HIPAA Compliance and Reporting Requirements


Healthcare IT Assurance: Peace of Mind Through Privacy and Security Risk Management
By Dan Schroeder, CPA, MBA, CISA, CIA, PCI QSA, CISM, CIPP/US

BRIEF CONTENTS

HCIT IMPROVES THE PROCESS
  Healthcare Data Breaches are Common
ENTER HIPAA
  HITECH and Omnibus Rule make BAs responsible for HIPAA
  Rise of the BA and Pervasive Security Threats
  What does Assurance Mean for BAs
CREATING PEACE OF MIND
  SOC 2 for Privacy = Peace of Mind for BAs and CEs
SUMMARY
  SOC 2 as a Better Reporting Option for BAs
  About Dan Schroeder, Partner, HA&W
  Appendix A: SOC Reporting Framework

Business Associates are fundamental to the modern healthcare ecosystem, and data breaches are common. Driven by rising costs, increasingly complex regulations, and the ubiquity of cloud-based solutions, the adoption of healthcare information technology is vastly improving the quality and efficiency of the healthcare process. But with progress come pitfalls. Today, almost every healthcare provider depends on third parties to manage or store gigabytes and sometimes terabytes of information about their patients, and much of it is protected health information (PHI). This increasing interdependence of organizations means that the need for assurance regarding those third parties' internal controls is greater than ever.

Unfortunately, innovation is outpacing security, and threats to personal information abound. Javelin Strategy & Research estimates that 11.6 million American adults were victims of identity fraud in 2011, an increase of 13 percent, or 1.4 million adults.[1] Increasingly, third-party technology companies are coming into the crosshairs as a source of information security vulnerability. In a recent study by the Ponemon Institute, 42 percent of survey respondents point to third-party mistakes as the cause of a data breach.[2] According to another recent study, breaches at business associates have historically impacted five times as many patients as those at a covered entity.[3]

Sidebar: By the Numbers (several figures in this sidebar did not survive transcription)
- Number of breaches of PHI since August 2009
- Patient health records affected: > [figure missing] million
- 9% of healthcare organizations had at least one data breach
- % of all patient records breached involving a BA
- Average economic impact of a breach
- Average number of lost/stolen records per breach
Sources: Ponemon Institute, Redspin, Javelin Strategy & Research

[1] Javelin Strategy & Research (February 2012). 2012 Identity Fraud Report
[2] Ponemon Institute and ID Experts (December 2012). Third Annual Benchmark Study on Patient Privacy & Data Security
[3] Redspin (February 2013). Redspin's 2012 PHI Breach Analysis

Enter HIPAA

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) continues to require significant resources. This law was designed to improve the efficiency and effectiveness of the nation's healthcare system by encouraging the widespread adoption of electronic records, while also protecting the privacy and security of those records. But not until the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act did HIPAA have teeth.

Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act significantly increases the penalty amounts for violations of HIPAA rules and encourages prompt corrective action.[4] The act increases the maximum penalty amounts from $100 per violation to $50,000 per violation, and from a total of $25,000 to $1.5 million for all violations of an identical provision. In addition, a CE can no longer escape fines for an unknown violation unless the entity corrects the violation within 30 days of discovery. (In other words, ignorance is no excuse.)

HITECH also imposes new notification requirements on CEs and their BAs in the event of a breach of PHI. In addition, HITECH extends the HIPAA Privacy and Security Rules to HIPAA BAs and makes the HIPAA criminal and civil penalties applicable to these third parties. HITECH also deems BAs in violation of HIPAA if they see a pattern of activity that breaches their business associate agreement (BAA) and do not either correct it, terminate their agreement, or notify the Department of Health and Human Services.

In January of 2013, the HIPAA Omnibus Rule was passed; it becomes effective in March 2013. It combines HIPAA, HITECH, and the Genetic Information Nondiscrimination Act of 2008 (GINA), and has strengthened requirements even further. The "harm" standard for breach notification rules has been dissolved, and now all unauthorized access to PHI is considered a breach, with the exception of specific cases. The HIPAA Omnibus Rule also adopts changes to the Enforcement Rule and strengthens patient rights and requirements for privacy notices. One of the most notable changes the HIPAA Omnibus Rule makes, however, is the application of HIPAA requirements and penalties to BAs. Organizations are now considered a BA if the organization "creates, receives, maintains, or transmits any PHI on behalf of the CE or BA." Note: this now includes organizations such as data centers and backup media storage companies.

Demonstrating compliance with the complex provisions of the HIPAA Omnibus Rule can be overwhelming, and with HIPAA enforcement heating up, CEs are placing an increasing amount of pressure on their BAs to do just that. Approximately 120 audits of CEs were conducted in 2012, and it is expected that the OCR will expand its audit program to encompass BAs.

What's a BA to Do?

Clearly, BAs have much at stake when it comes to protecting PHI. Not only do they face severe civil and criminal penalties, but also the very survival of the company. As one CEO of an Atlanta-based BA said: "If we don't make sure we have the right controls in place, we're dead in the water." So CEs and BAs need assurance of effective controls to manage their privacy and security risks. But what is assurance? At its most basic level: Assurance is peace of mind.

[4] U.S. Department of Health & Human Services (October 2009). News Release: HHS Strengthens HIPAA Enforcement
[5] American Bar Association, ABA Health eSource (June 2009). HITECH Implications for Business Associate Agreements: What Should You Do and When Should You Do It?
[6] U.S. Department of Health & Human Services. HIPAA Privacy & Security Audit Program

In the context of the BA/CE relationship, that peace of mind is built on evidence that the BA is doing the right things to comply with the HIPAA Privacy and Security Rules and the HITECH Act, to meet its CEs' risk management needs, and to protect its own integrity and reputation. Notice that there is no mention in that definition of any kind of report. Too many organizations fixate on the report as a way to satisfy an item on a checklist. This checkmark mentality caused organizations to latch onto the SAS 70 report as a universal panacea. But in most cases, SAS 70 (now known as SSAE 16) was used to address risks that are outside of its intended realm of internal controls over financial reporting. It was not designed to address operational or compliance-related controls, and organizations that use it in that capacity are only creating a false sense of assurance.

To obtain strong assurance of internal controls and satisfy their governance responsibilities, BAs and CEs must first establish a clear understanding of the services to be provided, how those services are delivered, by whom they are delivered, and other key characteristics of the information system. Without this clear understanding, there can be no context within which to determine the most suitable criteria upon which to establish control objectives and mitigating controls. (For more on service organization governance, see Habif, Arogeti & Wynne's white paper, "What's Next After SAS 70? What User Entities Need to Know About Managing Outsourcing and Cloud Risks.")

This lack of focus on suitability of criteria has led BAs to incomplete solutions, which encompass only part of their governance needs. For example, the HITRUST Common Security Framework, a certification awarded by the Health Information Trust Alliance, assesses information security controls, but not those related to privacy.[7] This concept of suitability of criteria has been a missing piece of the discussion around HIPAA compliance. However, it is the foundation of a new assurance reporting option that provides the privacy and security coverage needed by organizations that handle PHI.

SOC 2 + GAPP = Peace of Mind

The American Institute of Certified Public Accountants (AICPA), the standard-setting body for the accounting profession, introduced in 2010 a service organization control (SOC) reporting structure to help users of outsourced IT services manage their risks (see Appendix A). One of these options, SOC 2 reporting on the Privacy Principle, provides a solid framework for addressing the privacy and security risks posed by BAs, for the following reasons:
- It can be used to demonstrate compliance with HIPAA privacy and security laws, and with business associate agreements
- It provides transparency into BAs' internal controls, which CEs need to satisfy their governance requirements
- It is backed by an independent attestation

[7] HITRUSTalliance.net. HITRUST CSF Assurance Program

SOC 2 was designed specifically to provide a high level of transparency into controls around privacy, confidentiality, security, availability and/or processing integrity, collectively known as the Trust Services Principles. Each principle encompasses existing regulatory requirements and recognized control frameworks. Of particular importance to BAs, the Trust Services Privacy principle maps closely to both the HIPAA Privacy and Security Rules. This principle states that "personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP)."

Working with other international bodies, the AICPA developed the GAPP framework by analyzing internationally known fair information practices included in many privacy laws and regulations, including HIPAA. Its underlying focus on security (see sidebar, principle #8), which is foundational to any discussion of privacy controls, makes it a comprehensive, scalable framework for managing both security- and privacy-related compliance. Of course, there are circumstances when an organization may need to comply with additional state and foreign regulations that don't map to GAPP criteria. In such cases, SOC 2 allows the organization to incorporate additional criteria.

A SOC 2 examination report includes three required sections: a system description, a management assertion, and an independent auditor's opinion.

1. System Description

This detailed description of the BA's information system is the basis upon which management provides an assertion and the independent auditor expresses an opinion. It follows robust AICPA guidelines aimed at providing transparency for the CE. Because of the rigor and detail of the report, the entity can rely on it in lieu of performing other procedures that would otherwise be required to understand how effectively the BA is managing the risks it poses to the CE.

Some of the key components of a BA's SOC 2 system description that addresses the Privacy principle include:
- The types of services provided.
- Detailed description of the infrastructure, software, people, procedures and data used to provide those services.
- Statement of privacy and security practices.
- Description of any subservice organizations and their role in handling/processing personal information, and the controls deployed at the subservice organization.
- For each privacy principle criterion, a description of the control(s) designed to meet those criteria.
- A statement regarding how the privacy notice is communicated to individuals, that the CEs are responsible for communicating such notice to individuals, and that the BA is responsible for communicating its privacy practices to the CEs in its statement of privacy practices.

2. Management Assertion

Under SOC 2 reporting standards, management must make a written assertion that states, to the best of management's knowledge and belief, that:
- Management's description fairly presents the organization's system.
- The controls stated in management's description were suitably designed to meet the applicable trust services criteria (i.e., GAPP).
- The controls operated effectively throughout the specified period to meet the applicable trust services criteria (for Type II reports).
- The organization complied with the commitments in its statement of privacy practices throughout the specified period.

The system description and management assertion provide the basis upon which the service auditor conducts tests and issues an opinion.

Sidebar: AICPA Generally Accepted Privacy Principles
1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and Consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to Third Parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for Privacy. The entity protects personal information against unauthorized access (both physical and logical).
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and Enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

3. Independent Auditor's Opinion

Unlike other assurance reporting options, a SOC assurance report is backed by an independent auditor's opinion. The auditor follows professional standards in expressing an opinion on whether:
- The system is fairly presented
- Controls were suitably designed
- Controls operated effectively
- The organization complied with the commitments of its statement of privacy practices

The CPA's professional liability is another reason that a SOC 2 report provides a higher degree of assurance than other types of reports that award a certification. The underlying intent of a certification is to imply safety. In other words, the certifying body has done all the legwork to provide assurance that the organization is doing the right things to protect the customer's information, and that customer can rely on that certification instead of performing his or her own tests. But what if that assurance report is wrong? Who is liable? Without professional liability, there is no transfer of risk; and without transfer of risk, there cannot be true assurance. When a CPA expresses an opinion, his or her reputation and assets are on the line. No other report provides this level of assurance.

The CPA's independence is another important differentiator. A service auditor's engagement measures controls against a defined set of criteria; in the case of SOC 2 for the Privacy Principle, those criteria are GAPP. Not only is GAPP based on internationally known fair information practices that are included in many privacy laws and regulations of jurisdictions around the world, but those criteria are also publicly available for scrutiny and comment.[8] Compare this level of rigor to a for-profit organization that writes its own criteria, performs the testing and awards the certification. What level of assurance does such a program provide?

Sidebar: When seeking a professional to conduct an audit of privacy and security-related controls, BAs should ask the following questions:
- What is your firm's experience performing IT assurance engagements for healthcare entities?
- What is your experience with SOC standards?
- What are the professional standards to which you are held?
- What is your expertise with privacy-related standards? Do you hold any privacy designations, such as Certified Information Privacy Professional?
- What is your expertise with security-related standards? Do you hold any security designations, such as Certified Information Security Manager or Certified Information Systems Security Professional?

[8] AICPA.org (January 2010). Generally Accepted Privacy Principles

A Better Assurance Reporting Option

Organizations that are responsible for managing the PHI of healthcare entities cannot afford to take any chances. They need a high level of assurance that their internal controls meet the strict requirements of HIPAA, HITECH and state privacy and security laws. A SOC 2 report based on GAPP criteria is a better assurance reporting option because it:
- Enables BAs to efficiently respond to customer requests for evidence of privacy and security measures;
- Is based on a set of internationally accepted criteria that demonstrate compliance with the HIPAA Privacy and Security Rules;
- Is a scalable solution that enables compliance with specific state and foreign regulations; and
- Is backed by professional attestation standards, vetted testing methodology and an independent auditor's opinion.

In short, SOC 2 provides the peace of mind BAs need that they are meeting their own governance needs and the governance needs of their CEs. For a detailed case study of how HA&W helped a healthcare IT company address its need for transparency into privacy and security controls, see Appendix A.

About the Author

Dan Schroeder, HA&W's partner-in-charge of IT Assurance & Risk Management Services, is the immediate past chairperson of the AICPA Information Technology Executive Committee and serves on the AICPA Peer Review Task Force for SOC Reporting. He has earned numerous IT designations, including Certified Information Systems Auditor, Certified Internal Auditor and Certified Information Security Manager. He also regularly leads training at national AICPA conferences on the subjects of SOC reporting for SSAE 16 and SAS 70, and other aspects of IT auditing and risk management.

All-Around Peace of Mind

With deep experience in accounting, risk management and technology controls, Habif, Arogeti & Wynne LLP delivers cost-effective, pragmatic solutions to address the risk management and assurance reporting needs of HIPAA covered entities and their business associates. To learn more about how HA&W can help ensure that your controls protect your business interests and that you are fulfilling your governance responsibilities, call Dan today at

Appendix A: AICPA Service Organization Control Reporting Framework

The American Institute of Certified Public Accountants (AICPA) released a new Service Organization Control (SOC) reporting structure in 2010 in an effort to help service organizations and their users manage the risks of IT outsourcing, and to eliminate the confusion that has sprung up around SAS 70. This structure provides three options, known as SOC 1, SOC 2 and SOC 3, for reporting on service organization controls. Below we describe the types of reports that address each of the categories of risk. Note that there may be situations when a service poses multiple types of risk to the organization, creating the need for more than one of these reporting options.

Financial Risks

If the service being provided could affect the reliability of financial reporting, then the appropriate reporting option is SOC 1: Report on Controls Relevant to User Entities' Financial Reporting. SOC 1 satisfies what is now known as Statement on Standards for Attestation Engagements (SSAE) 16, which replaced SAS 70 for all reporting periods ending June 15, 2011 or later. As with SAS 70, there are two types of SOC 1 reports:
- Type 1: A report on management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2: A report on management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a period of time.

Services relevant for SOC 1 reporting purposes typically produce output that is used for or directly affects journal entries of their users, such as claims processing, financial transaction processing, medical billing, outsourced inventory management and order fulfillment.

A primary difference between SAS 70 and SSAE 16 is that the new standard requires management of the service organization to provide a detailed assertion regarding the information system description and its controls. This management assertion provides much-needed transparency into the service organization's control structure, giving user entities the potential opportunity to use the report in lieu of performing other procedures that would otherwise be required to understand the service organization's controls.

Operational and Compliance Risk

If the services provided pose risks to the achievement of the user entity's operational goals or compliance with laws or regulations, the AICPA has outlined two options. The choice will depend on the user entity's answers to the following questions:
- Do we need a robust description of the information system used to deliver the services?
- Does our governance require detailed testing of service organization controls?

SOC 2: Report on Controls Relevant to Trust Services Principles

If the answer to either or both of the above questions is yes, then a SOC 2 report may be the best option. SOC 2 provides the same level of transparency into operational and compliance risks as the SOC 1 report does into financial risks. As with SOC 1, either a Type 1 or Type 2 report may be issued. A Type 2 report will include descriptions of the tests performed by the service auditor and the results of those tests. The auditor who prepares a SOC 2 report uses the AICPA's Trust Services Principles and Criteria as a yardstick to gauge the design of the service organization's controls. A SOC 2 report is appropriate when an organization has a high degree of reliance on highly specialized functions performed by a service organization that pose operational and/or compliance risks. For example, a healthcare entity that relies on a service organization for assessment of claims-related data would likely benefit from a SOC 2 report that focuses on the privacy principle.

SOC 3: Trust Services Principles & Criteria

If the services in question are more general in nature, then a lower level of transparency may be appropriate and a SOC 3 report may be acceptable. Whereas SOC 1 and SOC 2 are based on a set of controls designed by the service organization, with SOC 3 the independent auditor reviews the service organization's application of pre-determined criteria spelled out in one or more of the AICPA's Trust Services principles. As long as the risks represented by the services align well with the control structure represented by one or more of the Trust Services principles (security, availability, processing integrity, confidentiality and privacy), this report can provide a meaningful level of assurance to user entities.

When AICPA SOC Reporting Isn't Appropriate

While SOC 1, SOC 2, and SOC 3 will fulfill the needs of many organizations, they are by no means the only options for reporting on service organization controls. An auditor applying one or more of these criteria must take an all-or-nothing approach; cherry-picking criteria is not allowed. However, there are scenarios when a more tailored set of controls and attestation reports will be necessary. The service organization's auditor will be able to design a customized attestation report that fulfills the requirements of Attestation Standard 101 and also meets all parties' risk management needs.

Habif, Arogeti & Wynne, LLP, Five Concourse Parkway, Suite 1000, Atlanta, Georgia. An Independent Member of Baker Tilly International.


More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships Building Trust and Confidence in Third-Party Relationships Today s businesses rely heavily on outsourcing certain business tasks or functions to service organizations, even those that are core to their

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Building Trust and Confidence in Healthcare Information. How TrustNet Helps

Building Trust and Confidence in Healthcare Information. How TrustNet Helps Building Trust and Confidence in Healthcare Information The management of healthcare information in the United States is regulated under the HIPAA (Health Insurance Portability and Accountability Act)

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

HIPAA and the HITECH Act

HIPAA and the HITECH Act WHITE PAPER: THE HITECH BALANCING ACT The Hi-Tech Balancing Act: Securely Walking the Tightrope of Patient Care October 2009 By John McNeely President and CEO Sword & Shield Enterprise Security, Inc. [

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information OCTOBER 2013 PART 1 Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information Part 1: How HIPAA affects electronic transfer of protected health information It is difficult

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply

HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply October 18, 2013 ACEDS Membership Benefits Training, Resources and Networking for the ediscovery Community Exclusive News and

More information

Healthcare Payment Processing: Managing Data Security and Privacy Risks

Healthcare Payment Processing: Managing Data Security and Privacy Risks Moderator: Linda A. Malek Chair, Healthcare Moses & Singer LLP Healthcare Payment Processing: Managing Data Security and Privacy Risks Thursday, September 13, 2012 Panelists: Beth L. Rubin Senior Counsel

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

MASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2

MASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2 MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its

More information

BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;

BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum; BUSINESS ASSOCIATE ADDENDUM This BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is made and entered into as of July 1, 2012, ( Effective Date ) and supplements and is made a part of the services agreement

More information

Managing data security and privacy risk of third-party vendors

Managing data security and privacy risk of third-party vendors Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

Answering to HIPAA. Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM. Brought to you by. www.duxware.com

Answering to HIPAA. Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM. Brought to you by. www.duxware.com Answering to HIPAA Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM Brought to you by www.duxware.com The Event On February 20, 2014 at 8:00 PM an Internal Medicine specialist received a

More information

Information for Management of a Service Organization

Information for Management of a Service Organization Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered between ("Covered Entity" or "CE") and, ("Business Associate" or "BA"), collectively the Parties, who agree as follows:

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

BAC to the Basics: Business Associate Contracts Made Easy

BAC to the Basics: Business Associate Contracts Made Easy BAC to the Basics: Business Associate Contracts Made Easy Prepared by Jen C. Salyers BAC to the Basics: Business Associate Contracts Made Easy Table of Contents Page I. Approaches to Creating a Business

More information

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA)

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into as of [Date] (hereinafter Effective

More information

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule Understanding Health Insurance Portability Accountability Act AND HITECH HIPAA s Privacy Rule 1 What Is HIPAA s Privacy Rule The privacy rule is a component of the Health Insurance Portability and Accountability

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel

Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel Questions Answers 1 Is a Business Associate (BA) responsible for assuming a Covered

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is made and entered into as of the day of, 20, by and between Delta Dental of California (the Covered Entity ) and (the Business

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

Intelligent Vendor Risk Management

Intelligent Vendor Risk Management Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI

REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI Healthcare Organizations Can Adopt Enterprise-Wide Disclosure Management Systems To Standardize Disclosure Processes,

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) is entered into this day of 2014. Perry Memorial Hospital ( Covered Entity ) and [ABC Company] ( Business Associate ) referred

More information

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

A s a covered entity or business associate, you have

A s a covered entity or business associate, you have Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)

More information

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information