Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Similar documents
HIPAA Security and Privacy Policies & Procedures

HIPAA Federal Security Rule H I P A A

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Implementing an Audit Program for HIPAA Compliance

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA 101: What All Doctors NEED To Know

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Integrating HIPAA into Your Managed Care Compliance Program

Red Flags/Identity Theft Prevention Policy: Purpose

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Hospital Council of Western Pennsylvania. June 21, 2012

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Information Security Policy

Putting It All Together:

Security and Privacy Governance Program Guidelines

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Information Technology General Control Review

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report October 29, 2010

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

NCQA and HIPAA. The Fifth National HIPAA Summit. A match made in? Sharon King Donohue, JD General Counsel, Chief Privacy Officer November 1, 2002

HIPAA Privacy, Security and Breach Notification

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA Compliance Checklist

Consumer Protection & System Security Update. Bill Jenkins and Cammie Blais

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Implementing and Enforcing the HIPAA Security Rule

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

The Relationship Between HIPAA Compliance and Business Associates

EXHIBIT A. - HIPAA Security Assessment Template -

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Policy and Procedure: SDM Guidance for HIPAA Business Associates

HIPAA Security Manual

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

01.0 Policy Responsibilities and Oversight

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

Steffanie Hall, RHIA HIM Director/Privacy Officer 1201 West 12 th Emporia, Kansas ext

Policy. Policy Information. Purpose. Scope. Background

Healthcare Privacy and Security:

[DATA SYSTEM]: Privacy and Security October 2013

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

The ABCs of HIPAA Security

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

HIPAA & Privacy Compliance Update

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

SECURITY & PRIVACY DOCUMENTATION

Security and Privacy Breach Notification

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Not Just Another Day of HIPAA

HIPAA FOR BROKERS. revised 10/17

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ).

HIPAA AND SECURITY. For Healthcare Organizations

HIPAA Compliance & Privacy What You Need to Know Now

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Audit and Compliance Committee - Agenda

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

The HIPAA Omnibus Rule

Employee Security Awareness Training Program

HIPAA For Assisted Living WALA iii

HPE DATA PRIVACY AND SECURITY

HIPAA Implementation: Steps to Creating a Budget for HIPAA Compliance

Critical HIPAA Privacy & Security Crossover Areas

HIPAA Security Checklist

HIPAA Security Checklist

Data Compromise Notice Procedure Summary and Guide

Summary of Gartner COMPARE Survey of HIPAA Readiness Conducted Feb-March 2003

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

HIPAA-HITECH: Privacy & Security Updates for 2015

Privacy Policy on the Responsibilities of Third Party Service Providers

Security Audit What Why

DAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

COBIT 5 With COSO 2013

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Data Backup and Contingency Planning Procedure

UTAH VALLEY UNIVERSITY Policies and Procedures

Social Media and Texting: A Growing Concern

Department of Public Health O F S A N F R A N C I S C O

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

IT Security in a Meaningful Use Era C&SO HIMSS Meeting

Projecting and Budgeting Costs and Savings of HIPAA Compliance

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

The simplified guide to. HIPAA compliance

efolder White Paper: HIPAA Compliance

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

LifeWays Operating Procedures

Transcription:

Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1

The Elements of Corporate Compliance Program There are seven key elements of an effective healthcare provider corporate compliance program, as recommended by the OIG. 1. Written Policies & Procedures 2. Designation of a Compliance Officer and Compliance Committee 3. Training and Education 4. Effective Lines of Communication 5. Disciplinary Guidelines 6. Auditing and Monitoring 7. Responding to Detected Offenses and Developing Corrective Action Initiatives DHHS adhered to these principles when developing the regulatory scheme for HIPAA compliance 2

The HIPAA Compliance Program Health Insurance Portability & Accountability Act of 1996 (HIPAA) requires the elements of a Compliance Program that safeguards health information. 3

Health Insurance Portability & Accountability Act of 1996 HIPAA Title I Healthcare Portability Title II Administrative Simplification Titles III, IV, V Transaction Standards Standard Code Sets Unique Health Identifiers Security Standards Electronic Signature Standards Information Between Health Plans Privacy Establish standards and requirements for the transmission of certain health information Reduce health care fraud and abuse Guarantee security of health information Require privacy legislation surrounding the use of individually identifiable health information 4

Health Insurance Portability & Accountability Act of 1996 Health Care Provider Hospitals Physicians Pharmacies Multi-Plan Organization Corporate Parent Separate Health Plans Various State regulations Multi-Line Insurance Company Health, Life, Disability, etc. Shared Job Functions Examples of Covered Entities Underwriting for both health and other policies Claims adjudication HMO Products Combine treatment & payment Uniform Privacy Variations in Business Unit Processes Regulations Standards 5

HIPAA s Current Status and Deadlines Transaction and privacy standards are final Additional privacy guidelines finalized 8/14/02 Transaction and code set modifications proposed 5/31/02 Final security standards are expected in?? 2002 Employer identifier was finalized on 5/31/02; timeline for other identifiers is uncertain Public Law 107-105 provides an extension for standard transactions and code sets until 10/16/03 for covered entities filing an extension request with HHS HIPAA Rule Privacy Transaction Standards Code Sets Unique Identifiers Employers Unique Identifiers Individual Unique Identifiers Plans, Providers Effective Date April 2001 & modified August 2002 October 2000 October 2000 July 2002 On hold Proposed Compliance Deadline April 14, 2003 October 16, 2002 October 16, 2002 July 30, 2004 NA NA EXTENSION REQUESTS FOR 10/16/03 Security Standards April 21, 2003 April 21, 2005 6

Auditing & Monitoring Auditing & Monitoring for HIPAA Compliance 7

Auditing & Monitoring Integrating HIPAA requirements into the Auditing and Monitoring Process Mission & Objectives Risk Risk Assessment Audit Audit Plan Plan Audit Audit Testing Testing Reports & Feedback Safeguarding Health Information Key Subject Matter Experts Compliance Oversight- Privacy Official, Enterprise wide Information Security Structure Identify key high risk areas relating to use and disclosure of PHI Compliance Issues Management Style Compliance Structure Due Diligence of Compliance with Third Party Agreements Risk/Control Management Focus Compliance priorities Self Analysis Best Practices/ Benchmarks Controls/Substantive Testing Detail/Summary Reports Recommendations Performance Assessment Special Audits 8

Auditing & Monitoring HIPAA Compliance Mission and Objectives: Safeguarding Protected Health Information ( PHI ) Identifying risk of improper use and disclosure Discussions with Key Subject Matter Experts ( SMEs ) Review of HIPAA policies and procedures Develop foundation for understanding of HIPAA compliance opportunities and risks 9

Auditing & Monitoring HIPAA Compliance Risk Assessment Used to identify, measure and prioritize compliance risks to help internal auditor evaluate and test critical internal controls Requires key SMEs in such departments as Compliance, Human Resources, Claims, Billing, Marketing, Research and other areas that use and disclose PHI Provides a dynamic corporate audit plan that identifies proposed audit coverage and knowledge resource requirements pertaining to security and privacy requirements Internal Auditor recognized as value added business advisor 10

Auditing & Monitoring HIPAA Compliance Risk Assessment (cont.) Evaluate privacy office structure and HIPAA implementation plans to address administrative functions, use and disclosure of PHI, individual rights afforded, and business associate requirements An understanding of relationships with third parties such as Business Associates Due diligence in response to Business Associates, Chain of Trust and Trading Partners violation of their third party agreements Identification of control weaknesses that may cause violations of security and privacy requirements 11

Auditing & Monitoring Development of Corporate Audit Plan high I Greater Need for Audit Procedures II Risk IIV VV III low Control high 12

Auditing & Monitoring HIPAA Compliance Audit Testing - Audits should focus on areas of vulnerability identified in the initial assessment - Determine the effectiveness of an institution s HIPAA policies & procedures Work with the HIPAA Privacy Official, Security & TCI SMEs in evaluating and testing the effectiveness of the HIPAA implementation plan policies, procedures and business processes Benchmark by selecting high risk departments and reviewing their policies and procedures to determine if there is a gap between those policies and procedures and HIPAA requirements - 13

Auditing & Monitoring HIPAA Compliance Audit Testing (cont.) Create ongoing assessment checklists which allow your organization to constantly monitor exposure through use of: HIPAA Implementation Work Plans and DHHS Compliance Guidance Reports Statutes and Regulations distribution Journals and Newsletters distribution Implement corporate-wide ongoing self-evaluation process to monitor and validate the effectiveness of the program HIPAA Compliance Department to provide each department with self-monitoring tools to measure against the HIPAA requirements HIPAA Compliance Department can facilitate enforcement of departments self-evaluation processes 14

Auditing & Monitoring Reports and Feedback - Recommend corrective measures, including the development of revised policies and procedures, to meet HIPAA requirements - Significant findings and action taken should be documented and communicated to the Audit Committee, Privacy Office and Committee and Board of Trustees - Performance assessment of trends identified as control weaknesses and compliance violations - Reaudit as necessary based upon initial findings and associated risk - Conduct Special Audits, as needed, i.e. follow up after notification of violation of BA agreement not to disclose PHI 15

Auditing & Monitoring HIPAA Compliance Areas It is recommended the following areas be evaluated during an internal HIPAA audit (not inclusive): Accounting Actuarial Administration Agents/Brokers Audit Billing Business Office Claims Compliance Contracts Corporate Office Enrollment Facility Management Human Resources Information Technology Legal Marketing Medical Staff Purchasing Records Sales Treatment Underwriting 16

Privacy Administrative Administrative Requirements Requirements Uses Uses & Disclosures Disclosures of of PHI PHI Individual Individual Rights Rights Business Business Associates Associates Organizational Considerations Privacy Official Privacy Policies & Procedures Employee Education Organizational Considerations Minimum Necessary Authorized Uses & Disclosures Special Considerations Access to Records Request for Restrictions Disclosure Accounting Amendment of Records Identification Written Agreement Non-compliance Process Due Diligence 17

Administrative: Auditing & Monitoring - Privacy - Determine if a Privacy Official has been appointed. - Determine that employees have been trained on the organization s privacy policies and general HIPAA requirements. - Review procedures relating to disclosing or transmitting member information. - Determine if there is a process to monitor HIPAA compliance. - Determine if there is a process in place to address individual complaints about privacy violations. - Determine if there is a process in place for the organization to take corrective action for violations. - Determine if there is a policy in place to address employee discipline and a process to accomplish this for privacy violations. 18

Auditing & Monitoring - Privacy Use and Disclosure of PHI: - Evaluate if there are procedures or processes in place to check that if an individual has given the organization written permission to make a disclosure, if necessary. - Determine if a process is in place to identify appropriate uses of PHI. - Determine if a process is in place that identifies routine and non-routine disclosures of PHI. - Determine if a minimum necessary policy is in place for the organization to respond to requests for and disclosures of PHI. - Determine if a verification process is in place. - Determine if any policies and procedures exist with respect to the organization s group health plan and if so, whether there are any processes in place that restrict the disclosure of employee health information and address the plan document. 19

Auditing & Monitoring - Privacy Use and Disclosure of PHI (cont.): - Determine if the organization has a system to track disclosures as required. - Determine if a policy exists to determine if authorizations are valid. - Determine if a policy or process is in place to require minimum necessary use and disclosure, noting exceptions (e.g., physician requests, individual requests). - Determine if there is a process in place to designate the record set for an individual. - Determine if departments have a policy that addresses deleting all PHI from member information before disclosing the information outside the company. - Determine if there is a process in place to obtain patient authorization for marketing and fundraising activities. 20

Individual Rights: Auditing & Monitoring - Privacy - Determine if there is a process in place that requires the organization to permit individuals the right to access, copy and amend their protected health information. - Determine if there is a process in place that requires the organization to respond to requests for restrictions on disclosure. - Determine if there is a policy in place that addresses accounting for individual PHI disclosure. - Determine if there is a policy in place to address individuals requests not to be in a facility directory. 21

Auditing & Monitoring - Privacy Business Associates: - Determine if there is a process in place to address Business Associate Agreements. - Determine if there is a process in place to identify and maintain current lists of Business Associates. - Determine if there is a policy in place to address non-compliance with Business Associate Agreements. 22

Security Administrative Procedures Physical Safeguards Technical Security Services Data Integrity Confidentiality Availability Certification Chain of Trust Partner Agreement Formal Mechanism for Processing Records Information Access Control Business Continuity Plan Internal Audit Personnel Security Security Configuration Management Security Incident Procedures Security Management Process Termination Procedures Training Assigned Security Responsibility Media Controls Physical Access Controls Policy/Guideline on Work Station Use Security Work Station Location Security Awareness Training Access Control Audit Controls Authorization Control Data Authentication Entity Authentication Technical Security for Network Communications Network Access Integrity Confidentiality 23

Auditing & Monitoring - Security Administrative Procedures - Evaluate documented administrative procedures pertaining to the selection and execution of security measures that protect data and manage the conduct of personnel in relation to the protection of data. Physical Safeguards - Evaluate the physical computer systems and related buildings and equipment for protection from fire and other natural environmental hazards, including intrusion. Technical security services - Evaluate the processes in place that protect information and control individual access to information. Technical security mechanisms - Evaluate the processes in place that guard against unauthorized access to data that is transmitted over a communications network. Electronic signatures - Evaluate if there are electronic signatures, and if in place, determine if they are used on electronic documents to bind it to a particular entity. 24

Auditing & Monitoring - TCI Monitoring Activities During HIPAA Implementation: Measure implementation progress against detailed HIPAA readiness workplans: - Check implementation progress against established deadlines. - Review electronic testing plans and results of tests. - Run code scans to determine whether prohibited codes have been eliminated. 25

Auditing & Monitoring - TCI Ongoing Monitoring Activities: - Determine if there are edit mechanisms in place to flag noncompliant transactions. Test system edits. - Perform ongoing testing of transactions to confirm that the HIPAA transaction requirements (e.g., new transactions, addenda to existing transactions) are implemented. - Perform coding reviews on a periodic basis. Compare an electronic file of HIPAA compliant codes to an electronic file of codes used and test for discrepancies. Alternatively, review log books for new code requests. - Review the budget to determine if it needs to be updated for additional remediation. 26

Sheryl Vacca, Director Deloitte & Touche, LLP svacca@deloitte.com 714-436-7710 or Suzie Draper Intermountain Health Care Corporate Compliance Administrator 801-442-6516 916-498-7156 Questions and Answers 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback