HIPAA Summit. March 10, Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC

Transcription

1 HIPAA Summit March 10, 2011 Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC

2 The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C (HIPAA Security Rule) and E (HIPAA Privacy Rule) of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements. ONCHIT must include, in the annual report on compliance, the number of compliance reviews conducted and the outcome of each review. (Section (a)(1)(d))

3 AUDITS COMPLAINTS COMPLIANCE REVIEWS BREACH REPORTS

4 Civil Monetary Penalties Violations categorized Tiered ranges of civil money penalty amounts

5 $100 - $50K/violation, not to exceed $25K - $1.5MM Person did not know (and by exercising reasonable due diligence) would not have known $1,000 - $50K/violation, not to exceed $100K - $1.5MM Violation due to reasonable cause and not to willful neglect $10K - $50K/violation, not to exceed $250K - $1.5MM Due to willful neglect and violation was corrected At least $50K/violation, not to exceed $1.5MM Due to willful neglect and violation was not corrected

6

7 Accounting of Disclosures Rule Reports to Congress on Compliance, Breach Notification National Outreach Campaign HIPAA Audit Program State Attorneys General Training Privacy Rule Minimum Necessary Guidance De-identification Guidance Final Rules on HITECH Breach Notification, Enforcement, and GINA Adam Green, Upcoming OCR Activities, HIPAA Summit West, October 2010

8 Purpose: To evaluate and compare compliance audit program configurations and recommend to OCR several feasible and effective program structure alternatives to implement HITECH Section Timeline: Nov Mar March Aug Aug RFP issued Contract awarded to BAH Research period BAH issued final report to OCR

9 Planning Selection of auditing entities, creation of documentation and analysis tools, staff identification and training, establishing level of effort, pre-audit planning Testing Performing tests and evaluating results Drafting communications Reporting Communicating results of audits

10 Maintenance Corrective Action Transition from Audit to Enforcement Conducting Appeals Encouraging compliance Adam Green, Preparing for the Anticipated OCR Privacy and Security Audits, HIPAA Summit West, October 2010

11 What is the Universe of Covered Entities and Business Associates? Some new players: HITECH aligns patient safety and HIPAA Rules Patient Safety Organizations (PSOs) are treated as business associates when applying the Privacy Rule (42 U.S.C. 299b-22(i)(1) Health Information Exchange Organizations (HIEs)and Regional Health Information Organizations RHIOs) E-prescribing Gateways Vendors of Personal Health Records Sub-contractors (one who acts on behalf of a BA)

12 How will auditees be selected? What will be the Scope of the audit? What types of audit tools will be used? Who will conduct the audits? What will be the frequency of audits? How will resources be allocated? How much advance notice?

13 What type of documentation will be required to address and support audit findings? What will the Audit Report look like? How will recommendations be prepared and what will they look like? How may findings be disputed? Will reports be made public? How to ensure that corrective action is taken? When will enforcement be appropriate?

14 OCR continuing work on strategic plan for determining audit models and deploying the audit function All options still be on the table Approach needs to be cost-effective and efficiently deployed (limited resources) Audit process will augment existing processes (investigations, compliance reviews, etc.) Will audits start in 2011?

15 CEs may be asked to certify on a periodic basis that they are in compliance with various requirements. One possibility is that such certification may also be used to select auditees. OCR may partner with other accrediting and/or licensing organizations.

16 OCR may decide to look at sentinel events (e.g., major breach, complaint, etc.) to determine priorities for audits. Audit process might be linked to Meaningful Use process, e.g., the Attestation requirement. OCR s consistent theme is that audits should be educational, not punitive and that auditing will complement existing processes Compliance is the right thing to do.

17 Prepare for coming HITECH Act mandatory and periodic audits of PRIVACY and SECURITY. Audit preparation can be a tool for assessing the organization s compliance with the Privacy and Security Rules, including new HITECH requirements. Achieving a return on investment in EHR, infrastructure, etc. and qualifying for MU incentives requires creating and enhancing a robust privacy and security program.

18

19 Are you in compliance with the HIPAA Security Rule Evaluation Standard? Perform a periodic technical and non technical evaluation, based initially upon the standards and implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity s security policies and procedures meet the requirements of this subpart. [Section (a)(8)]

20 Can you demonstrate that your policies, procedures, and practices enable a patient s individual rights (e.g., a patient s right to access his/her medical records) and can you confirm that these rights are upheld by your organization?

21 Do you meet the HIPAA Security Rule Standards for Risk Analysis and Risk Management? Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. [Section (a)(1)(ii)(A)] Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section (a). [Section (a)(1)(ii)(B)]

22 Have you completed the required Risk Analysis that is required for Meaningful Use AND has always been required by the HIPAA Security Rule (April 2005)? When did you start doing risk analyses? Do your risk analyses go beyond the technical requirements of the Security Rule?

23 How often do you perform risk analyses? How do you document your risk analyses? Are your analyses for security and privacy integrated with your organization s enterprise-wide risk analysis process?

24 Have you implemented appropriate administrative, technical and physical safeguards to comply with the HIPAA Security Rule? For example: Encryption Training Documentation of Policies and Policy Process Auditing Program Designation of Privacy and Security Officers Etc.

25 Do you have an ongoing program of Auditing and Monitoring for the Privacy and Security Programs? Plan Objectives Responsibility for audits and monitoring processes Frequency and Types of Audits Corrective Action Plans Documentation of audits, results, remediation Documentation of program changes due to audit reports and findings Reporting of Findings to Board Committee, Senior Leaders, and Managers

26

27 Update and enhance Training Programs. Training Continuous Training Encrypt Mobile Devices. Update and communicate policies. Document this process.

28 Review documentation processes and make sure corrective actions are completed and documented. Continue enhancing the Risk Analysis and Risk Management Processes. Incorporate good privacy and security practices into day-to-day operations and embed in organizational culture.

29

30 Phyllis A. Patrick, MBA, FACHE, CHC