Use, Disclosure, and Access Policy & Procedure Compliance Tools: What 2016 OCR Audit Protocols Require

Transcription

1 Use, Disclosure, and Access Policy & Procedure Compliance Tools: What 2016 OCR Audit Protocols Require by Edward D. Jones III CEO, Cornichon Healthcare Select, LLC June 23, 2016 Presented In HIPAA Integrity Webinar sponsored by WEDI

2 Focus on HIPAA Integrity Compliance Tool Package Version 4.0 (1) New Modular Design 2016 OCR Audit Protocols Addition of HIPAA Privacy Rule Use, Disclosure, and Access Standards and Implementation Specifications Inclusion of Privacy Use, Disclosure, and Access Safeguards in the HIPAA Integrity Safeguard Training Curriculum June 23,

3 Focus on HIPAA Integrity Compliance Tool Package Version 4.0 (2) Existing Version 3.0 Tools in the New Format Include NIST-based Risk Analysis Template Written Policies and Procedures and Implementation Guidance for Administrative, Physical, and Technical Safeguards Policy and Procedures & Documentation Compliance Protocols Business Associate Agreement HIPAA Privacy Rule Administrative Requirements HITECH Act Breach Notification Standards and Requirements Meaningful Use Security Measure Criteria Concordance with HIPAA Security Rule Risk Analysis and Safeguard Standards June 23,

4 Version 4.0 New Modular Design to Facilitate Policy and Procedure Access and Workforce Member Training (July 2016) Components can be Downloaded Separately after Purchase. Addition of April 2016 OCR Audit Protocols for Implementation Guidance (June 2016) OCR Compliance Audits Underway HIPAA Privacy Rule Use, Disclosure, and Access Policies and Procedures and Forms to Supplement Existing HIPAA Privacy Rule Administrative Requirements (July 2016) HIPAA Integrity Safeguard Training Curriculum Enhanced with HIPAA Privacy Rule Use, Disclosure, and Access Safeguard Content (July 2016) June 23,

5 Foundation for Creating HIPAA Integrity (1) HIPAA Privacy Rule Policies and Procedure Regulation at 45 CFR (i) Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of the HIPAA Privacy and HITECH Act Breach Notification Rules. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. Training Regulation at 45 CFR (b) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by the HIPAA Privacy and HITECH Act Breach Notification Rules, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. June 23,

6 Foundation for Creating HIPAA Integrity (2) HIPAA Security Rule Policies and Procedure Regulation at 45 CFR (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule, taking into account (i) The size, complexity, and capabilities of the covered entity or business associate. (ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information. Documentation Regulation at 45 CFR (b)(2)(ii) Implementation Specification: Availability. Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. Training Regulation at 45 CFR (a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). June 23,

7 Foundation for Creating HIPAA Integrity (3) Covered Entities and Business Associates have insufficient background and knowledge to conduct a National Institute of Standards and Technology (NIST)-based risk assessment, and would rather focus on their core business activities. The HIPAA Integrity Risk Analysis Template is based on tables for which the covered entity or business associate inputs data to attain risk analysis findings. Covered Entities and Business Associates have insufficient time to prepare in excess of 130 policies and accompanying procedures, and would rather focus on their core business activities. The HIPAA Integrity generic policies and procedures require covered entities or business associates to tailor them to their specific business environments by applying findings from their risk analyses. Covered Entities and Business Associates have been unable to effectively track their current and archived policies and procedures, and would rather focus on their core business activities. The HIPAA Integrity Compliance Tool Package comprises an electronic set of files that facilitate immediate access to current and archived documentation for workforce member training and in the event of a timely request for specific documentation in the event of a compliance audit or complaint or breach investigation by the Office for Civil Rights (OCR), state Attorney General investigation, or request by cybersecurity insurance underwriters. June 23,

8 New Modular Design Components Facilitates Distribution of Components to Workforce Members for Tailoring Policies and Procedures to Risk Assessment Findings. Facilitates Access by Workforce Members for Review as Part of HIPAA Integrity Safeguard Training Curriculum. Facilitates Ready Access for Response to Compliance Audit or Complaint or Breach Investigation Request for Documentation. Facilitates Ready Access for Response to Cybersecurity Insurance Underwriters for Risk Mitigation Documentation in Support of New or Renewal Coverage. In Short, You Know Where Your Documentation is Located! June 23,

9 New Security Rule Modular Design Components Identification Key Activity Relevant Definitions Established Performance Criteria Standard Implementation Specification Description OCR Audit Inquiry Sample Policies and Procedures Embedded Designated Organization Name NIST Guidance and General Questions re Implementation References Authorization or Maintenance Forms, if applicable June 23,

10 New Security Rule Modular Design Components Examples HIPAA Security Rule Administrative Safeguards Table of Contents SR AS 6.1 : Administrative Safeguards Security Incident Procedures Standard Response and Reporting Implementation Specification SR AS 6.1F: Security Incident Report Log June 23,

11 April 2016 OCR Audit Protocols (1) On March 21, 2016, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced that its long-awaited compliance audit program was underway. In its announcement, OCR stated: The 2016 audit process begins with verification of an entity s address and contact information. An is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; these data will be used with other information to create potential audit subject pools. Additional information on the audit program, with audits beginning in early summer 2016, is available in the announcement online at: June 23,

12 April 2016 OCR Audit Protocols (2) On April 1, 2016, OCR published audit protocols that are the foundation for the audit review of policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. HIPAA Integrity has embedded the appropriate current audit protocol, named OCR Audit Inquiry, with each of its written policies and procedures as guidance on the type of inquiry and documentation that OCR may require in a compliance audit or in a complaint or breach investigation. If your organization is selected for a compliance audit, pay particular attention to OCR s general instructions that accompany the current audit protocols: June 23,

13 April 2016 OCR Audit Protocols (3) When a protocol says entity, it means both covered entities and business associates unless identified as one or the other. Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards. Entities must provide only the specified documents requested, not compendiums of all entity policies and procedures. The auditor will not search for relevant documentation that may be contained within such compilations. Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request. June 23,

14 April 2016 OCR Audit Protocols (4) Unless otherwise specified, selected entities should submit documents via OCR s secure online Web portal in PDF, MS Word, or MS Excel formats. If the requested number of documentations of implementations is not available, the entity must provide instances from equivalent previous time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect. Workforce members include entity employees, on-site contractors, students, and volunteers. Information systems include hardware, software, information, data, applications, communications, and people. June 23,

15 April 2016 OCR Audit Protocols (5) Example OCR Audit Inquiry for Risk Analysis 45 CFR 308(a)(1(ii)(A) at HIPAA Integrity SR, AS.1.1: Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ephi) it creates, receives, maintains, or transmits? Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ephi it creates, receives, maintains, or transmits? Determine how the entity has implemented the requirements. Obtain and review risk analysis policies and procedures. Evaluate and determine if written policies and procedures were developed to address the purpose and scope of the risk analysis, workforce member roles and responsibilities, management involvement in risk analysis and how frequently the risk analysis will be reviewed and updated. June 23,

16 April 2016 OCR Audit Protocols (6) Example OCR Audit Inquiry for Risk Analysis 45 CFR 308(a)(1(ii)(A) at HIPAA Integrity SR, AS.1.1: Obtain and review the written risk analysis or other records that document that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ephi was been conducted. Evaluate and determine whether the risk analysis or other documentation contains: A defined scope that identifies all of its systems that create, transmit, maintain, or transmit ephi Details of identified threats and vulnerabilities Assessment of current security measures Impact and likelihood analysis Risk rating. Obtain and review documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any. Evaluate and determine if the risk analysis has been reviewed and updated on a periodic basis, in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event. If there is no prior risk analysis or other record, obtain and review the two (2) most recent written updates to the risk analysis or other record, if any. If the original written risk analysis or other records have not been updated since they were originally conducted and/or drafted, obtain and review an explanation as to the reason why. June 23,

17 HIPAA Integrity PR UDA Series Series (1) Means Privacy Rule (PR), Use, Disclosure, and Access (UDA) Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. 45 CFR Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. 45 CFR Access means Right of access. An individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, with exceptions for psychotherapy notes and use in a civil, criminal, or administrative action or proceeding. 45 CFR (a)(1) 42 Standards in the PR UDA Series ( ) June 23,

18 HIPAA Integrity PR UDA Series Series (2) 502: Uses and disclosures of PHI: General rules 10 Standards 504: Uses and disclosures: Organizational requirements 3 Standards 506: Uses and disclosures to carry out treatment, payment, or health care operations 2 Standards 508: Uses and disclosures for which an authorization is required 1 Standard 510: Uses and disclosures requiring an opportunity for the individual to agree or to object 2 Standards 512: Uses and disclosures for which an authorization or opportunity to agree or object is not required 12 Standards June 23,

19 HIPAA Integrity PR UDA Series Series (3) 514: Other requirements relating to uses and disclosures of PHI 6 Standards 520: Notice of privacy practices for PHI 1 Standard 522: Rights to request privacy protection for PHI 2 Standards 524: Access of individuals to PHI 1 Standard 526: Amendment of PHI 1 Standards 528: Accounting of disclosures of PHI 1 Standard June 23,

20 HIPAA Integrity PR UDA Series Series (4) Identification Key Activity Relevant Definitions Established Performance Criteria Standard Implementation Specification OCR Audit Inquiry Sample Policies and Procedures Embedded Designated Organization Name References Authorization or Maintenance Forms, if applicable June 23,

21 Amendment of Protected Health Information 45 CFR (1) (a) Standard: Right to Amend (1) Right to Amend (2) Denial of Amendment (b) Implementation Specifications (IS): Requests for Amendment and Timely Action (1) Individual s Request for Amendment (2) Timely Action by the Covered Entity (c) (IS): Accepting the Amendment (1) Making the Amendment (2) Informing the Individual (3) Informing Others June 23,

22 Amendment of Protected Health Information 45 CFR (2) (d) IS: Denying the Amendment (1) Denial (2) Statement of Disagreement (3) Rebuttal Statement (4) Recordkeeping (5) Future Disclosures (e) IS: Actions on Notices of Amendment (f) IS: Documentation June 23,

23 New Privacy Rule Modular Design Components Examples PR UDA : Amendment of PHI Right to Amend PR UDA F: Amendment of PHI Right to Amend Request to Amend Records Form PR UDA : Amendment of PHI Denial of Amendment PR UDA F1: Amendment of PHI Right to Amend Response to Request to Amend Records PR UDA F2: Amendment of PHI Right to Amend Amendment Request Log June 23,

24 Inclusion of Privacy Use, Disclosure, and Access Safeguards in the HIPAA Integrity Safeguard Training Curriculum (1) Lesson 1: Safeguard Training Landscape Lesson 2: Foundational Principles and Definitions Adding Use, Disclosure, and Access Lesson 3: HIPAA Privacy Rule Administrative Requirements Lesson 4: HIPAA Security Rule Lesson 5: HITECH Act Breach Notification Rule Lesson 6: HIPAA Privacy Rule June 23,

25 Inclusion of Privacy Use, Disclosure, and Access Safeguards in the HIPAA Integrity Safeguard Training Curriculum (2) Appointment of Privacy and Security Officials, which may be the same person, particularly in small covered entity or business associate environments Privacy and Security Officials conduct risk analysis using the HIPAA Integrity Risk Analysis Template and identify required risk mitigation strategies and measures Privacy and Security Officials tailor HIPAA Integrity safeguard policies and procedures with identified risk mitigation strategies and measures Privacy and Security Officials initiate Safeguard Training Lessons 1 and 2, and provide workforce members access to electronic tailored safeguard policies and procedures for review prior to initiating Lessons 3-6 June 23,

26 Inclusion of Privacy Use, Disclosure, and Access Safeguards in the HIPAA Integrity Safeguard Training Curriculum (3) Lessons 3-6 focused on Privacy and Security Officials Answering workforce member questions following review of safeguard policies and procedures Emphasizing that any questions or issues pertaining to safeguard policies and procedures in the normal course of business should immediately be directed to the Privacy or Security Official Requiring that any question or request by a patient concerning protected health information (e.g., right of access or amendment of PHI) should be directed to the Privacy or Security Official immediately. Requiring that any security incident or privacy breach, or concern about a possible incident, should be directed to the Privacy or Security Official immediately Administering HIPAA Integrity safeguard true-false and multiple choice test questions to workforce members to measure awareness and understanding of safeguard policies and procedures. June 23,

27 Finally just before any questions HIPAA Integrity Compliance Tool Package includes access via app for smart technology devices after download at no additional cost. Just login on a smart device with your username and password and download the Package to the device. HIPAA Integrity also includes online practicums to help clients use the tools for implementing safeguard policies and procedures. HIPAA Integrity provides download regeneration for updates and version changes during the initial purchase year for $499 and annually thereafter at the purchaser s option for an annual renewal fee of $99 per facility. HIPAA Integrity notifies your organization via at renewal time. Today s Webinar participants who purchase HIPAA Integrity initial year membership before Friday, July 1, 2016, will receive the second year free, as well as the forthcoming Version 4.0 including Privacy use, disclosure, and access policies and procedures. June 23,