HIPAA Privacy, Security and Breach Notification
HCCA East Central Regional Annual Conference, October 2013

Disclaimer
The information contained in this document is provided by KPMG LLP for general guidance and is intended to offer the user general information of interest. The information provided is not intended to replace or serve as a substitute for any audit, advisory, tax or other professional advice, consultation or service. You should consult with a KPMG professional in the respective audit, advisory, tax or other professional area to obtain such services. The application of laws and regulations may vary depending on specific facts or circumstances. In no event shall KPMG, its related partners, managing directors, principals, agents or employees be liable for any direct, indirect, incidental, special, exemplary, punitive, consequential or other damages whatsoever (including but not limited to liability for loss of use, data or profits), without regard to the form of any action, including but not limited to contract, negligence or other tortious actions, arising out of or in connection with this information or any copying, display or other use hereof.
Table of contents
- Health Insurance Portability and Accountability Act (HIPAA) key concepts
- Omnibus updates
- The Office for Civil Rights (OCR) audits
- Audit results analysis
- HIPAA privacy audit findings and observations analysis
- HIPAA security audit findings and observations analysis
- HIPAA breach notification audit findings and observations analysis
- Lessons learned
- Leading practices

HIPAA Key Concepts
Program background
Health Information Technology for Economic and Clinical Health (HITECH) Act, Section 13411, Audits: the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires the US Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards.
- Transaction code sets and identifiers: formatting and processing of healthcare claims-related transactions
- Privacy: protection of patient rights and information from undue exposure
- Security: safeguarding of the technology systems that process health information

Key concept: business associates
- PHI disclosures may be made to a business associate (BA), and the BA may create or receive PHI, provided that satisfactory, documented assurance is obtained that the BA will appropriately safeguard the information.
- A BA has direct responsibility to maintain privacy and security, and if it uses third parties it must obtain satisfactory assurance from those third parties.
Key concepts: HIPAA security
- Ensure the confidentiality, integrity and availability of electronic protected health information (ePHI), i.e., protect both the technology and the processes around it
- The standards set a minimum baseline of controls and safeguards
- Covered entities (CEs) should develop information protection and security programs based on:
  - performance of a risk assessment
  - the level of risk the organization is willing to tolerate
- The BA's contract vehicle with the CE should specify this obligation

Key concepts: HIPAA security standards
- Standards are supported by implementation specifications: 20 required and 22 addressable
- Options for an addressable specification:
  - implement the addressable specification
  - implement alternative security measures
  - implement a combination of both
  - implement neither the specification nor an alternative
- Whichever option is chosen, the decision must be based on the risk assessment, documented, and retained for six years
- Examples include: workforce security, access authorization, facility access controls, facility security plan, transmission security, encryption
- Application and data workflows need to be mapped in order to determine which controls apply and which uses of the data are necessary
Omnibus Updates

Omnibus Final Rule
- Issued January 17, 2013; effective March 26, 2013; compliance date September 23, 2013
- Major changes:
  - Expands liability to business associates, subcontractors and agents of covered entities
  - Presumption of breach unless there is a low probability of data compromise; the CE must assess the risk following a breach
  - Use of PHI for marketing and fundraising (opt-out)
  - Individual's right of access to electronic PHI
  - Enforcement penalties
Revised definition of breach
- Prior definition: acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI. The interim final rule defined "compromises" as posing a significant risk of financial, reputational or other harm.
- Revised definition: an acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach unless the CE or BA can demonstrate (via documentation) that there is a low probability that the PHI has been compromised. The burden of proof therefore shifts to the CE or BA.
Conduct a risk assessment to determine the probability of compromise
Factors that must be weighed in assessing the probability of compromise:
- The nature and extent of the PHI involved
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated

The Office for Civil Rights Audits
Overview and objective of the audits
- Overview: ARRA requires HHS to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards.
- Program objectives: OCR piloted a program to perform up to 150 audits of covered entities to assess privacy and security compliance (the pilot program ultimately completed 115 audits in 2012). Key objectives of the program are:
  - Assess HIPAA compliance efforts by a range of covered entities
  - Examine mechanisms for compliance
  - Identify leading practices
  - Discover risks and vulnerabilities
- OCR will broadly share leading practices gleaned through the audit process, and guidance targeted at observed compliance challenges, on its web site and other outreach portals.

Who is being audited?
- Every covered entity and business associate is eligible for an audit.
- Selections in the initial round were designed to provide a broad assessment of a complex and diverse health care industry.
- OCR is responsible for selecting the entities, with the intent of auditing as wide a range of types and sizes of covered entities as possible.
- Business associates will be included in future audits.
HIPAA key data points
- $194: average cost of a breach per record
- $1,000: average cost of a breach per patient based on recent class-action lawsuits, plus legal fees and credit monitoring
- 498: number of organizations that have reported breaches affecting over 500 individuals to OCR since 2009
- $1.5M: fine for a large southern payor organization; $17M total costs from the breach
- $0.46: cost of a first-class stamp, i.e., the postage for notifying one individual of a breach
- TBD: reputational costs
Sources: Ponemon Institute; Sutter Health/Tricare class action filings; http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Audit Results Analysis
Auditees by entity type
Identified below is the targeted mix of auditees by level and type. This mix of organizations allowed the program to gain an understanding of the level of HIPAA compliance from a cross-section of the overall industry.

Entity type                Level 1  Level 2  Level 3  Level 4  Total
Health plans                    13       12       11       11     47
Healthcare providers            11       16       10       24     61
Healthcare clearinghouses        2        3        1        1      7
Total                           26       31       22       36    115

Overall audit results analysis: findings and observations
- 13 entities (2 providers, 9 health plans and 2 clearinghouses) had no findings or observations.
- 64% of the selected audit protocol pertained to privacy, 28% to security and 8% to breach notification.
- Security, although only 28% of the protocol, accounted for 60% of the findings and observations.
- No clear trends in the privacy findings and observations; the challenges were widespread.
- Providers had more findings and observations than health plans and clearinghouses.
Overall audit results analysis: findings and observations (continued)
There are several overarching trends in the audit results noted across the 115 entities audited.
- There were 979 audit findings and observations across all entities: 293 privacy, 592 security and 94 breach notification.
- 58 of the 59 providers with observations had at least one finding or observation in HIPAA security.
- 47 of 59 providers with observations, 20 of 35 health plans with observations and 2 of 7 clearinghouses with observations did not have a complete and accurate risk assessment.
- Almost every entity that had no finding or observation in an area defined as an addressable implementation specification in the HIPAA Security Rule achieved that by fully implementing the addressable specification rather than by choosing an alternative.
- Level 4 entities continue to struggle with HIPAA privacy, security and breach notification.

Overall audit results analysis: cause analysis
Unaware of the requirement
- For 39% (115 of 293) of the privacy audit findings and observations, the entities said they were unaware of the requirement.
- 75% (86 of the 115) were in areas of the audit protocol where the performance criteria were derived directly from the HIPAA Privacy Rule.
- Top privacy areas with this cause: notice of privacy practices; access of individuals; minimum necessary; and authorizations.
Overall audit results analysis: cause analysis (continued)
Unaware of the requirement
- For 27% (163 of 592) of the security audit findings and observations, the entities said they were unaware of the requirement.
- 94% (153 of 163) were in areas of the audit protocol where the criteria were derived directly from the HIPAA Security Rule.
- Top security areas with this cause: risk analysis; media movement and disposal; and audit controls and monitoring.
- For 12% (11 of 94) of the breach notification audit findings and observations, the entities said they were unaware of the requirement. All 11 were in areas of the audit protocol where the criteria were derived directly from the Breach Notification Rule.

HIPAA privacy, security and breach notification audit findings and observations
[Charts: audit findings and observations by rule; by level; by type of covered entity]
HIPAA privacy, security and breach notification audit findings and observations (continued)
[Chart: audit findings and observations distribution]

HIPAA Privacy Audit Findings and Observations Analysis
HIPAA privacy audit findings and observations
[Chart: percentage of findings and observations by area of focus]
[Chart: findings and observations by area and type of entity]
[Chart: findings and observations by level]

Individual HIPAA privacy areas of focus: audit findings and observations
[Charts: access of individual to PHI; administrative requirements]
[Chart: uses and disclosures of PHI]
[Charts: notice of privacy practices for PHI, audited findings and observations; notice of privacy practices for PHI, unaudited observations]
The unaudited-observations chart includes an analysis of observations from additional notice of privacy practices content requirements that were not included in the audit protocol at the time. Letters were provided to covered entities indicating the deficiencies noted in the content of their notices.
HIPAA Security Audit Findings and Observations Analysis

HIPAA security audit findings and observations
[Chart: percentage of audit findings and observations by area of focus]
[Chart: total audit findings and observations by area of focus and entity type]
[Chart: total security audit findings and observations by area of focus and level of entity]
HIPAA Breach Notification Audit Findings and Observations Analysis

Breach notification audit findings and observations
[Chart: audit findings and observations by requirement and type of entity]
[Chart: audit findings and observations by requirement and level of entity]

Lessons Learned: Preparing for an Audit
Next steps to consider
- Plan ahead for the impact of HIPAA across the organization
- Determine possible common responsibilities and oversight across IT, information security and internal audit
- Assess overlap between controls oversight and management
- Clearly identify and alert the lines of business affected by HIPAA
- Coordinate with the impacted departments (IT, HR, business, internal audit) and create an ongoing dialogue
- Have a communication plan ready and engage senior leadership
- Conduct a robust assessment, with an annual or bi-annual reassessment for compliance
- Perform self-assessments using the OCR audit protocols
- Conduct mock interviews of staff to prepare them for the audit
- If compliance issues exist, use a risk-based approach to set remediation priorities

Next steps to consider (continued)
- Perform data discovery to trace the lifecycle of PHI at your organization
- Determine the control and safeguard catalogue for HIPAA prior to remediation: know what you are going after
- Know where high-risk PHI exists
- Determine whether the data is encrypted and, if not, how it is protected
- Ensure that you know where system-generated information such as audit logs exists, and the lead time required to extract it
- Where gaps are identified, establish effective technical safeguards over PHI (encryption, access management, restriction to required use only)
- Consider internal employee health information in the evaluation (group health plan)
- Assess your ability to combine HIPAA compliance activities with other compliance activities such as PCI (unified compliance) to increase the effectiveness and efficiency of your compliance programs
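The data-discovery step above (trace the lifecycle of PHI, know where high-risk PHI exists) is usually done with a scanner that looks for identifier patterns in files and ranks what it finds. The following is an added example, not code from the original presentation or from KPMG: it scans a small set of constructed, made-up sample files for a handful of HIPAA identifier patterns (SSN, date of birth, medical record number, phone number), and ranks each file by how many direct and indirect identifiers co-occur in it. The pattern catalogue, the sample data, and the "high/medium/low" tiering rule are all assumptions chosen for illustration; a real deployment would extend the catalogue to the full set of HIPAA identifiers and point `scan_files` at real storage.

```python
import re

# Constructed sample files standing in for what a discovery sweep might read.
# All values are made up for this example; none is real patient data.
SAMPLE_FILES = {
    "exports/claims_2013.csv": "member_id,ssn,dob\n100234,123-45-6789,1961-04-12\n",
    "tmp/notes.txt": "Patient MRN 00458812 seen 04/12/2013; phone (412) 555-0134",
    "docs/readme.txt": "Build instructions: run make, then make test.",
}

# Assumed pattern catalogue: a starting subset of HIPAA identifiers, not a
# complete list. Word boundaries keep an SSN from also matching as a date.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,10}\b"),
    "phone": re.compile(r"\(\d{3}\)\s*\d{3}-\d{4}\b"),
}

# Identifiers that on their own point to one person (assumed classification).
DIRECT = {"ssn", "mrn"}


def scan_text(text):
    """Return {identifier_type: match_count} for every pattern that hits."""
    hits = {}
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def scan_files(files):
    """Scan a {path: content} mapping; keep only files with at least one hit."""
    results = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            results[path] = hits
    return results


def classify(hits):
    """Assign a coarse risk tier to one file's hit counts (assumed rule).

    high:   a direct identifier (SSN or MRN) together with any other identifier
    medium: a direct identifier alone, or two or more indirect identifiers
    low:    a single indirect identifier, e.g. a lone date
    """
    kinds = set(hits)
    if kinds & DIRECT and len(kinds) > 1:
        return "high"
    if kinds & DIRECT or len(kinds) > 1:
        return "medium"
    return "low"


def inventory(files):
    """Return [(path, tier, hits)] sorted highest-risk first, then by path."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(path, classify(hits), hits) for path, hits in scan_files(files).items()]
    rows.sort(key=lambda row: (order[row[1]], row[0]))
    return rows


if __name__ == "__main__":
    for path, tier, hits in inventory(SAMPLE_FILES):
        print(f"{tier:6} {path}: {hits}")
```

On the sample data both the claims export and the scratch notes file come out as "high" because each combines a direct identifier with a date of birth, while the readme produces no hits and is dropped from the inventory. The same tiering feeds the later steps on the slide: the "high" files are where to check first whether the data is encrypted and which access controls apply.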
Given what we know: a practical approach to getting ready
Create a regulatory binder that contains the OCR and HHS guidance for the audit and a what/where/how list for accessing the required documents within your organization. The binder should include:
- The audit protocol, found at http://ocrnotifications.hhs.gov/hipaa.html
- A list of contracts within your organization, to assist in document retrieval for all aspects of the audit (privacy, security and breach notification). This area is especially important given the recent updates in the Omnibus/HITECH rules.
- A recent risk assessment. The guidance indicates that an annual risk assessment is most appropriate.
- Policies and procedures related to the Privacy and Security Rules
- Notice of privacy practices
- Monitoring/audit log reports

Contact details
Richard Archer, Partner, KPMG LLP
rearcher@kpmg.com
412-232-1590
2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. NDPPS 155003. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.