Surviving a HIPAA Audit: What you need to know NOW So you can cope THEN. Jonathan Krasner

Transcription

1 Surviving a HIPAA Audit: What you need to know NOW So you can cope THEN Jonathan Krasner

2 Healthcare IT Landscape Meaningful Use Incentives Technology Advances Increased HIPAA Enforcement Regulation Enforcement EHR / Technology Implementations Government Incentives 30+ Million Patient Records Breached

3 HIPAA Violations Over 1200 HIPAA violations of 500+ records since 2009 Violations occur for organizations of all sizes Violations occur for lots of different reasons Violations are increasing in size and scope The complete list can be found at: HOUSTON, WE HAVE A PROBLEM

4 2015 HIPAA Audits Delayed Covered Entities (CE) Contacted 350 Covered Entities Selected 50 Business Associates (BA) Phase 2 Utilize HHS / OCR Portal to Upload Information Letters Will Be Sent to CEs 2 Weeks to Respond / Upload Information Size, Location, Services, Other Information, BA Desk Audits and Onsite Audits Unlike Previous Audits, Fines are Expected to be Handed Out

5 Meaningful Use Audits Meaningful Use Audits Are Occurring Audits targeted at up to 20% (1 in 5) of eligible providers Organizations can be audited either pre or post payment of incentive funds Failed audits may require an organization to repay a full year of incentive payments Incentive fund repayments average ~$10,000 per eligible provider Failed audit for 1 year could trigger an audit in another year Incentive payments must be repaid within 30 days of MU audit failure notice

6 HIPAA Enforcement HIPAA Regulations are enforced by HHS-OCR Enforcement Activities 2015 Random Audit Program Breach Investigations Covered entities Business Associates Complaint Investigations Dissatisfied patients Disgruntled employees

7 Cost of Breaches Ponemon 2013 Cost of Data Breach Study: Estimate $233 per record # of records Cost 1 $ $2, $23, $233, $2,330,000

8 Cost of Breaches Ponemon 2013 Cost of Data Breach Study: Indirect Costs Estimate $233 per record 1. Turnover of existing customers - Loss of customers / patients 2. Diminished customer acquisition - customers / patients not using a practice (Reputation is damaged) Direct Costs 1. Detection and escalation costs - forensics investigative activities, crisis management activities 2. Notification costs - IT activities to create contact database, determination of regulatory requirements, postage, etc. 3. Post data breach costs - help desk activities, inbound communications from customers, identity protection services, etc.

9 Cost of Breaches Ponemon 2013 Cost of Data Breach Study: Estimate $233 per record (Does not include HIPAA fines) Damage to Reputation Indirect Costs 1. Turnover of existing customers - Loss of customers / patients 2. Diminished customer acquisition - customers / patients not using a practice

10 2012 Breaches Categories 2012 Largest Breaches / Categories of HIPAA Breaches 1. Laptops and portable media 40% of all breaches 2. Inappropriate access to patient information - 30% of all breaches 3. Sending PHI unencrypted - 10% of all breaches 4. Hacking 10% of all breaches 5. Loss of backup tapes - 10% of all breaches

11 Audit An audit is the systematic examination of books, documents and other information of an organization to ascertain whether they present a true and fair view of the subject matter. Audits provide third party assurance to various stakeholders that the subject matter is free from material misstatement.

12 How to survive an audit Rule #1 Be compliant!

13 To be compliant, you need to Appoint a privacy and security officer Perform an annual security risk assessment Remediate gaps Have written policies and procedures Provide annual training to ALL employees NOTE: This list is not exhaustive, but these are the major areas to focus on

14 How to survive an audit Rule #2 Documentation!

15 How to document Be organized All documentation in one place Examples: - Paper file - File share - Web portal

16 What to document Policies and procedures Risk Assessment Work plan Training Consider testing Business Associate agreements BA Compliance Disaster recovery plans Media disposal log Security incidents

17 HIPAA Compliance is an ongoing process It is not set it and forget it But it does not have to be time consuming The security officer needs to budget a little time periodically for HIPAA compliance

18 HIPAA Compliance don ts Don t confuse having documentation with having good documentation Don t buy a set of manuals on the Internet and think you are done Don t perform a risk analysis via spreadsheet in 15 minutes => Auditors are looking for substance

19 What to expect when you are audited Most audits request documentation via mail You have 30 days to comply Don t just blindly send all your documentation Review it first Consult a professional Compliance consultant Attorney => Don t take it lightly

20 Audit Results Organizations with good documentation pass audits HHS is not super picky. They are glad you have worked to comply If you have good documentation, but have suffered a breach, your penalties will be minimized BUT

21 Audit Results If you have a breach (and yes, it can happen to you) AND Your documentation is bad, they can throw the book at you!

22 We re here to help MCMS endorsed HIPAA compliance program 2,000 clients nationwide Have passed 50 CMS audits; no fails See BEI website (beinetworks.com) for details

23 Thank you and have a compliant day!