Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar

Transcription

1 Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar

2 Mahmood Sher-Jan VP of Product Management Chris Apgar CEO & President 2

3 Overview OCR Audit Program Overview What to Expect if OCR s Auditors Show Up Potential Penalties and Other OCR Actions How to Prepare for an Audit Incident Response Planning Resources Questions & Answers 3

4 OCR Audit Program Overview HITECH Act mandated the Office for Civil Rights (OCR) conduct HIPAA compliance audits OCR announced in 2010 that small to large covered entities (CE) (and soon business associates) would be audited no CE is exempt Audit program meant to augment, not replace, current investigation and enforcement activity 4

5 OCR Audit Program Overview OCR contracted with KPMG to conduct audits and contracted with Booz Allen Hamilton to create a database of all covered entities The database is being used to stratify CEs and assist in identifying which CEs will be audited Pilot audits of 20 CEs started November 1 st 5

6 OCR Audit Program Overview OCR announced the number of contacts OCR had with a CE would factor into the decision of who to audit KPMG is currently training new and existing staff in preparation to launch the formal audit program Small to large CEs were included in the initial 20 entities targeted during the pilot phase 6

7 OCR Audit Program Overview Pilot audits will assist OCR in assessing the effectiveness of the audit program and make needed adjustments before kicking off the formal audit program Expect formal audits to begin May 2012 KPMG is contracted to conduct 150 audits (in addition to pilot audits) by December 31,

8 What to Expect if OCR s Auditors Show Up KPMG will notify CEs immediately preceding a scheduled audit which includes sending a list of required documentation to CEs CEs must forward all documentation requested within 10 business days from notification CEs will be notified 30 to 90 days prior to an on-site audit likely to last several weeks 8

9 What to Expect if OCR s Auditors Show Up Following the on-site audit, CEs will receive a preliminary audit report CEs have 10 business days to provide additional documentation and comments regarding audit findings Within 30 days following the CE comment period, the auditor will forward a final audit report to OCR 9

10 What to Expect if OCR s Auditors Show Up If the audit report findings indicate any serious compliance issue, OCR may initiate a compliance review OCR had not defined serious compliance issue A compliance review will be similar to a formal investigation usually resulting from complaints filed with OCR or large breaches of PHI 10

11 Potential Penalties and Other OCR Actions If OCR elects to conduct a compliance review, it could result in: Technical assistance provided by OCR Loss of eligibility to receive meaningful use dollars Corrective action plan the CE must comply with (may include required third party compliance review for three to five years) Civil penalties or monetary settlements 11

12 Potential Penalties and Other OCR Actions If the review results in a finding of willful neglect, OCR will move to formal corrective action Penalties can be up to $50,000 per incident/$1.5 million per calendar year for the same type of violation Higher penalties can be assessed even for low level violations 12

13 How to Prepare for an Audit Centralized compliance documentation really matters you only have 10 business days to provide all documentation requested such as (list not inclusive): Policies and procedures Risk analysis report Disaster recovery/emergency mode operations plans Incident response investigation documentation 13

14 How to Prepare for an Audit Develop a compliance plan OCR top of the list compliance focus includes: Policies & procedures Workforce training (new and on-going) Audit program (periodic & annual) Incident response (including breach response) Risk analysis completion & risk mitigation 14

15 How to Prepare for an Audit High compliance risks also include lack of: On-going risk management Current disaster recovery and emergency mode operations plan Encryption of any transmitted or transported electronic PHI Access control 15

16 How to Prepare for an Audit High compliance risks also include lack of (continued): Compliant data backup and recovery Remote access management Documented plan to address OCR or state investigations and audits Release of PHI for TPO and other activities not requiring patient authorization 16

17 How to Prepare for an Audit Prioritize high to low risk compliance gaps Assign resources to eliminate privacy and security compliance gaps Track and document compliance project status Document mitigation activity Store all centrally 17

18 How to Prepare for an Audit Most CEs are not compliant with several high risk compliance requirements This amounts to more than adopting required policies and procedures compliance is an on-going process Need to demonstrate continued compliance activities (not a one time event) 18

19 How to Prepare for an Audit Key to surviving an audit unscathed current and accurate documentation that is easily accessible CEs bear the burden of demonstrating compliance The time is now to address compliance gaps Periodically review OCR website for new and changing information 19

20 Incident Response We Can All Identify with Sarah 20

21 Incident Response Incident Response Lifecycle 21

22 Incident Response HITECH Act Burden of Proof Demonstrate (document) that all notifications were made as required; Or demonstrate that the PHI disclosure did not constitute a significant risk of harm to the individual(s) ; 22 Or establish that the PHI was encrypted; met LDS definition; or at least one of the exceptions were met

23 Incident Response Incident vs. Breach All breaches start as incidents, but not all incidents end up as breaches "Incident" = attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI/PII "Breach" = acquisition, access, use, or disclosure of PHI/PII that poses a significant risk of financial, reputational, or other harm 23

24 Incident Response Steered by Regulatory Complexity HITECH Act Notification IFR Harm-Threshold; Notification Thresholds; Exceptions 46 states and one territory privacy laws PII/PHI; Harm-Test; Notification Thresholds More rule changes expected (federal & states) 24

25 Incident Response A Chain Reaction Begins PHI / PII Laws Risk Analysis Respons e COMPLIANCE 25

26 Incident Response HITECH Act Regulatory Checklist Obligations Description Readiness 45 C.F.R Breach Definition 45 C.F.R Individual Notification 45 C.F.R Media Notification 45 C.F.R Secretary Notification 45 C.F.R Administrative Burden of Proof 45 C.F.R Administrative Requirements 45 C.F.R (b) Complaint Investigation & Review (Office for Civil Rights-OCR) 26

27 Incident Response OCR Incident Data Request Checklist Example Data Request Primary designated contact with OCR Detailed explanation of the breach Copy of Notice of Privacy Practices (NPP) Copy of policies & procedures for safeguarding PHI Copy of policies & procedures for accounting of PHI disclosures Copy of notification of the breach as required by 45 C.F.R Copy of media notification as required by 45 C.F.R Evidence of any action taken to determine root cause of the breach Evidence of any steps to ensure it does not recur Evidence & tracking of the notification of affected individuals Status 27

28 Incident Response Response Team s Scope of Activities 28 Investigation & Root Cause Analysis Problem containment and evidence preservation Incident Risk Assessment HITECH & state law requirements Documented process & decision Notification & Reporting Legal notification; Call center; Fraud Protection OCR & state agencies reporting Post Incident Audit or Investigation Evidence of compliance Evidence of corrective action & risk mitigation

29 Incident Response Summary of Things You Must Do Build an Incident Response Plan (IRP) & a Team (core & extended) Develop a process for incident risk assessment, documentation & reporting Get Clear on What You Will Do & What You Will Outsource 29

30 Resources OCR audit website: Apgar & Associates, LLC: ID Experts: ID Experts RADAR: 30

31 Questions & Answers Mahmood Sher-Jan ID Experts VP of Product Management Chris Apgar Apgar & Associates, LLC CEO & President