AHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA

Transcription

1 AHLA B. HIPAA Compliance Audits Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA Anna C. Watterson Davis Wright Tremaine LLP Washington, DC Fraud and Compliance Forum October 6-7, 2014

2 HIPAA Compliance Audits Marti Arvin, Chief Compliance Officer, UCLA Health System and David Geffen School of Medicine Anna Watterson, Associate, Davis Wright Tremaine Agenda Brief overview of the Pilot Audit Program Program implementation, protocols and compliance gaps What to expect in 2015 Onsite and offsite audits for covered entities and business associates Continuing challenges to preparing for an OCR audit, onsite versus offsite Tips for evaluating your HIPAA compliance program and making sure you can demonstrate compliance 1

3 Pilot Audits Recap HITECH Act requires OCR to conduct periodic HIPAA compliance audits of covered entities and business associates OCR launched its audit program in 2010 and conducted 115 audits in 2011 and 2012 Pilot audits were onsite and evaluated compliance with specific components of the HIPAA Privacy, Security and Breach Notification Rules against set protocols posted on OCR website Why are the pilot audits important? Pilot Audits Key Findings The pilot audits shed light on the most problematic areas for HIPAA compliance Widespread Issues Security Compliance Health care Providers Small organizations Only 11% of the audited entities did not have a finding or observation Only 2 of these entities were providers Covered entities struggled the most with Security Rule compliance Health care providers had more findings and observations than health plans or health care clearinghouses Small organizations, regardless of type of organization, had the most findings and observations 2

4 Pilot Audits Security Rule Findings Nearly all providers had at least one finding or observation Approximately 80% of providers and nearly 57% of health plans did not have a complete or accurate risk analysis Findings included: Risk Analysis Access Management Security Incident Procedures Contingency Planning and Backups Workstation Security Media Movement and Destruction Encryption Audit Controls and Monitoring Integrity Controls Pilot Audits Privacy and Breach Privacy Rule findings included: Notice of Privacy Practices Right to Request Privacy Protections Individual Access Administrative Requirements Uses and Disclosures Breach Notification Rule findings included: Methods of Individual Notification Burden of Proof Timeliness of Notification Notification to Individuals 3

5 Pilot Audits Key Takeaways Demonstrating compliance means more than having policies and procedures Can you demonstrate breach notifications were provided to individuals through an acceptable method (including substitute notification) for any breach? 59% of covered entities were not aware of the audit program prior to receiving the notification letter 56% became aware of additional HIPAA requirement as a result of the audits Upcoming Audits Now is the time to assess HIPAA compliance after you receive a notification letter might be too late. OCR will conduct comprehensive onsite audits of both covered entities and business associates both on a resource dependent basis OCR will conduct approximately 200 offsite audits (paper review only) of limited scope (targeting areas of high compliance failures, including risk analysis) Timeline: Delayed due to OCR updating technology for surveys, document submissions and data analytics 4

6 Upcoming Audits Audit Process OCR Verification OCR began contacting covered entities in the spring to confirm contact information. OCR recently confirmed it is still completing this process. Survey OCR will send a pre audit surveys to entities in the selection pool. OCR is currently developing a portal for survey responses. OCR will use this information, in part, to select auditees. Notification and Data Request OCR projected that it would start sending notifications and data requests in October This has been delayed no update from OCR on timing. Upcoming Audits Covered Entity Onsite Audits Additional funding has allowed for more onsite audits than previously planned OCR will conduct an unknown number of comprehensive onsite audits in the next round Covered entites should expect onsite audits to include a review of all three rules, including Security Rule risk analysis, individual access under the Privacy Rule and notifications under the Breach Notification Rule OCR will be looking to see if covered entities are following their policies If you have a sanctions policy, can you demonstrate that you are actually sanctioning employees in accordance with your policy? 5

7 Upcoming Audits Covered Entity Offsite Audits Projected offsite audits for approximately 200 CEs, with a heavier focus on providers Offsite audits will have a limited focus 2014 focus: Risk analysis and risk management Content and timeliness of breach notifications Notice and Access 2015 focus: Device and media controls; transmission security Privacy safeguards, training to policies and procedures 2016 focus (projected): Encryption and decryption, facility access control (physical security), high risk areas as identified in earlier audits, breach reports and complaints Upcoming Audits Business Associates Covered entities will be asked to provide a complete list of all business associates with contact information and the services they provide What does this mean for BAs? If you are a CE, now is the time to look at your vendor management process BA audits expected to start in 2015 unclear if this is still on schedule Focus will be Security Rule and IT based BAs, but others will be included Business Associate Audit Focus 2015 Risk Analysis and Risk Management Breach reporting to CE 6

8 Onsite Audits vs. Offsite Audits Offsite Onsite Can you demonstrate compliance based on a paper review only? Are you prepared for government officials to come onsite to evaluate your compliance? Have you updated all P&P, BAAs, etc. since the Omnibus Rule compliance date? Do your practices match your policies? Documentation is key Conduct a mock audit (consider privilege issues) Preparing for an Audit Basics Who will OCR contact? Will staff recognize and escalate a phone call or from OCR? Who will be involved? Ensure collaboration between different departments Who will be the lead? Identify the persons in advance Understand everyone s role 7

9 Preparing for an Audit Security Rule Know where your data resides Risk Analysis Must be documented Risk Analysis Gap Analysis Risk Analysis: Update at least every 3 years (best practice is every year); update every time there is an environmental or operational change Risk Management Documented, reasonable plan to reduce risks and vulnerabilities Implementation Specifications: Required vs. Addressable Evaluate administrative, physical and technical safeguards Risk Analysis Who does this at your organization? Compliance Information Technology How involved is compliance? Do you know the status of your risk mitigation process? If you have identified a risk mitigation strategy and timeline, is anyone monitoring this? o o o Are you mitigating the risks? Are you on time? If not, why not? OCR is not likely to take the lack of resources as a basis for failing to mitigate risks 8

10 Risk Analysis What was your process for determining how to prioritize risks? Did you look at recent breaches? Did you have a pre defined list of questions? Who determined what you were going to look at? What else is at risk if you did not do an adequate risk analysis? Meaningful use and the security rule risk assessment Preparing for an Audit Privacy Rule Notice of Privacy Practices has it been updated per Omnibus Rule? Review policies and procedures and ask: Are they compliant on paper? Are they followed in practice? Can you document sanctions? Training? (especially important after a breach) Documentation is key 9

11 Preparing for an Audit Breach Notification Rule Do you have breach policies and procedures? Do they comply with HIPAA and state law, if applicable? For each incident can you show: Documentation of completed breach risk assessment (or documentation supporting applicability of an exception) or Documentation of notifications (to individuals (including substitute notice), HHS, and the media, if applicable) Do notifications to individuals include all content requirements? Were there any law enforcement delays? Do you have documentation? Conducting a Mock Audit Can you identify all policies and procedures? How will your employees answer an auditor s questions? Do they know your policies and procedures (e.g., do they know how to properly escalate a HIPAA breach)? Do you have documentation for all incidents? 10

12 Responding to an OCR Data Request 1. Be responsive Provide all documentation needed to demonstrate compliance (you might not get a second chance), but don t provide extraneous information 2. Be organized Submit files in the manner OCR requests (file type, file name, etc.) 3. Be timely OCR will NOT provide entities the opportunity to clarify or submit additional documents 4. Clarify any documents that are unclear on their face OCR has stated auditors will not likely contact entities to clarify or ask questions for offsite audits failure to submit complete documentation of compliance may lead to referral for enforcement action Audits vs. Compliance Reviews How is this different from a complaint or breach investigation? What happens if you fail an audit? 11

13 OCR Enforcement Action Audits may not result in enforcement action BUT If substantial issues are identified in an audit that could result in referral for further assessment by OCR We have had over eight years to get this right and OCR expects that we have most of it right OCR enforcement has increased recently with nearly $8 million in settlements for 2014 State Attorney General actions and FTC actions HITECH gave state Attorneys General authority to bring actions on behalf of state residents We have seen 6 AG settlements since HITECH, with 3 in Massachusetts More state attorneys general are getting involved Notice to the AG may be required in some states if you have a data breach The FTC is very active in data security and privacy related enforcement actions under section 5 of the FTC Act You really don t want the FTC to become involved in your data security and privacy issues 12

14 Recent Class Actions Stanford settlement $4 million Sutter Health Ultimately dismissed but at what cost? Started as 11 class actions University of Miami $191,000 Community Health Systems AvMed Meaningful Use Audits If you fail a Meaningful Use audit, you risk losing incentive payments Ensure you have documented an accurate, complete, enterprise wide risk analysis 13

15 Audit Tools OCR Protocol not updated per Omnibus Rule col.html HHS Security Risk Assessment professionals/security riskassessment National Institute of Standards and Technology: 800 Series OCR Security Risk Analysis Guidance: ule/rafinalguidancepdf.pdf Questions? Marti Arvin Anna Watterson