HIPAA Self-Audit: Locating Threats, Correcting Vulnerabilities, and Protecting Patient Information

Transcription

1 HIPAA Self-Audit: Lcating Threats, Crrecting Vulnerabilities, and Prtecting Patient Infrmatin Margret Amatayakul, MBA, RHIA, CHPS, CPEHR, CPHIE, CPHIT, FHIMSS

2 Speaker Inf Margret Amatayakul, MBA, RHIA, CHPS, CPEHR, CPHIE, CPHIT, FHIMSS Margret Amatayakul is a health infrmatin management prfessinal with ver 25 years f experience in the healthcare industry, including prviding medical recrd department services, health infrmatics educatin, assciatin management and advcacy, and infrmatin systems cnsulting. During her extensive career, Margret has been actively engaged in many f the majr health infrmatics standards develpment rganizatins, has led industry rganizatins and cnsrtia in cntributing t the gvernment regulatry prcess relative t HIPAA, and has extensive experience in implementing and mnitring regulatry, accrediting, and industry practice cmpliance. Margret funded and served as the Executive Directr f the Cmputer-based Patient Recrd Institute frm 1992 thrugh She has als held the psitin f Assciate Executive Directr f the AHIMA, was an Assciate Prfessr f Health Infrmatin Management at the University f Illinis, and was the Directr f Medical Recrd Services at the Illinis Eye and Ear Infirmary. She is a clinical assciate prfessr at the University f Illinis, is a visiting prfessr at Kuwait University, and adjunct faculty at the Cllege f St. Schlastica. Widely quted and sught after as a speaker n cmputer-based patient recrd (CPR) systems, Margret has published extensively, serves n several editrial review bards, and is the recipient f the Prfessinal Achievement Award frm the American Health Infrmatin Management Assciatin, the Prfessinal Achievement, Literary, and Distinguished Service awards frm the Illinis Health Infrmatin Management Assciatin, the Infrmatin Systems Award frm the Healthcare Infrmatin and Management Systems Sciety, and the Excalibur Award fr Teaching Excellence frm the Student Cuncil f the University f Illinis at Chicag.

3 **Certificates f attendance and CEUs, when available, must be requested thrugh the nline evaluatin.** Evaluatin fr Live Event: We d like t hear what yu thught abut the audi cnference. Please take a mment t fill in the survey lcated here: Requests fr cntinuing educatin credits and certificates f attendance must be submitted within 10 days f the live event. Evaluatin fr CD Recrding: Please use the fllwing link t submit yur evaluatin f the recrded event: Please nte: All links are case sensitive

4 HIPAA Self-Audit: Lcating Threats, Crrecting Vulnerabilities, and Prtecting Patient Infrmatin Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, CPORA, FHIMSS President, Margret\A Cnsulting, LLC An independent cnsulting firm fcusing n preparing fr and ptimizing EHR and health IT prvisins f HIPAA, HITECH, and ACA. 1 Agenda Implementing an internal HIPAA auditing prgram Prcesses t cnduct a risk analysis t identify gaps, update dcuments, and retrain staff n latest plicies and prcedures Establishing a baseline fr prgress mnitring What t include in a priritized remediatin plan Best practices fr dcumenting cmpliance plicies and prcedures Why rganizatins shuld g beynd OCR s nline audit prtcl when cnducting an internal HIPAA audit Reduce risk; be ready 2 1

5 What is internal cmpliance auditing? Onging prcess fr cmpliance assurance Assists in identifying weaknesses t enable establishment f internal cntrls Helps demnstrate cmmitment t respnsible crprate cnduct Prvides accurate view f behavir relative t specific cmpliance requirements Creates a centralized surce fr managing cmpliance Mst hspitals and large clinics have an internal cmpliance prgram t mnitr fr cding/billing fraud and abuse but few have such a prgram fr privacy, security, and breach ntificatin 3 What cmprises an internal cmpliance auditing prgram? Central surce fr distributing infrmatin abut cmpliance Prcess t determine baseline cmpliance Methdlgy that encurages wrkfrce members t reprt ptential prblems Prcedures that allw fr prmpt and thrugh investigatin f a prblem Initiatin f immediate and apprpriate crrective actin Minimizes lss thrugh early detectin and reprting Reduces expsure t (external audits) and penalties 4 2

6 Where des it say t audit fr cmpliance? Cmpliance means nging cnfrmance t laws and regulatins Specifically, HIPAA requires: Uses and disclsures t be cnsistent with ntice f privacy practices [Privacy Rule at 45 CFR (i)] Security measures t be reviewed and mdified as needed t cntinue prvisin f reasnable and apprpriate prtectin [Security standards: General rules at 45 CFR (e)] Peridic technical and nntechnical evaluatin in respnse t envirnmental changes affecting security f ephi that establishes the extent t which an entity s security plicies and prcedures meet the requirements [Security Rule: Evaluatin at 45 CFR (a)(8)] EHR Meaningful Use Incentive Prgram [42 CFR 495.6] measures require: Cnduct r review a security risk analysis in accrdance with requirements under 45 CFR (a)(1) OCR encurages cnsistent attentin t cmpliance activities (Linda Sanches, OCR Senir Advisr) 5 Business case fr internal auditing fr HIPAA privacy, security, and breach OCR (HIPAA) and CMS (EHR Meaningful Use) audits reveal serius weaknesses (see next slide) Ever-increasing number f privacy cmplaints t OCR Increasing number and amunt f settlements fr privacy and security issues; expected increase in number f criminal cases Majr HIPAA breaches have reached 1,000 milestne, with 1 in every 10 peple in U.S. impacted Cst f a breach estimated at $188 per recrd. Average # f recrds in a breach = 23,647; r $4.4M per breach Identity theft may be mst frequent, cstly, and pervasive crime in U.S., with increasing sphisticatin 43% f identity thefts have a medical cmpnent, including ptential fr treatment and payment errrs 6 3

7 OCR Audit Results 7 Level setting n terminlgy Actin: The perfrmance f a prcess that is regulated Cmplaint: Statement that a situatin is unsatisfactry r unacceptable Event: An actin that may cntribute t nncmpliance Incident: An event that is nncmpliant, r series f events that puts the rganizatin at high risk fr nncmpliance (HIPAA) breach: Acquisitin, access, use, r disclsure f PHI in a manner nt permitted by the Privacy Rule that cmprmises the security and privacy f the PHI HIPAA safe harbr: Guidelines specifying that encryptin r destructin render PHI unusable, unreadable, r indecipherable fr purpses f breach ntificatin (General) data breach: An incident in which sensitive, prtected, r cnfidential data have ptentially been viewed, stlen, r used by an individual unauthrized t d s 8 4

8 Implementing internal auditing IPO, ISO, cmpliance fficer(s), risk manager, legal cunsel, develp crdinated prgram Determine fcus f auditing; use surces such as: Establish baseline fr prgress mnitring Frequent privacy cmplaints Knwn security threats Mst cmmn causes f breaches Findings frm federal audits Randm spt checks fr new vulnerabilities Creates culture f: Transparency Hld harmless Data stewardship Cmmitment t risk mitigatin 9 Internal cmpliance audit cycle 10 5

9 Cmpliance assurance plan template 11 Example cmpliance assurance plan: Persnal representatives & invlvement in care 12 6

10 13 Cnducting a (privacy & security) risk analysis: A special case f internal auditing C I A 14 7

11 Breach ntificatin preparatin Create and regularly drill a SWAT team t address a breach Train members f wrkfrce and ensure business assciates knw hw t identify and reprt a ptential breach in a timely manner Have prepared decisin tree t assess whether ptential breach meets: HIPAA definitin and/r State data breach definitin (Nte: nt all state breaches are HIPAA breaches) Have prepared a checklist f tasks, including: Ntificatin t executive management; legal cunsel; bard f directrs Dcumentatin f all steps taken, by whm, and when Preservatin f evidence Management f business assciate relatinships as applicable Have prepared public ntificatin prcess and materials, including public annuncement script Cnduct required ntificatin, reprting, and mitigatin Assess and take actin n lessns learned 15 External audit preparedness Ten-fld increase in audits anticipated. Still n wrd n whether these will be desktp r nsite; whether they will be risk-based r cmprehensive standards based. D nt assume same prtcl Have ready all dcumentatin nt nly P&P but dcumentary evidence, ideally with index arranged in rder f regulatry standards It s nt abut passing the audit, it s abut reducing risk 16 8

12 External audit preparedness (cnt.) Decide hw sensitive dcumentatin will be identified and supplied Cnsider legal cunsel review f dcumentatin prir t submissin Prvide cpy with any patient r health prfessinal identificatin masked but which cntains name f rganizatin n every page and running page numbers 17 Dcumentatin Lack f, r pr, dcumentatin is ne f majr findings in (HIPAA and Meaningful Use) audits and findings in OCR settlement cases 45 CFR (j) [Privacy Rule] Dcumentatin Maintain Plicies and prcedures Cmmunicatins required t be in writing Recrds f actins, activities, r designatins required t be writing Dcumentatin sufficient t meet burden f prf Retain Fr 6 years frm date f creatin r date when last in effect, whichever is later 45 CFR [Security Rule] (a) Plicies and prcedures, taking int cnsideratin flexibility f apprach (b)(1) Dcumentatin f (b)(2) Plicies and prcedures Recrd f actin, activity, r assessment as required Time limit: Retain fr 6 years Availability: Make available t persns respnsible fr implementing prcedures t which dcumentatin pertains Updates: Review dcumentatin peridically and update as needed in respnse t envirnmental r peratinal changes affecting the security f ephi 18 9

13 Plicies and Prcedures 19 Many surces f plicies and prcedures Many plicies exist already Management Human resurces Public relatins Prcurement Institutinal review bard Medical staff bylaws, rules, and regulatins Others Ensure HIPAA is explicitly identified, r catalgue generic plicies and prcedures (e.g., sanctin plicy) under a HIPAA umbrella Ensure HIPAA prcedures are nt cpies f the regulatin, but specific stepby-step descriptins written in plain language that guide wrk Recgnize the sensitivity f certain prcedures and dcumentatin; handle apprpriately (e.g., penetratin test prcedure including identificatin f all IP addresses) 20 10

14 Dcumenting (privacy and security) risk analysis and remediatin pririties/plan Extend spreadsheet fr prject plan 21 Dcumentatin pitfalls Maintaining actin lgs in help desk ticketing system r IT staff member s is generally nt cnducive t: Prducing dcumentary evidence fr an audit Cnducting pattern analysis t identify issues Retentin assurance Accessibility t authrized individuals Buying plicies and prcedures and nt changing them t fit yur envirnment All plicies and prcedures carrying the same effective date, and with n versin histry Lgs maintained withut case files Dcumentatin withut analysis (e.g., recrds f breaches withut risk assessment dcumented) Risk analysis withut remediatin plan/evidence f cmpletin Integrating federal and state breach files; all frms f cmpliance (e.g., cding cmpliance with privacy cmpliance) 22 11

15 Training Mst prviders include HIPAA privacy and security training during rientatin; thereafter in an annual cmpliance training requirement Ensure cntent is updated annually Ensure cntent reflects current trends in industry; issues in envirnment Annual training is nt enugh. Privacy, security, and breach awareness need t be part f rganizatinal culture Managerial staff need t walk the talk and be held accuntable Use teachable mments Discuss ntewrthy cmplaints/incidents in newsletters, meetings, etc. Patients als need training; waiting rm CCTV, newsletters; website infrmatin; nn-negative clinician reinfrcement Dn t put fear int HIPAA Many rganizatins have paralyzed staff int inactin that ptentially is harmful t the rganizatin and the clinical care delivered t its patients Find ways t prtect privacy and address the CIA f security in psitive ways; ensure transparency and stewardship 23 Q & A 24 12