The OCR Audits Season is About to Begin
June 10, 2014
Get Your Ducks in a Row
ID Experts www2.idexpertscorp.com
Presenters
• Rebecca Williams, RN, JD, Co-Chair, Health Information Practice, Davis Wright Tremaine
• Mahmood Sher-Jan, CHPC, VP and GM, RADAR Product Unit, ID Experts
Agenda
• OCR Phase 2 Audit scope, process and timeline
• Changes you can expect in Phase 2 audits and how they could impact you
• How to prepare for them based on a risk-based approach
• Breach notification rule
– Stages of the rule’s evolution
– Regulatory obligations for CEs & BAs
– Audit readiness
• Questions
Audit Program Mandate
• Relatively new enforcement approach under HIPAA
• HITECH Act, part of the American Recovery and Reinvestment Act of 2009
– Requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy, Breach Notification and Security Rules
– Section 13411 – Audits
Multi-year Phase 1 − How Did We Get Here?
Description                                    Vendor               Status/Timeframe
Audit program development study                Booz Allen Hamilton  Closed 2010
Covered entity identification and cataloguing  Booz Allen Hamilton  Closed 2011
Develop audit protocol and conduct audits      KPMG                 Closed 2011-2012
Evaluation of audit program                    PwC                  Closed 2013
Phase 1: Pilot 2011 – 2012
• Phase 1 of the HIPAA Audits
• Conducted 115 performance audits through 12/2012
• Two parts:
– Initial 20 audits to test original audit protocol
– Final 95 audits using modified audit protocol
• Covered broad range of topics regarding adherence with HIPAA standards
Overall Findings & Observations
• No findings or observations for 11% of the entities: 2 providers, 9 health plans, 2 clearinghouses
• Security accounted for 60% of findings and observations, although only 28% of the potential total
• Providers had a greater proportion of findings and observations (65%) than reflected by their proportion of the total set (53%)
• Smaller, Level 4 entities struggle with all three areas
Privacy Findings & Observations
Chart: Percentage of Findings and Observations by Area of Focus
Areas: Notice of Privacy Practices for PHI; Right to Request Privacy Protection for PHI; Access of Individuals to PHI; Administrative Requirements; Uses and Disclosures of PHI
Shares shown on the chart: 20%, 2%, 16%, 18%, 44%
Security Results
• 58 of 59 providers had at least one Security finding or observation
• 2/3 of entities had no complete, accurate risk analysis: 47 of 59 providers, 20 of 35 plans, 2 of 7 clearinghouses
• Addressable implementation specifications: most entities without a finding or observation met the standard by fully implementing the addressable specification
Security Elements
Chart: Percentage of Audit Findings and Observations by Area of Focus
Areas: Risk Analysis; Access Management; Security Incident Procedures; Contingency Planning and Backups; Workstation Security; Media Movement and Destruction; Encryption; Audit Controls and Monitoring
Shares shown on the chart: 12%, 14%, 7%, 18%, 4%, 14%, 8%, 14%, 9%
Breach Notification Findings
• Notification to individuals
• Timeliness of notice
• Method of notification to individuals
• Burden of proof
Overall Cause Analysis
• For every finding and observation cited, the audit identified a “Cause.”
• Most common across all entities: entity unaware of the requirement
– In 30% (289 of 980 findings and observations)
  • 39% (115 of 293) of Privacy
  • 27% (163 of 593) of Security
  • 12% (11) of Breach Notification
– Most related to explicit requirements
• Other causes noted included:
– Lack of application of sufficient resources
– Incomplete implementation
– Complete disregard
Cause Analysis – Top Elements: Unaware of the Requirement
Privacy
• Notice of Privacy Practices
• Access of Individuals
• Minimum Necessary
• Authorizations
Security
• Risk Analysis
• Media Movement and Disposal
• Audit Controls and Monitoring
Phase 2: Who Can Be Audited?
• Any Covered Entity
– Health plans of all types
– Health care clearinghouses
– Individual and organizational providers
• Any Business Associate
– Selection through covered entities
Phase 2 Covered Entity Pool
• Have a pool of covered entities eligible for audit
– Health care providers selected through NPI database
– Clearinghouses & Health Plans from external databases (e.g., AHIP)
• Random selection used when possible within types
• Wide range (e.g., group health plans, physicians and group practices, dental, hospitals, laboratories)
Pre-audit – Timing of Audit
Spring
• Address verification
Summer
• “Pre-survey” for on-line screening
– Questions address size measures, location, services, best contacts
– Expect to contact 550-800 entities
Fall
• Notification and data request letters to selected entities – anticipate 350 covered entities
• Two weeks for entity response
Audit 2015: Business Associates
• Covered entities will be asked to identify their business associates and provide their current contact information
• Will select business associate audit subjects for the 2015 first wave from among those identified by covered entities
Phase 2 Audit Distribution Projections
Entity Type         Privacy  Breach  Security
Covered Entities    100      100     150
• Health Plans      33       31      45
• Providers         67       65      100
• Clearinghouses    -        4       5
Phase 2 Protocol Criteria
• Updated protocols
– Reflect Omnibus Rule changes
– More specific test procedures
• Sampling methodology
• Target provisions that were the source of a high number of compliance failures in the pilot audits
• Updated protocol to be available on web site
Phase 2 Audit Focus
2014 – Covered Entities
• Security—Risk analysis and risk management
• Breach—Content and timeliness of notifications
• Privacy—Notice and access
2015 – Round 1: Business Associates
• Security—Risk analysis and risk management
• Breach—Breach reporting to covered entity
2015 – Round 2: Covered Entities (Projected)
• Security—Device and media controls, transmission security
• Privacy—Safeguards, training to policies and procedures
2016 (Projected)
• Security—Encryption and decryption, facility access control (physical); other areas of high risk as identified by 2014 audits, breach reports, and complaints
Audit Phase 2 Approach
• Primarily OCR internally staffed
• Desk audits of selected provisions
• Comprehensive on-site audits, as resources allow
• Data request will specify content and file organization, file names, and any other document submission requirements
Desk Audit Expectations
• Only requested data submitted on time will be assessed
• All documentation must be current as of the date of the request
• Likely will not consider documentation developed after data request
• Likely will not ask for clarification
• Don’t submit extraneous information
• Respond! Otherwise may result in compliance review
How to Help Yourself
• Review Audit Protocols (Phase I and Phase II)
– Likened to an “open book test”
• Perform own assessment/audit
– Internal or external
– Use audit protocol
– Identify other toolkits
– Consider use of attorney-directed investigation
• Begin corrective action for gaps
• On-going monitoring
How to Help Yourself
• Document, Document, Document
• Verify policies and procedures are updated
• Critical that the documents accurately reflect the program
• Have supplemental documentation ready
– Limited time period to provide documents
– To prove compliance
– Make it relatively self-explanatory (e.g., clearly labeled)
– Focus on targeted areas, but that could be extended
How to Help Yourself
• Maintain a current list of business associates and their contact information
• Covered entities: remind your business associates audits are coming
• Concern that not all Business Associates know:
– They are business associates
– What they need to do
• Goal: Develop and maintain a culture of compliance
How to Help Yourself – Privacy
• Access
• Policies and procedures
– Update to reflect Omnibus Rule
• Additional documentation
• How to prove
– Access was provided?
– Timely compliance?
How to Help Yourself – Privacy
• Notice of Privacy Practices
– Update to reflect Omnibus Rule
– Verify NPP reflects actual practices
• Post NPP
– Remember website
• Policies and procedures
• Additional documentation
• How to prove
– NPPs were provided
– Acknowledgements were obtained
How to Help Yourself − Security Rule Risk Analysis
Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
45 C.F.R. § 164.308(a)(1)(ii)(A)
How to Help Yourself − Security Rule Risk Management
Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
• ensure the confidentiality, integrity, and availability of electronic protected health information
• protect against reasonably anticipated threats or hazards
• protect against reasonably anticipated impermissible uses and disclosures, and
• ensure workforce compliance.
45 C.F.R. § 164.308(a)(1)(ii)(A)
How to Help Yourself − Risk Analysis/Risk Management
• Identify locations of PHI
• Identify reasonable vulnerabilities and anticipated threats (e.g., human, natural, and environmental)
• Assign risk levels (e.g., low, medium, high) based on likelihood and impact
• Make sure it is a HIPAA risk analysis
– Not a list of controls
– Not an “evaluation” or “gap analysis”
• Verify appropriate policies, procedures, and safeguards are in place
• Revisit regularly and when changes occur
• See OCR Guidance on Risk Analysis and HHS Risk Assessment tool
Agenda
• OCR Phase 2 Audit scope, process and timeline
• Changes you can expect in Phase 2 audits and how they could impact you
• How to prepare for them based on a risk-based approach
• Breach notification rule
– Stages of the rule’s evolution
– Regulatory obligations for CEs & BAs
– Audit readiness
• Questions
4 Stages of Flirting with “Breach Notification”
• Acceptance – 2013: Final Breach Notification Rule
• Bargaining – Harm Test Advocates vs. Opponents
• Denial – The Interim Final Rule Era: Risk of Harm Revisited
• Anger – 2009: “Risk of Harm” Backlash & Fury
Breach Compliance Obligations – Covered Entities & Business Associates
Obligations                                   Covered Entity                   Business Associate
Incident Management Policies & Procedures     Yes & Business Associate(s)      Yes & Downstream sub-contractor(s)
Incident Risk Assessment & Outcome Retention  Yes                              Yes
Breach Notification                           Individuals; Regulator(s); CRAs  Covered Entity
Accounting of Disclosures                     Yes (including PHI incidents)    Yes (including PHI incidents)
HIPAA Investigations                          HHS/OCR                          HHS/OCR
Foundation of Breach Rule Compliance
Risk Factors & Mitigation Factors → Low Probability of Compromise (LoProCo?)
If wrong: Low Probability of Compliance!
Your Incident Risk Assessment Consistency & Outcome
Incident Risk Assessment Challenges
Chart from the 4th Annual Benchmark Study on Patient Privacy & Data Security (horizontal axis 0%–80%): Lack of consistency; Inability to scale; Difficult to use
Addressing Risk Assessment Challenges by Using the Right Tools
Requires more than issue tracking & ad-hoc risk assessment
Chart axes: Solution Scope & Automation; Ease of Use & Affordability
Multi-Factor & Multi-Jurisdictions Risk Scoring
Factors (each assessed for Relevance, Risk Score and Weight): Disclosed Data Type & Scope; Recipient & Intent; Risk Mitigation; Access / Viewing / Re-disclosing
Outcomes: Breach; Not Breach; Voluntary
Jurisdictions:
• 47 States & DC
• +3 Territories
• Most have “harm” test
• Different notification timelines, obligations, thresholds
Breach Notification Rule: Audit Preparedness
• Multi-Factor Risk Assessment
• Multi-Jurisdiction Risk Assessment
• Always Up to Date
• Easy to Use
• Purpose-Built Work-flow
• Collaboration Platform
• Reports & Audit Logs
• Central Repository
Moving Beyond Compliance & Audits: Know the rules → Follow the rules → Prove it!
Where to learn more
• www2.idexpertscorp.com/resources
• www2.idexpertscorp.com/radar
• www2.idexpertscorp.com/ponemon
Questions & Answers
If you are having a breach now, call 866-726-4271
Becky Williams, RN, JD, Co-Chair, Health Information Practice, Davis Wright Tremaine LLP, 206.757.8171, beckywilliams@dwt.com
Mahmood Sher-Jan, CHPC, VP and GM, RADAR Product Unit, ID Experts, 800-298-7558, mahmood.sher-jan@idexpertscorp.com
ID Experts Webinar Series
ID Experts provides software and services for managing the disclosure and breaches of regulated data. Leading organizations in healthcare, insurance, financial services, universities, higher education, and government rely on ID Experts’ patented RADAR™ data incident management software and data breach response services for managing risks. Exclusively endorsed by the American Hospital Association. ID Experts is an advocate for privacy and a leading contributor to legislation and industry organizations that focus on the protection of PHI and PII. On the web: http://www2.idexpertscorp.com/.
For more information visit:
• www2.idexpertscorp.com
• Complete Data Breach Care
• Cyber Liability Insurance
• RADAR