Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare


Rita Bowen, MA, RHIA, CHPS, SSGB

In her role of Vice President of Privacy, HIM Policy and Education, Bowen ensures new and existing client HIM policies and procedures are at code and drives the development, implementation and maintenance of MRO's privacy and training programs. She also serves as the company's Privacy and Compliance Officer (PCO). Bowen has more than 40 years of experience in Health Information Management (HIM), holding a variety of HIM director and consulting roles. Most recently, she was Senior Vice President and Privacy Officer for HealthPort, Inc., now known as CIOX Health, and served as the Enterprise Director of HIM and Privacy Officer at Erlanger Health System. Bowen is an active member of the American Health Information Management Association (AHIMA) and has served as its President and Board Chair, as a member of the Board of Directors, and on the Council on Certification. She has been honored with AHIMA's Triumph Award in the mentor category; she is also the recipient of the Distinguished Member Award from the Tennessee Health Information Management Association (THIMA). Bowen is an established author and speaker on HIM topics and has taught HIM studies at Chattanooga State and the University of Tennessee Memphis. Bowen holds a Bachelor of Medical Science degree with a focus in medical record administration and a Master's degree in Health Information/Informatics Management Technology.

Agenda

1. Brief introduction to the OCR and HIPAA enforcement
2. Discuss the latest updates from the OCR related to Phase 2 of the HIPAA Audit Program
3. Share lessons learned from previous OCR audits and resolution agreements to help enhance your organization's overall compliance program
4. Provide best practices on how to prepare for and respond to an OCR audit or an OCR investigation

MRO Overview

[Infographic: 2nd largest ROI provider; 3,700 locations; 2002; 98% client retention; 20% growth; #1 KLAS 2013, 2014, 2015/2016]

Copyright MRO Corporation 2016

HIPAA Enforcement

Through HIPAA, the HHS/OCR is responsible for enforcing the Rules and it does so in several ways:
- Investigates complaints filed with it;
- Conducts compliance reviews of Covered Entities;
- Conducts audits of Covered Entities and Business Associates;
- Performs education and outreach to foster compliance with the HIPAA Privacy, Security, and Breach Notification Rules requirements; and
- Works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.

HIPAA Enforcement: Complaint (45 CFR 160.306(a)-(b))

A complaint can be filed with the Secretary of HHS by anyone who feels that a Covered Entity (CE) or Business Associate (BA) violated their or someone else's health information privacy rights, or committed another violation of the HIPAA Privacy, Security, or Breach Notification Rules.

Sources: 45 CFR 160.300-160.316; 164.400-414
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html
http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

HIPAA Enforcement: Pre-Omnibus Rule vs. Post-Omnibus Rule

How to determine whether an impermissible use or disclosure of PHI constitutes a Breach:
- Pre-Omnibus Rule: The impermissible use or disclosure of PHI is a Breach if such use or disclosure poses a significant risk of financial, reputational, or other harm to the individual.
- Post-Omnibus Rule: The impermissible use or disclosure of PHI is presumed to be a Breach unless the CE or BA demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised.

HIPAA Enforcement: Breach Notification

If an impermissible use or disclosure of PHI is determined to be a Breach, CEs must provide notification of the Breach to affected individuals, the Secretary of HHS (the Secretary), state entities (under applicable state law) and, in certain circumstances, the media.

Breach Timeline Requirements

Breach affects < 500 individuals:
- To the Individual: Without unreasonable delay and in no case later than 60 days following the discovery of the Breach
- To the Secretary: Must be provided no later than 60 days after the end of the calendar year in which the Breach was discovered
- To the Media: N/A

Breach affects > 500 individuals:
- To the Individual: Without unreasonable delay and in no case later than 60 days following the discovery of the Breach
- To the Secretary: Without unreasonable delay and in no case later than 60 days following the discovery of the Breach
- To the Media: Without unreasonable delay and in no case later than 60 days following the discovery of the Breach

Sources: 45 CFR 164.400-414
http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

HIPAA Wall of Shame

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Sources: 45 CFR 160.300-160.316; 164.400-414
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html
http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Resolution of Complaints / Investigations

If the evidence indicates that the CE was not in compliance, OCR will attempt to resolve the case by obtaining one or more of the following:
- Voluntary Compliance
- Corrective Action
- Resolution Agreement
- Civil Money Penalties (CMPs)

Sources: 45 CFR 160.300-160.426
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html

OCR Enforcement Results

Of over 128,937 complaints:
- 75,705 were deemed ineligible for OCR investigation
- 24,126 led to OCR investigations which resulted in corrective actions
- 12,505 resulted in OCR intervention and the provision of technical assistance, with no other action
- 10,955 investigations found no violations
- ~866 led to OCR compliance reviews
- 33 resulted in the application of corrective measures that included payment of a resolution amount in lieu of civil money penalties

Resolution Agreements / CMPs

Date         Entity                                                       Resolution Amount / CMPs
4/21/2016    New York Presbyterian Hospital                               $2,200,000
4/20/2016    Raleigh Orthopaedic Clinic, P.A.                             $750,000
3/17/2016    Feinstein Institute for Medical Research                     $3,900,000
3/16/2016    North Memorial Health Care                                   $1,550,000
2/16/2016    P.T., Pool & Land Physical Therapy, Inc.                     $25,000
2/3/2016     Lincare, Inc.                                                $239,800
12/14/2015   The University of Washington Medicine                        $750,000
11/30/2015   Triple-S Management Corporation                              $3,500,000
11/24/2015   Lahey Hospital and Medical Center                            $850,000
8/31/2015    Cancer Care Group, P.C.                                      $750,000
6/10/2015    St. Elizabeth's Medical Center                               $218,400
4/22/2015    Cornell Prescription Pharmacy                                $125,000
12/2/2014    Anchorage Community Mental Health Services                   $150,000
6/23/2014    Parkview Health System, Inc.                                 $800,000
5/7/2014     New York and Presbyterian Hospital and Columbia University   $4,800,000
4/22/2014    Concentra Health Services                                    $1,725,220
4/22/2014    QCA Health Plan, Inc.                                        $250,000
3/7/2014     Skagit County, Washington                                    $215,000

Resolution Agreements / CMPs (continued)

Date         Entity                                                                               Resolution Amount / CMPs
8/14/2013    Affinity Health Plan, Inc.                                                           $1,215,780
7/11/2013    WellPoint                                                                            $1,700,000
6/13/2013    Shasta Regional Medical Center                                                       $275,000
5/23/2013    Idaho State University                                                               $400,000
12/31/2012   Hospice of Northern Idaho                                                            $50,000
9/17/2012    Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc.   $1,500,000
6/26/2012    Alaska DHSS                                                                          $1,700,000
4/13/2012    Phoenix Cardiac Surgery                                                              $100,000
3/13/2012    BCBST                                                                                $1,500,000
7/6/2011     UCLA Health System                                                                   $865,500
2/14/2011    General Hospital Corporation and Massachusetts General Physicians Organization, Inc. $1,000,000
2/4/2011     Cignet Health of Prince George's County                                              $4,300,000
12/3/2010    Management Services Organization Washington, Inc.                                    $35,000
7/27/2010    Rite Aid Corporation                                                                 $1,000,000

Top HIPAA Privacy and Security Rule Compliance Issues Identified by OCR

1. Impermissible uses and disclosures of PHI;
2. Lack of physical and technical safeguards of PHI;
3. Use or disclosure of more than the minimum necessary PHI;
4. Lack of patient access; and
5. Lack of administrative safeguards of electronic PHI (ePHI).

Source: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Background on OCR HIPAA Audit Program

The HITECH Act requires that the OCR conduct periodic audits of CEs and BAs.

Phase 1 of the HIPAA Audit Program:
- 115 audits of Covered Entities
- Found that many of the participants lacked awareness of key Privacy and Security Rule requirements:
  - Notices of Privacy Practices
  - Patient Access
  - Risk Analyses on a regular basis
  - Secure disposal of media containing PHI

Phase 2 of the OCR HIPAA Audit Program:
- All CEs and BAs are eligible for an audit, except for CEs or BAs who are involved in an ongoing OCR complaint investigation or compliance review
- New Audit Protocols released on April 4, 2016
- NOTE: OCR has a 10-day turnaround time for all requested information!!!

Phase 2 of the OCR HIPAA Audit Program

- Launched on March 21, 2016
- Contact verification emails sent out around March 21, 2016
- Audit Pre-Screening Questionnaires emailed on or about April 4, 2016
  - Will be used to choose a diverse sampling of CEs and BAs that vary in size, type, corporate status, geography, and affiliations
- Plan is to conduct 200 audits of both CEs and BAs
- Phase 2 has 3 stages:
  1. Desk audits of CEs
  2. Desk audits of BAs (will most likely be technology-related BAs)
  3. On-site audits of both CEs and BAs

Key Changes to Audit Program

- Main focus shifts from on-site to desk audits, BUT:
  - 10-25 on-site full compliance audits are projected following desk audits
  - Complaints will still trigger full investigations, in addition to entities where serious compliance issues are uncovered by desk audits
  - FCi Federal Inc. contracted for data security audits
- Audits previously outsourced are now internal, except security
- State privacy laws & rules will not be considered

Key Changes to Audit Program

- Program was delayed for creation of the reporting portal & updating of the audit protocols to include Omnibus changes
- Budget increased by $4 million in 2016

Phase 2 of the OCR HIPAA Audit Program: First Stage

First Stage will be conducted in May 2016. Chosen CEs will need to provide information about each of their BAs:
- names,
- type of services provided,
- contact information for a first point of contact,
- contact information for a second point of contact, and
- website

Phase 2 of the OCR HIPAA Audit Program: First Stage

First Stage will be conducted in May 2016. Chosen CEs could be audited on:
- Privacy Rule Compliance
  - Notice of Privacy Practices
  - Patient's Right to Access
- Security Rule Compliance
  - Security Risk Analysis/Assessment
  - Risk Management Plan
- Breach Notification Rule Compliance
  - Breach Notification Policy
  - Breach Notifications to Patients
  - Instances where the Breach Risk Assessment concluded no breach
  - Timeline from discovery to notification

Phase 2 of the OCR HIPAA Audit Program: Second Stage

Second Stage will be conducted in June 2016. Chosen BAs could be audited on:
- Security Risk Analysis/Assessment
- Risk Management Plan
- Breach Notification to CEs (including all of the above regarding Breach Notification)

Phase 2 of the OCR HIPAA Audit Program: Stage 3

- Stage 3 will be conducted by the end of 2016
- CEs and BAs will be chosen to participate in on-site audits via email notification
- On-site audits will be comprehensive and will likely include a 3-5 day on-site visit by the OCR
- Will use the newly released audit protocols: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
- Auditors prepare draft findings within 10 days; the CE and BA can return comments
- Auditors prepare the final report within 30 days

Updated Audit Protocols

http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html

Lengthy but straightforward:
- 89 Privacy Rule Audit Sections, with many subsections
- 72 Security Rule Audit Sections, with many subsections
- 19 Breach Rule Audit Sections, with many subsections

Audit Timelines

- Audited Entities have 10 business days to respond via the portal
- Documentation must be digital and current to the date of the request (little to no weight is given to documents dated after the date on the request)
- Auditors cannot contact the entity to ask for clarification
- Items submitted after the deadline may not be reviewed
- Auditors prepare draft findings within 10 days; the CE can return comments

Audit Timelines

- Auditors prepare the final report within 30 days
- Failure to respond may lead to referral for a full compliance review
- OCR will analyze & aggregate data to develop tools & guidance to assist with compliance self-evaluation & breach prevention
- The list of audited entities and findings won't be posted, but OCR must comply with Freedom of Information Act requests

Preparation

- Review the 2016 guidance/FAQs and all P&Ps regarding patient access, in addition to your BA P&Ps regarding access
- Make sure the AOD database is up-to-date and can extract data regarding patient & patient-directed requests (charges & fulfillment time)
- Review everything breach-related: breach P&Ps, breach risk assessment/analysis, breach notifications to patients, and the workforce sanctions policy

Preparation

- Make sure Security Risk Assessment and Risk Management plans are up to date
- Risk analysis must not only identify the gaps, but also:
  - Identify the location of all PHI;
  - What the threats to that PHI are;
  - How the PHI is vulnerable to impermissible use and disclosure;
  - What those risk levels are;
  - Include corrective actions for gaps identified; and
  - Is periodically updated.

Preparation

- Have a list of all BAs with contact info
- Audit BAs: start with questionnaires
- Prepare your workforce

Workforce Training/Resources

- Initial comprehensive, then annual training
- Systematic workflow
- Documentation
- Ongoing privacy & security tips
- Employee Newsletters
- Technology Applications
- OCR YouTube videos: https://www.youtube.com/user/usgovhhsocr
- Competency Testing
- Retraining as required

If you are contacted by the OCR

Assemble your Response Team (or create one):
- Privacy and Security Officers
- Legal
- Risk Management
- Health Information Management
- Compliance
- Information Technology

If you are contacted by the OCR

- Ask for any paperwork that the OCR might have:
  - Search warrants or inspection orders (if applicable)
  - Copies of complaints
  - List of what documents they are looking for
- Remember that everything submitted to the OCR pursuant to an investigation or audit is FOIA-able

Resources/Helpful Tools

Administrative Safeguards
- HHS - Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework: http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/
- HHS Guidance on Risk Analysis: http://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html
- ONC's Security Risk Assessment Tools: https://www.healthit.gov/providers-professionals/security-risk-assessment (an updated tool is due out any day now!)
- HHS Security Rule Guidance Material: http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

Resources/Helpful Tools

Minimum Necessary Rule
- HHS Guidance on the Minimum Necessary Requirement: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html

Technical and Administrative Safeguards
- HHS Guidance on Technical Safeguards: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
- HHS Guidance on Physical Safeguards: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

Thank You

Copyright 2013 American Institute of CPAs. All rights reserved.