Key HITECH & Omnibus Rule Challenges Enforcement: Thinking Like OCR Audits, Audits & More Audits Hot Issues for 2015 Wrap Up

Transcription

1 David Holtzman, JD CIPP/G Vice President for Compliance CynergisTek, Inc. 1 Vice President, Compliance, CynergisTek, Inc. Subject matter expert in policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights David Holtzman CynergisTek, Inc. 2 Discussion Items Key HITECH & Omnibus Rule Challenges Enforcement: Thinking Like OCR Audits, Audits & More Audits Hot Issues for 2015 Wrap Up 3 1

2 Business Associates Breach Access & Restrict Disclosures 4 Expands definition of business associate (BA) to any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity (CE) Also identifies subcontractors, patient safety organizations, health information organizations, e- prescribing gateways and vendors of personal health records Omnibus makes BAs directly liable for the Security Rule, Breach Notification and with use and disclosure provisions of the contract and the Privacy Rule 5 Provides transmission services of PHI in any form Including temporary storage of PHI incidental to transmission service Examples: postal service, couriers and telephone companies Service provider that provides storage of PHI is a BA even if agreement with the CE or BA does not contemplate Any access to PHI Access only on a random or incidental basis Persistence of custody; not the degree of access 6 2

3 Each entity directly responsible for requirements of the Security Rule & certain provisions of Privacy Rule Liability even if the parties fail to enter into a written BA agreement In the event of a breach of unsecured PHI chain of reporting would follow the chain of contracting in reverse Shredding Company Billing Company Hospital 7 Define Terminate Select Monitor Contract Requirements Definition Solicitation/RFP Processes Contract & Agreements Performance Monitoring Termination Security Incident Management & Breach Notification Documentation 8 I am not a BA or We don t need a BAA Defining permitted BA Services and Functions An agent, or not Security assessments (show me) Breach notification timeframes Encryption required Use of de-identified data Foreign (non-u.s.) sub-agents Cyberinsurance Indemnification State law 9 3

4 An impermissible acquisition, access, use or disclosure of protected health information Presumed to be reportable Unless the entity can demonstrate that there is a low probability that protected health information has been compromised Safe harbor for encrypted PHI Exceptions for certain inadvertent and incidental uses & disclosures 10 Risk Assessment required to demonstrate low probability of compromise The nature and extent of PHI involved The unauthorized person who used the PHI or to whom the disclosure was made Whether the PHI was actually acquired or viewed The extent of mitigation present Documenting the investigation and the risk assessment Maintain records for 6 years 11 Implementing HITECH Privacy Rule rights of access and to request restrictions Expands the right to an electronic copy of PHI stored electronically in a designated record set Individual has right to direct the information be sent to another individual Information may be transmitted using unencrypted Provides for restrictions of disclosure to a health plan if individual pays in full and in cash, and is requested 12 4

5 Thinking Like OCR 13 Investigation by Regional Office HQ Central Intake Unit Review HQ HIP Team/SR SME Citizen Complaint Referral from Federal Partner Breach Report/Significant Incident 14 Business associates (including their subcontractors) are subject to civil money penalties and other enforcement actions for noncompliance with applicable provisions of HIPAA Adds higher level of culpability for Willful Neglect, the conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA Requirement that OCR first attempt informal resolution through voluntary compliance removed Allows concurrent criminal prosecution by DOJ & regulatory enforcement by OCR or state AGs 15 5

6 What OCR considers in evaluating enforcement approach: The nature and extent of any violation, including the number of individuals affected and the duration of the violation; The nature and extent of violation that results in an individual s physical, financial, or reputational harm, including any hindrance to the individual s ability to obtain healthcare; The history of prior noncompliance, including similar prior indications of noncompliance and the offending party s responses to them; The financial condition of the offending party, including difficulties that could have affected compliance or if a monetary penalty could jeopardize the future provision of healthcare; and Such other matters as justice may require. 16 Risk Analysis: The Prerequisite to Compliance NYP/Columbia U. School of Medicine NEEI QCA AP Dermatology The Rules Apply to All Skagit County HoNI The Ostrich Concentra 17 HITECH Phase 2 and Meaningful Use 18 6

7 Permanent audit program slated to begin in 2015 Pre-audit survey to pre-screen 1200 entities ~200 Covered Entities to be selected for desk audits Equal number or less BAs selected for desk audits Commitment to on-site audits Implementing technology to facilitate data collection phases of audit process Carried out by HHS personnel with contractor support 19 Data request will specify content and other electronic document submission requirements Only documentation submitted on time is reviewed All documentation must be current as of the date of the request Auditors will not be able to contact the entity for clarifications or ask for additional information Submission of extraneous information increases difficulty for auditor in finding/assessing required items Audit results may lead to compliance review by regional office Desk Audits of Covered Entities Security Risk Analysis and risk management Breach Content and timeliness of breach notifications Privacy Notice of Privacy Practices and Access 2015 Desk Audits of Business Associates Security Risk Analysis and risk management Breach Breach reporting to covered entities On-site Comprehensive Audits Covered entities Business associates 21 7

8 Security Device and media controls Transmission security Encryption of data at rest Facility access controls Privacy Administrative and physical safeguards Workforce training to HIPAA policies & procedures Other Areas High risk areas identified through: 2015 audits Breach reports submitted to OCR Consumer complaints 22 Figliozzi & Co. delivers MU audits on behalf of CMS Figliozzi & Co. sends letters to EPs & CAHs requesting: Proof of EHR certification for the technology they used to meet program requirements. Documentation to support the method (observation services or all emergency department visits) they chose to report emergency department admissions. The differentiation of the method used for reporting ED admissions is key as it determines which patients were included in the denominators of specific core measures and menu items. 23 HIPAA COW Audit Protocol & HHS Risk Assessment Tools 24 8

9 Modeled as OCR Audit Readiness Toolkit Self-assessments grouped by HIP Rule(s) Replicate audit process to evaluate compliance Inquire of management Obtain and review policies and procedures Obtain and review evidence/documentation If practice has chosen not to fully implement, then must have documentation of why 25 Audit Documentation Request List Keep current with policies, procedures and documentation Track organization s continuous progress HIPAA Security Rule Risk Assessment HHS Risk Assessment Tool for Small Providers NIST HIPAA Security Risk Assessment Tool 26 Questions? David Holtzman David.Holtzman@cynergistek.com (240) Follow