HIPAA Compliance Audits: Your Newest Risk: Are You Prepared?

Transcription

1 HIPAA Compliance Audits: Your Newest Risk: Are You Prepared? Presented by: Melissa (Lisa) Thompson, JD, MPH and Elizabeth Lamkin, MHA Slide 1

2 Speakers Melissa (Lisa) Thompson, JD, MPH Partner Adelman, Sheff & Smith, LLC Elizabeth Lamkin, MHA CEO PACE Healthcare Consulting, LLC This presentation is provided for informational purposes only and does not constitute legal advice. Slide 2

3 Disclaimer Panacea has prepared this seminar using official Centers for Medicare and Medicaid Services (CMS) documents and other pertinent regulatory and industry resources. It is designed to provide accurate and authoritative information on the subject matter. Every reasonable effort has been made to ensure its accuracy. Nevertheless, the ultimate responsibility for correct use of the coding system and the publication lies with the user. Panacea, its employees, agents and staff make no representation, warranty or guarantee that this information is error-free or that the use of this material will prevent differences of opinion or disputes with payers. The company will bear no responsibility or liability for the results or consequences of the use of this material. The publication is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, implied warranties or merchantability and fitness for a particular purpose. The information presented is based on the experience and interpretation of the publisher. Though all of the information has been carefully researched and checked for accuracy and completeness, the publisher does not accept any responsibility or liability with regard to errors, omissions, misuse or misinterpretation. Current Procedural Terminology (CPT ) is copyright 2011 American Medical Association. All Rights Reserved. No fee schedules, basic units, relative values, or related listings are included in CPT. The AMA assumes no liability for the data contained herein. Applicable FARS/DFARS restrictions apply to government use. CPT is a trademark of the American Medical Association. Copyright 2012 by Panacea. All rights reserved. No part of this presentation may be reproduced in any form whatsoever without written permission from the publisher Published by Panacea, 287 East Sixth Street, Suite 400, St. Paul, MN Slide 3

4 HIPAA Audits Mandated by American Recovery and Reinvestment Act of 2009 (ARRA) in the HITECH Act Rolled out by Office for Civil Rights (OCR) as pilot program November 2011 using KPMG LLP Covered entities audited first, business associates to follow Goals conduct up to 150 audits and establish permanent program by end of 2012 Slide 4

5 HIPAA Audit Process Notification letter Requesting production of documents and information within 10 business days Notice of onsite visit to 90 business days Onsite visits last between 3 to 10 business days 20 to 30 business days later, auditors submit draft report to covered entity 10 business days allowed for the covered entity to comment 30 business days later, the final audit report generated and submitted to OCR Slide 5

6 Sample HIPAA Audit Letter from OCR Source: hipaa/enforcement/audit/sampl e-ocr_notification_ltr.pdf Slide 6

7 OCR s Official View Audits are primarily a compliance improvement activity. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Slide 7

8 Enforcement and Liability OCR typically tries to resolve using voluntary compliance, corrective action and/or a Resolution Agreement/monetary settlement OCR can impose Civil Monetary Penalties (CMPs) Referral to Department of Justice Criminal Penalties risk for entity/individuals (fines/prison) Knowingly obtain or disclose PHI DOJ interprets knowingly as knowledge of the actions, does not require knowing the actions are a violation of HIPAA Slide 8

9 HIPAA Security Rule National standards for security of electronic Protected Health Information (ephi) Standards are stated as implementation specifications that are either required or addressable Note: caveat on addressable specifications Enforced by the Office for Civil Rights (OCR) Prior to July 27, 2009 CMS enforced Slide 9

10 Addressable Addressable is not the same as optional! Addressable means the entity must: Perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the entity s environment Decide whether to implement the addressable specification as-is, implement an equivalent alternative that still allows compliance, or not implement either one Document the assessments and all decisions Slide 10

11 Designated Security Official Must have a Designated Security Official This is required under Security Rule Responsible for developing and implementing the Security policies Slide 11

12 Security Rule Policies and Procedures Security policies and procedures are required Must be periodically reviewed and updated in response to environmental or organizational changes that affect security of ephi. 6-year document retention requirement Written security policies and procedures Other records of actions required under Security Rule Slide 12

13 Are Existing Policies Sufficient? Entities typically have some form of security policies/procedures in place Usually IS/IT Department policies May be called Standard Operating Procedures Could be in place with vendor, if IS/IT department is outsourced Do they cover all of the HIPAA Security Rule standards and implementation specifications? Will OCR recognize this and agree? Slide 13

14 Security Official works with Privacy Officer and/or Legal One approach does not fit all! Look at existing policies in context of specific Security Rule requirements -- are there any holes? How will the policies and procedures function within the organization? Do the policies need renaming or reorganizing? Should there be one layer or more than one layer? (e.g., Security policies and technical IS/IT department SOPs) Slide 14

15 HIPAA Security Rule Implementation Specifications Example Standard: Contingency Plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Contingency Plan Standard has three Required and two Addressable Implementation Specifications Data Backup Plan (Required) Disaster Recovery Plan (Required) Emergency Mode Operation Plan (Required) Testing and Revision Procedures (Addressable) Applications and Data Criticality Analysis (Addressable) Slide 15

16 Implementation Specifications Under Contingency Plan Standard Data backup plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Disaster recovery plan: Establish (and implement as needed) procedures to restore any loss of data. Emergency mode operation plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. Testing and revision procedures (Addressable): Implement procedures for periodic testing and revision of contingency plans Applications and data criticality analysis (Addressable): Assess the relative criticality of specific applications and data in support of other contingency plan components. Slide 16

17 HIPAA Security Rule Implementation Specifications Example Standard: Security Management Process Implement policies and procedures to prevent, detect, contain, and correct security violations. Security Management Process Standard has Four Required Implementation Specifications 1. Risk Analysis 2. Risk Management 3. Sanction Policy 4. Information System Activity Review Slide 17

18 Implementation Specifications Under Security Management Process Standard Sanction policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a). Slide 18

19 Security Policies and Risk Analysis Risk Analysis is a required Security Rule implementation specification. Depending on the results from the Risk Analysis Security controls may have to be added or adjusted Policies and procedures may need to be revised or drafted Other actions may need to be taken Slide 19

20 Risk Analysis Required by the HIPAA Security Rule at 45 CFR (a)(1) Also a CMS Stage 1 core objective measure to achieve EHR meaningful use to qualify for EHR incentive payments Security risk analysis is an ongoing process Regular review of records to track access and detect security incidents Periodic evaluation of effectiveness of security measures in place Regular re-evaluation of potential risks to ephi Slide 20

21 What is a Risk Analysis? Assessment of potential risks and vulnerabilities to confidentiality, integrity and availability of ephi in all forms of electronic media Potential risk = the net mission impact considering: Likelihood of particular threats occurring Resulting impact Slide 21

22 Nine Essential Elements of Risk Analysis 1. Scope of the analysis all ephi created, received, maintained, or transmitted (all electronic media) 2. Data collection and documentation 3. Identify and document potential threats and vulnerabilities 4. Assess current security measures 5. Determine likelihood of threat occurrence 6. Determine potential impact of threat occurrence 7. Determine level of risk and corrective actions 8. Finalize documentation 9. Periodic review and updates to the Risk Analysis Slide 22

23 Example Entities will need to determine a method to use A quantitative method could be used for the Likelihood, Potential Impact and/or Level of Risk sections Different descriptive levels could be used - for example Potential Impact could be low, medium, high and critical Other methods can be used instead Billing Department Servers Threat Vulnerability Likelihood Estimate Flood waters impacting computer systems (Facility in flood zone) Billing department servers are located on ground floor Potential Impact Risk Level Corrective Actions Low High High The IS department will create redundancy offsite by [DATE] Unauthorized access by former employees Former employees access codes disabled 3 days after termination Medium High High The Billing department to develop a procedure to notify IS department of employee termination and IS will terminate access code immediately upon receipt of notice. Slide 23

24 Security Rule and Risk Analysis Tools No set requirements for tools or methods -- additional resources: Office for Civil Rights (OCR) Security Rule -- see website ex.html Risk Analysis publication: Guidance on Risk Analysis Requirements under the HIPAA Security Rule National Institute of Standards and Technology (NIST) Guide to Technical Aspects of Performing Information Security Assessments Information Security Handbook: A Guide for Managers (Chapter 10) An Introductory Resource Guide for Implementing the HIPAA Security Rule (Part 3) Managing Risk from Information Systems (draft) HIPAA Security Rule Toolkit Risk Management Guide for Information systems Slide 24

25 OCR Links: Stay on Top of Recent Developments Security Rule yrule/index.html Privacy Rule Sign up for the OCR Privacy and Security Listserv dentities/listserv.html Slide 25

26 One more thing... for hospitals Enforcement authority for HIPAA was shifted from CMS to OCR Privacy Rule BUT the latest news from CMS is: Revisions to the State Operations Manual More details in privacy/security survey instructions Link to new CMS guidance on privacy surveys: and- Certification/SurveyCertificationGenInfo/Downloads/SC Letter12_18-.pdf Slide 26

27 CoP: Patient s Rights Standard: Privacy and Safety A-0143 OLD Survey Procedures: Conduct observations to determine if patients are provided privacy during examinations, procedures, treatments, surgery, personal hygiene activities and discussions about their health status/care and other appropriate situations. Are names posted in public view? Is patient information posted in public view? Is the hospital promoting and protecting each patient s right to privacy? PACE Healthcare Consulting 2012 Slide 27

28 New Survey Procedures A-0143 New Survey Procedures (c)(1) Conduct observations/interview patients or their representatives to determine if patients are provided reasonable privacy during examinations or treatments, personal hygiene activities and discussions about their health status/care and other appropriate situations. Review hospital policy and interview staff concerning their understanding of the use of patient information in the facility directory. Does the policy address the opportunity for the patient or patient s representative to restrict or prohibit use of patient information in emergent and non-emergent situations? Review hospital policy and conduct observations/interview staff to determine if reasonable safeguards are used to reduce incidental disclosures of patient information. If audio and/or visual monitoring is utilized in the med/surg or ICU setting, conduct observations to determine that monitor screens and/or speakers are not readily visible or audible to visitors or the public. Slide 28

29 CoP: Patient s Rights Standard: Confidentiality of Patient Records A-0147 OLD Survey Procedures: Observe care units. Is patient information posted where it can be viewed by visitors or other non-hospital staff? Are medical records accessible to people not involved with the patient s care? Is it likely that unauthorized persons could read or remove the clinical record? Are patient clinical information/records available and accessible at the bedside or in the patient s room where people not involved in the patient s care could likely read the information. Slide 29

30 New Survey Procedures A-0147 Survey Procedures (d)(1) Verify that the hospital has policies and procedures addressing the protecting of information in patients medical record from unauthorized disclosures. Observe locations where medical records are stored to determine whether appropriate safeguards are in place to protect medical record information. Interview staff to determine their understanding of and compliance with the hospital s policies and procedures for protecting medical record information. Slide 30

31 CoP: Medical Record Services Standard: Form and retention of record. A-0441 OLD Survey Procedures (b)(3) Verify that only authorized persons are permitted access to records maintained by the medical records department. Verify that the hospital has a policy to grant patients direct access to his/her medical record if the responsible official (e.g., MD/DO responsible for patient s care) determines that direct access is not likely to have an adverse effect on the patient. Verify that medical records and other confidential patient information are released only for patient care evaluation, utilization review, treatment, quality assurance programs, in-house educational purposes, or in accordance with Federal or State law, court orders, or subpoenas. Slide 31

32 New Survey Procedures A-0441 New Survey Procedures (b)(3) Verify that policies are in place that limit access to, and disclosure of, medical records to permitted users and uses, and that require written authorization for other disclosures. Are the policies consistent with the regulatory requirements? Observe whether patient records are secured from unauthorized access at all times and in all locations. Ask the hospital to demonstrate what precautions are taken to prevent physical or electronic altering of content previously entered into a patient record, or to prevent unauthorized disposal of patient records. Verify that patient medical record information is released only as permitted under the hospital s policies and procedures. Conduct observations and interview staff to determine what safeguards are in place or precautions are taken to prevent unauthorized persons from gaining physical access or electronic access to information in patient records. If the hospital uses electronic patient records, is access to patient records controlled through standard measures, such as business rules defining permitted access, passwords, etc.? Do the hospital s policies and procedures provide that original medical records are retained, unless their release is mandated under Federal or State law, court order or subpoena? Interview staff responsible for medical records to determine if they are aware of the limitations on release of original medical records. Slide 32

33 So Why is This Important Now? Prior to the HITECH Act, Section 1176(a) of the Act, 42 U.S.C. 1320d-5(a) the Secretary of HHS could impose civil monetary penalties: Any person who violates a provision of this part a penalty of not more than $100 for each violation Except that the total amount for all violations of an identical requirement of prohibition during a calendar year may not exceed $25,000 PACE Healthcare Consulting Slide 33

34 So Why is This Important Now? Effective February 18, 2009 section 13410(d) became effective to strengthen enforcement of the HIPAA rules Modified Section 1176(a) establishes categories of violations that reflect increasing levels of culpability, requires that a penalty determination be based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation, and establishes tiers of increasing penalty amounts PACE Healthcare Consulting Slide 34

35 So Why is This Important Now? Summary of tiers for each person Minimum Penalties: (3)(A) $100 each violation capped at $25,000/calendar year for identical violation (3)(B) $1,000 each violation capped at $100,000/calendar year for identical violation (3)(C) $10,000 each violation capped at $250,000/calendar year for identical violation (3)(D) $50,000 for each violation capped at $1,500,000/calendar year for identical violation PACE Healthcare Consulting Slide 35

36 What are the penalties? Violation that the entity did not know and, by exercising reasonable diligence, would not have known violated the law? $100 minimum up to $50,000 for each violation Violation due to reasonable cause but not willful neglect? $1,000 minimum up to $50,000 for each violation Willful neglect? If corrected within 30 days, $10,000 minimum up to $50,000 for each violation If not corrected within 30 days, $50,000 minimum per violation There is a $1.5 million annual aggregate cap for identical violations (calendar year) Slide 36

37 Reasonable diligence is required to detect and correct violations within 30 days or monetary penalties apply. What is reasonable diligence? The business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. Willful neglect results in mandatory penalties, higher if violations are not corrected within 30 days. What is willful neglect? Conscious, intentional failure or reckless indifference to the obligation to comply CFR Secretary can waive monetary penalties if there is reasonable cause and payment would be excessive relating to the violation. What is reasonable cause? Circumstances that would make it unreasonable for the entity to comply, despite the exercise of ordinary business care and prudence Slide 37

38 How are the Security Rule and the HITECH Act Different from HIPAA Privacy Rule? The Security Rule and the HITECH Act are specific to safeguards to protect the confidentiality, integrity and availability of electronic protected health information. The Privacy Rule sets standards for how protected health information should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information. Source: Federal Register/Vol.68 No. 34 PACE Healthcare Consulting Slide 38

39 How Will This Affect Operations? Training Much of the training staff receives revolves around HIPAA Privacy Both Privacy and Security must be defined separately Part of all staff orientation Can additionally be part of annual competency reviews Designated Security Official must be current and receive ongoing training Training must include the entire workforce, not just employees (e.g., trainees, volunteers, and all others the entity has control over) PACE Healthcare Consulting Slide 39

40 How Will This Affect Operations? Develop Policies and Procedures (P&Ps) Apply the Performance Improvement Process of Measuring/Auditing to ensure Compliance with P&PS Periodic audit of orientation/evaluations for proof of training and understanding Audit through rounding by adding simple HIPAA Security questions to existing rounding tools Develop questions directly from policies that relate to staff For example: o Have you changed your password according to policy? o Do you have administrative rights at your local computer? o Observe privacy and security on the units can you easily view patient names on screens, what do signs on the patient doors say... (look at the new CMS CoP guidance) PACE Healthcare Consulting Slide 40

41 How Will This Affect Operations? Develop Key Performance Indicators (KPIs) for the Facility and each Department for HIPAA Security Report KPIs on a regular, consistent basis Make part of compliance report to the the Compliance Committee and Governing Board Develop and implement ongoing risk assessment and risk management for security of PHI Include self audits of HIPAA requirements, accreditation requirements, and CoPs (based on the new CMS guidance for surveyors). PACE Healthcare Consulting Slide 41

42 Sample Checklist This is small snapshot of 3+ page assessment developed with Mulholland Information Security, LLC Molholland Information Security, LLC Slide 42

43 Checklist Continued Molholland Information Security, LLC Slide 43

44 Summary Get Prepared Now Before Audits are Expanded Audit Yourself for Compliance and Act Accordingly Perform ongoing Risk Analysis and Risk Management Make a Part of Your Operations and Measure Compliance TRAIN, TRAIN, TRAIN! PACE Healthcare Consulting Slide 44

45 THANK YOU FOR ATTENDING Slide 45