPLE of business associate agreements. Evaluate whether the agreements are consistent with the established performance criterion and with entity-established POLICIES AND PROCEDURES.

INQUIRE OF MANAGEMENT as to whether any business associate arrangements involved onward transfers of PHI to additional business associates and subcontractors. If yes, review a SAMPLE of business associate agreements between the covered entity and such business associates for provisions requiring subsequent BAs/subcontractors to provide adequate assurances.

Has the covered entity come into the knowledge of a pattern or practice of the business associate that constituted a material breach or violation of the BA's obligation? If so, obtain documentation of the covered entity's response and evaluate it against the established performance criterion. Use of SAMPLING procedures may be appropriate.

Obtain and review a SAMPLE of workforce members with access to PHI, with their corresponding job title and description, to determine whether the access is consistent with the policies and procedures.

Obtain and review a SAMPLE of protocols for disclosures made on a routine and recurring basis and determine if such protocols limit the PHI to what is reasonably necessary to achieve the purpose of the disclosure, as required by 164.514(d)(3) (Minimum Necessary - Disclosures of PHI).

Obtain and review a SAMPLE of requests made on a routine and recurring basis and determine if they are limited to the PHI reasonably necessary to achieve the purpose of the request, as required by 164.514(d)(4) (Minimum Necessary - Requests for PHI).

Inquiry of Management (Privacy Rule)

1. Health plan use or disclosure of genetic information
2. Deceased individuals
3. Personal Representatives
4. Confidential Communications
5. Uses and disclosures consistent with NPP
6. Disclosures by workforce members who are victims of a crime
7. Business Associate Agreements - how identified and engaged
8. Subcontractors of Business Associates
9. Covered Entities with multiple covered functions (e.g., combination of a health plan and health care provider) - restrict use and disclosure to the function being performed
10. Permitted uses and disclosures for TPO
11. Uses and disclosures for research purposes
12. Notice - e-mail transmission failures
13. Right to access
14. Right to access - template or form letter
15. Denial of access
16. Denial of access - reviewable grounds
17. Denial of access - review process
18. Personnel designation

Does the covered entity enter into business associate contracts as required? Do these contracts contain all required elements? INQUIRE OF MANAGEMENT how the entity identifies and engages business associates.

Sampling (Breach Notification Rule)
1. Complaints to covered entity
2. Sanctions of workforce members
3. Risk Assessments resulting in low probability of compromise
4. Risk Assessments resulting in compromise
5. Risk Assessment - regulatory exception applied
6. Risk Assessment - PHI was not unsecured (rendered unusable, unreadable through use of technology)

7. Breach Notifications sent to individuals
8. Breach Notifications by alternative means
9. Breach Notification involving over 500 - Notification to Secretary
10. Breach Notification involving under 500 - Notification to Secretary
11. Breach Notifications when Business Associate had the breach
12. Delay in notification due to law enforcement

Obtain a list of risk assessments, if any, conducted within the specified period where the covered entity determined there was a low probability of compromise to the PHI. Use SAMPLING methodologies to select documentation of risk assessments to assess whether the risk assessments were completed in accordance with 164.402(2).

Inquiry of Management (Breach Notification Rule)

1. Administrative Requirements
2. Timeliness of Notifications
3. Content of Notification
4. Content of Notification - format
5. Method of Notifications

Were individuals notified of breaches within the required time period? INQUIRE of management.

Obtain and Review Documentation Demonstrating (Security Rule)

1. Security violations and remediation actions
2. Latest written risk analysis
3. Prior risk analysis or two most recent written updates to the risk analysis or other record
4. Implementing appropriate security measures in response to results of risk analysis or assessment
5. Sanctions against workforce members
6. Information system activity review
7. Key information systems capabilities and use of generated activity records
8. Assigned Security Official and responsibilities
9. Access granted to workforce members correlates with their job function/duties
10. Management review of workforce members' access
11. How access requests to information systems are processed
12. How access requests to locations are processed
13. Proper authorization of workforce members in accordance with established lines of authority
14. Clearance process prior to granting workforce members access
15. Terminations of access
16. Changes in access levels
17. Granting access paperwork
18. Newly hired - granting access
19. Access reviewed
20. Modifications of access to information systems

21. Security awareness and training program
22. Security awareness and training program provided to entire organization and made available to independent contractors and BAs
23. How periodic security updates are conducted
24. Periodic updates are accessible and communicated
25. Procedures for guarding against, detecting, and reporting malicious software are included in security awareness and training program
26. Procedures are in place to guard against, detect, and report malicious software
27. Workforce members that should be trained on procedures to guard against, detect, and report malicious software
28. Workforce members that were trained on malicious software
29. Procedures to monitor log-in attempts and report discrepancies
30. Workforce members and role types who should be trained on procedures for monitoring log-in attempts and reporting discrepancies
31. Procedure for creating, changing, and safeguarding passwords
32. Training on creating, changing, and safeguarding passwords
33. Security incident P&Ps are implemented - responding to, reporting, and mitigating security incidents
34. Security incident outcomes are properly documented and communicated
35. Contingency plan is implemented
36. How data is backed up

37. Data backup and restoration tests
38. Disaster recovery plan includes restoring any loss of data
38. Continuation of critical business processes for the protection of the security of ePHI while operating in emergency mode
39. Data restore tests and test results
40. Contingency plans have been approved, reviewed and updated on a periodic basis
41. Revisions of contingency plan
42. Contingency plan tests and related results
43. Identification of critical ePHI applications and their assigned criticality levels
44. How ePHI applications (data applications that store, maintain or transmit ePHI) are identified
45. Periodic technical and non-technical evaluations
46. Technology change control/management and documentation of major technology changes with risk management and risk mitigation efforts
47. Business Associate agreements have security requirements
48. Workforce members with authorized physical access to electronic systems and facilities
49. Procedures for granting individual access to entity facility
50. Visitor physical access to electronic information systems and facility where it is housed
51. Contingency operation procedures currently implemented
52. Contingency operation procedures are tested
53. Facility security plan procedures implemented

54. Facility access controls and validation procedures - visitors
55. Control of access to software programs for modification and revision
56. Facility and software access control and validation procedures are implemented
57. Records of repairs and modifications to physical security components
58. Inventory of locations and types of workstations
59. Workstation classification
60. Workstation use P&P implemented
61. Workstation security P&P implemented
62. Movement of hardware and electronic media containing ePHI into, out of and within the facility
63. Type of security controls implemented for the facility for in, out, and within movements of workforce members' assigned hardware and electronic media that contain ePHI
64. How disposal of hardware, software, and ePHI data is completed, managed and documented
65. How the sanitization of electronic media is completed, managed, and documented
66. Media re-use procedures being implemented and how ePHI has been removed from electronic media
67. A record of movements of hardware and electronic media and the person responsible
68. How ePHI data is backed up for equipment being moved to another location
69. How ePHI data backups from moved equipment are stored
70. Restoration of ePHI data backups for moved equipment

71. Implementation of access controls for electronic information systems that maintain ePHI
72. A list of new workforce members from the electronic information system who were granted access to ePHI
73. Access levels granted to default, generic/shared, and service accounts
74. Periodic reviews of procedures related to access controls have been conducted
75. Terminations and job transfers - user access levels were removed or modified timely
76. Assignment, creation, and use of unique user IDs in electronic information systems for each user
77. Workforce members with authority to initiate emergency access procedures
78. Implementation of automatic logoff
79. ePHI being encrypted and decrypted
80. Risk-based audit controls have been implemented over all electronic information systems that contain or use ePHI
81. Implementation of hardware, software and/or procedural mechanisms to record and examine activity
82. Processes in place to protect ePHI from improper alteration or destruction
83. Electronic mechanisms are implemented to authenticate ePHI
84. Implementation of authentication procedures for persons or entities seeking access to ePHI
85. Implementation of technical security measures to protect electronic transmissions of ePHI
86. Implementation of security measures to protect electronic transmissions of ePHI

87. Encryption mechanism is implemented to encrypt ePHI
88. Electronically transmitted ePHI is encrypted
89. Standard business associate contract template(s)
90. Approval process when deviations affecting the implementation of safeguards to protect ePHI are considered
91. Business associates have reported security incidents of which they were aware, including breaches of unsecured PHI
92. Plan documents provide that the plan sponsor will reasonably and appropriately safeguard ePHI created, received, maintained or transmitted to or by the plan sponsor on behalf of the group health plan
93. Plan documents of the group health plan require the sponsor to implement administrative, physical, and technical safeguards
94. Plan documents of the group health plan ensure adequate separation between the group health plan and the plan sponsor
95. Policies and procedures are being maintained
96. Action, activity or assessment that is required by the Security Rule
97. Policies and procedures are being maintained for six (6) years from the date of creation or the date when last in effect
98. An action, activity, or assessment is being maintained for six (6) years
99. Security Rule policies and procedures are made available to the workforce members responsible for implementing the pertaining procedures

100. Policies and Procedures are reviewed and updated on a periodic basis

Example: System Access Policy and Procedure - standards addressed
45 CFR 164.308(a)(3)(i)       Workforce Security                      Administrative
45 CFR 164.308(a)(3)(ii)(A)   Authorization and/or Supervision        Administrative
45 CFR 164.308(a)(3)(ii)(B)   Workforce Clearance Procedures          Administrative
45 CFR 164.308(a)(3)(ii)(C)   Termination Procedures                  Administrative
45 CFR 164.308(a)(4)(i)       Information Access Management           Administrative
45 CFR 164.308(a)(4)(ii)(B)   Access Authorization                    Administrative
45 CFR 164.308(a)(4)(ii)(C)   Access Establishment and Modification   Administrative
45 CFR 164.308(a)(5)(ii)(D)   Password Management                     Administrative
45 CFR 164.310(b)             Workstation Use                         Physical
45 CFR 164.310(c)             Workstation Security                    Physical
45 CFR 164.312(a)(1)          Access Control                          Technical
45 CFR 164.312(a)(2)(i)       Unique User Identification              Technical
45 CFR 164.312(a)(2)(iii)     Automatic Logoff                        Technical
45 CFR 164.312(d)             Person or Entity Authentication         Technical

Approaches to Demonstrating HIPAA Compliance
- HIPAA Privacy Gap Analysis
- HIPAA Breach Notification Process Review
- HIPAA Security Risk Analysis
- HIPAA COW Risk Assessment Tool
- ONC Risk Assessment Tool
- Mock Audits
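Several of the Security Rule documentation items above (access correlating with job function, management review of access, timely removal on termination or transfer, access levels of default, generic/shared and service accounts, unique user IDs) are requests for evidence, and that evidence is normally produced by reconciling the HR roster against the account export of each system that holds ePHI. The script below is an added example written for this page, not material from the presentation, from OCR or from the HIPAA COW tools; the two CSV layouts, the sample records, the review date and the 3-day removal window are constructed assumptions that an entity would replace with its own exports and its own policy values.

```python
"""Access-review evidence: reconcile an HR roster against an ePHI system's
account export. Added example; the column layouts, records and policy
window below are constructed assumptions, not the presenters' material."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed HR roster (assumed columns; not real people).
HR_ROSTER_CSV = """\
employee_id,name,status,termination_date,job_title
E100,Alice Nurse,active,,RN
E101,Bob Coder,terminated,2017-03-01,Medical Coder
E102,Carol Biller,terminated,2017-02-10,Billing Clerk
E103,Dan Admin,active,,System Administrator
"""

# Constructed account export from a system that holds ePHI (assumed columns).
ACCOUNTS_CSV = """\
user_id,employee_id,account_type,access_level,enabled,disabled_date
anurse,E100,user,clinical,true,
bcoder,E101,user,coding,true,
cbiller,E102,user,billing,false,2017-02-20
dadmin,E103,user,admin,true,
dadmin,E103,user,admin,true,
shared_er,,shared,clinical,true,
svc_backup,,service,admin,true,
"""

# Policy assumption for the example: access removed within 3 days of termination.
REMOVAL_DEADLINE_DAYS = 3
REVIEW_DATE = date(2017, 4, 1)  # constructed "as of" date for the review


@dataclass
class Finding:
    category: str
    user_id: str
    detail: str


def _parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def load_rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_csv: str, accounts_csv: str, as_of: date,
                  deadline_days: int = REMOVAL_DEADLINE_DAYS) -> List[Finding]:
    """Return the exceptions an auditor would want to see, in account order."""
    roster = {r["employee_id"]: r for r in load_rows(hr_csv)}
    accounts = load_rows(accounts_csv)
    findings: List[Finding] = []

    # Unique user identification (164.312(a)(2)(i)): no user_id may repeat.
    counts: Dict[str, int] = {}
    for acct in accounts:
        counts[acct["user_id"]] = counts.get(acct["user_id"], 0) + 1
    for uid, n in counts.items():
        if n > 1:
            findings.append(Finding("duplicate_user_id", uid, f"user ID appears {n} times"))

    for acct in accounts:
        uid = acct["user_id"]
        enabled = acct["enabled"].lower() == "true"

        # Generic/shared and service accounts: record the access level they carry.
        if acct["account_type"] in ("shared", "service"):
            findings.append(Finding("non_individual_account", uid,
                                    f"{acct['account_type']} account with {acct['access_level']} access"))
            continue

        person = roster.get(acct["employee_id"])
        if person is None:
            findings.append(Finding("orphan_account", uid, "no HR record for this account"))
            continue

        # Terminations: access must be removed, and removed within the policy window.
        if person["status"] == "terminated":
            term = _parse_date(person["termination_date"])
            disabled = _parse_date(acct["disabled_date"])
            if enabled or disabled is None:
                days_open = (as_of - term).days if term else -1
                findings.append(Finding("terminated_still_enabled", uid,
                                        f"terminated {term}, still enabled after {days_open} days"))
            elif term and (disabled - term).days > deadline_days:
                findings.append(Finding("late_removal", uid,
                                        f"disabled {(disabled - term).days} days after termination "
                                        f"(limit {deadline_days})"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Findings per category: the one-line summary for the audit response."""
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.category] = totals.get(f.category, 0) + 1
    return totals


def example_findings() -> List[Finding]:
    """Run the review over the constructed extracts."""
    return review_access(HR_ROSTER_CSV, ACCOUNTS_CSV, REVIEW_DATE)


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.category:26} {f.user_id:12} {f.detail}")
    print(summarize(example_findings()))
```

Run against the constructed data it reports one duplicated user ID, one terminated worker whose account is still enabled, one removal that missed the policy window, and the two non-individual accounts with their access levels. Kept with its input extracts and the date it was run, that output is the "access reviewed" and "terminations of access" evidence the protocol asks an entity to obtain and retain; the policy window and the account-type labels are the two places an entity has to substitute its own P&P values.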

Preparing for an Audit
- Develop the organization's HIPAA roadmap
- Create a way to easily access the policies/procedures that address each HIPAA Rule expectation (and support decision-making, as possible)
- Communication plan: Who is on the audit team? Communication to senior leadership; communication from senior leadership
- Organizational charts, work-flow, data-flow

Recent OCR Guidance
- OCR Cyber Newsletter, Understanding the Importance of Audit Controls (January 2017)
- OCR Guidance for Ensuring Accessibility of Health Programs and Activities offered through Information Technology (December 2016)
- OCR and DOJ Guidance Letter for Child Welfare Systems (October 2016)
- OCR Guidance on HIPAA and Cloud Computing (October 2016)

Upcoming Guidance / FAQs
- Privacy and Security for the All of Us (PMI) research program
- Text messaging
- Social Media
- Use of CEHRT & compliance with HIPAA Security Rule (w/ ONC)
- RA/CMP Process
- Update of existing FAQs to account for Omnibus and other recent developments
- Minimum necessary
Source: OCR presentation at HCCA 2017 Compliance Institute

Contacts
Catherine Boerner, JD, CHC
Boerner Consulting, LLC, New Berlin, WI
(414) 427-8263
cboerner@boernerconsultingllc.com

Heather Fields, JD, CHC, CCEP-I
1000 North Water Street, Suite 1700, Milwaukee, WI 53202
(414) 298-8166
hfields@reinhartlaw.com