A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved

Transcription

1 A smarter way to protect your brand Minimizing Compliance Risks of Proactive OCR HIPAA Audits Copyright 2012 Compliance 360 All Rights Reserved

2 Compliance 360 at a Glance Compliance, Risk and Audit Solutions for Healthcare 250,000+ Active Users 800, Regulations 350,000+ Policies 150, Contracts 90,000+ Assessments 2

3 Chief Compliance Officer Chief Risk Officer CEO/ Board General Counsel Internal Auditors Compliance Management Executive Dashboard Virtual Evidence Room Incident Management Risk Management Audit Management Content Library & Network of Certified Partners HIPAA, HITECH, STARK, EMTALA, Vendor Compliance, etc. Legal and Regulatory Content, Assessment Templates, Analyses & Recommendations 3

4 Introductions Cliff Baker Meditology, Managing Partner Cliff has worked with leading healthcare companies across all sectors of the industry and served as an executive advisor for key industry affiliations and companies. He is a sought after contributor to various health IT and information security forums, and an author of the Common Security Framework, an IT risk management book and other various publications. HITRUST Alliance, Chief Strategy Officer Most widely adopted information security and compliance framework for healthcare industry PricewaterhouseCoopers Led the southeastern healthcare advisory practice Adam Greene AdamGreene@dwt.com Davis Wright Tremaine, Partner Adam Greene is a partner in the Washington, D.C. office of Davis Wright Tremaine, where he primarily il counsels health h care providers and technology companies on compliance with the HIPAA privacy, security, and breach notification rules. Previously, Adam was a regulator at the U.S. Department of Health and Human Services, where he played a fundamental role in administering and enforcing the HIPAA rules. At HHS, Adam was responsible for determining how HIPAA rules apply to new and emerging health information technologies, and he was instrumental in the development of the current HIPAA enforcement process. 2/29/2012 4

5 Agenda Introductions Background on OCR Audits What to Expect & How to Prepare for an Audit Lessons Learned from OCR Readiness Assessments Questions 2/29/2012 5

6 Prior HHS Enforcement of HIPAA Pi Privacy & Security Privacy and Security Complaints o Over 67,000 complaints o Over 15,000 corrective actions o 7 monetary settlements/penalties o Security investigations normally arose from privacy complaints Compliance Reviews o Incident driven o Limited in scope Breach Reports o Over 39,000 large and small breach reports 6

7 OIG and Congress Call for Audits In two reports issued by OIG, CMS was criticized for not proactively conducting compliance reviews Congress requires privacy and security audits: The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of [the HITECH Act, Privacy, and Security Rules], as such provisions are in effect as of the date of enactment of this Act, comply with such requirements. [HITECH Act Section 13411] 7

8 HHS Awards Two Audit Contracts $180,000 contract with Booz Allen Hamilton to identify the universe of covered entities that are candidates for audits (June 2011) $9.2 million contract with KPMG to develop audit protocol and perform 150 audits (June 2011) 8

9 BAH Contract: Identification of Audit Candidates Identification of public and/or private resources that identify and classify covered entities Seeks a single data file of covered entities Does not call for identification of business associates 9

10 KPMG Contract: Audits of Covered Entities Development of audit protocol (instruction module for auditors) Conducting of 150 audits o2012 audits will serve as a pilot program Contract runs through December

11 Audits: A New Tool for OCR First audits over privacy compliance Fourth set of security compliance audits o First by OCR o Much larger than prior OIG or CMS efforts Different than OCR compliance reviews o Preventative and educational focus Conducted by KPMG, not OCR 11

12 Timing of Audits Development of audit protocol should have completed in October 2011 Initial 20 audits began around December 1 st and are being completed now Remainder of audits (100 to 130) expected between May 2012 and December 2012 (notifications expected within next few weeks ) 12

13 Who Will Be Audited Covered entities of varying size and scope o Health care providers o Health plans o Health care clearinghouses Business associates likely will not be included in this round of audits Stratified random selection 13

14 Who Will Be Audited Level 1 Large providers/payers (revenues or assets greater than $1 billion) Level 2 Regional hospital systems/regional insurers ($300 million to $1 billion) Level 3 Community hospitals, outpatient surgery centers, regional pharmacies, self-insured plans ($50 million to $300 million) Level 4 Small providers (10 to 50 provider practices), community or rural pharmacies (less than $50 million) 14

15 Who Will Be Audited: First 20 Audits Level l1 Level l2 Level l3 Level l4 Ttl Total Health Plans Health care providers Healthcare clearinghouses

16 Who Will Be Audited: First 20 Audits Providers Allopathic & Osteopathic Physicians Hospitals 3 Laboratories 1 3 Health Plans Medicaid 1 SCHIP 1 Group Health 3 Dental 1 Nursing & Custodial Care Facilities 1 Health Insurance Issuer 3 Pharmacy 1 16

17 Audience Polling Question #1 Which privacy/security issues pose the biggest risk to your organization? (Please select all that apply) 17

18 Scope of Audit Protocol Policies and Procedures o Potentially ti covers all of the Privacy and Security Rules o Could cover Breach Notification Rule Routine Operations o Have policies i been implemented? o Does implementation comply with HIPAA? Critical Weaknesses o A focus on identifying critical weaknesses 18

19 Timeline of an Audit Notification letter from OCR Documentation due (10 business days from date of notice) Start of site visit (30 90 days from notice) Draft audit report (20 30 days from end of site visit) it) Comments on draft audit report due (10 business days from draft audit report) Final audit report (30 days after comments) 19

20 Site Visits 3 to 10 business days 3 to 5 auditors with expertise in: ohipaa privacy ohipaa security ocompliance auditing oinformation technology auditing 20

21 Site Visits Each audit will include a site visit ointerviews (e.g., CIO, privacy officer, legal counsel, HIM director) Interviews with non-leadership? oexamination of physical features oexamination of operations 21

22 Audit Reports Information about covered entity Methodology Findings Acknowledgment of best practices Overall conclusion Opportunity to dispute/appeal 22

23 Audit Findings Condition: Observed noncompliance and evidence Criteria: Citation of provision(s) potentially violated Cause: Reason the noncompliance exists Effect: Risk of resulting noncompliant status Recommendation Corrective action taken (if any) 23

24 Results of Audits Audits are primarily preventative and educational, not punitive Serious noncompliance may lead to OCR compliance review Compliance reviews may lead to settlements/penalties 24

25 Audience Polling Question #2 Suspected privacy breaches are addressed using (Please select all that apply) 25

26 Lessons Learned: OCR Readiness Reviews Outdated risk assessment or assessments with no formal follow-up Organizations cannot meet their own policy requirements Understanding PHI o Consistent definition of PHI for the organization o Knowing where PHI is located Applying Sanctions o Consistent application executives and physicians 26

27 Lessons Learned - Continued Business Associates overy limited information on their ability to protect your information Private Health Information Exchanges ono clear policies for handling patient preferences, accounting of disclosures or incident id response 27

28 Lessons Learned - Continued Documentation oauditor Perspective if it s not documented it didn t occur Incident response odocumented process for determining significant harm otimely y follow-up 28

29 Lessons Learned - Continued Major Security Weaknesses o Out of reach policies and limited documented processes o Access control Access rights to clinical systems Non employed users o Mobile devices and portable media o Monitoring processes o Encrypting laptops AND desktop workstations in high traffic areas o Vulnerability management non existent 29

30 How to Prepare Ensure that documentation is accessible and organized. Alert upper management of possibility of an audit. Begin appropriate corrective actions now. 30

31 Tips if Audited Ensure that upper management is in the loop. Perform triage focus on biggest compliance issues and easy fixes. Consider refresher training for the workforce. 31

32 Tips if Audited Comply with minimum necessary and IT access management requirements. Comment on draft audit report and remember final audience: OCR. Consult with counsel early in process. 32

33 Audience Polling Question #3 Would you like to learn how Meditology, Davis Wright Tremaine or Compliance 360 can help you reduce the risk of HIPAA audits? (Please select all that apply) 33

34 Questions 2/29/

35 Meditology Five Concourse Parkway Suite 1925 Atlanta, GA (404) Med i tol o gy [Med-ih-tol-uh-jee] -noun A methodology for achieving successful results with healthcare IT by balancing risk management with an optimal implementation approach Privacy and Security Strategy and organization design Compliance assessments (HIPAA, HITECH, Meaningful Use, HITRUST) Ethical hacking / attack and penetration assessments Solution architecture and deployment: -Access control -Virtualization -Privacy and monitoring Training and awareness material design and delivery Cyber insurance packages Implementation Services System selection Implementation planning Meaningful Use planning and project management Testing Training Go-live support Staff augmentation ICD10 assessment e and planning Project Management Change Management 2/29/

36 For more information Adam H. Greene, JD, MPH

37 HIPAA Audit / Breach Management Demos 37