Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner

Transcription

1 Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner OPRA 2015 Fall Conference November 4, 2015 Presented By: Lisa Pierce Reisz Vorys, Sater, Seymour and Pease LLP lpreisz@vorys.com

2 Second Round Timing Originally scheduled for fall 2014 but now pushed back to sometime in 2015???? Delayed to give OCR time to finalize its audit protocol and to test and implement its new internet web portal Will be used to streamline data collection and analysis Will be used to report HIPAA breaches and violations

3 Covered Entities and Business Associates On Hook in Round 2 Select number of Covered Entities and Business Associates will be audited. Initially, 400 desk audits but reduced to 200 with increase in funding for on-site visits. Organizations to be audited should have already received a pre-audit questionnaire in July/August 2014 (approximately 1200 questionnaires were sent out). Covered entities will be audited first; then business associates.

4 HIPAA Audits Round 2 Process Round 2 audits will be conducted by OCR staff; not KPMG. Round 2 audits will be a combination of remote desk audits (all paper) and onsite evaluations. DOCUMENTATION of HIPAA compliance is key!! Covered entities will be required to use the internet portal to submit their documents. Must be timely (10 days to respond), accurate and concise. Covered entities will be required to submit a list of contractors and business associates as part of prescreening process.

5 Narrower Focus Scope of Second Round Audit will be very specific: Breach Notification rules Patient privacy regulations Security rule risk assessments

6 This Time It Counts! Poor audit performance will likely result in enforcement and financial penalties for the first time. Although audits have narrower focus, any HIPAA violations discovered in the audit process will likely not be ignored by OCR.

7 Significant Civil Monetary Penalties Civil Monetary Penalties for HIPAA Violations:

8 OCR Penalties OCR treats each case individually and many factors go into determining whether penalties are issued: Number of affected individuals Level of risk each faces as a result of breach Extent of data exposed Length of time breach allowed to persist

9 Enforcement Highlights As of July 31, 2015, OCR has received over 118,939 HIPAA complaints and has initiated over 1,224 compliance reviews. 94% of cases have been resolved as follows: 23,731 cases were investigated and resolved by requiring changes in privacy practices and corrective actions or by providing technical assistance. 10,783 cases were investigated with no violation found. 9,995 cases involved early intervention in which OCR provided technical assistance without the need for an investigation. 66,956 cases were determined to be ineligible for enforcement (i.e. entity not covered by HIPAA or disclosure of PHI permitted by HIPAA) breaches involving 500 or more individuals are currently posted on the HHS website ( Wall of Shame ): 869 Health Care Providers; 146 Health Plans; 5 Health Care Clearinghouses 280 Business Associates

10 Enforcement Findings Compliance issues investigated most (in order of frequency): 1. Impermissible uses and disclosures of PHI 2. Lack of safeguards of PHI 3. Lack of patient access to their PHI 4. Use or disclosure of more than the minimum necessary PHI Most common types of CEs that have been required to take corrective action under HIPAA (in order of frequency): 1. Private Practices 2. General Hospitals 3. Outpatient Facilities 4. Pharmacies 5. Health Plans (group health plans and health insurance issuers)

11 Criminal Enforcement Actions 42 U.S.C. 1302d-6 To commit a criminal offense under HIPAA a person must knowingly and in violation of HIPAA do one of the following: Use or cause to be used a unique health identifier; Obtain individually identifiable health information; or Disclose individually identifiable health information to another person. Penalties for Criminal Violations: HIPAA Violation Fine Prison Knowingly Up to $50, Up to 1 year False Pretenses: Up to $100, Up to 5 years Intent to sell, transfer, or use Up to $250, Up to 10 years to commercial advantage, personal gain, or malicious harm DOJ enforces HIPAA s criminal provisions. Few cases have been prosecuted but typically involve theft of PHI for some form of financial gain by an employee of a covered entity. - U.S. v. Gibson, No. CR RSM, 2004 WL (W.D. Wash. Aug. 19, 2004).

12 OCR s Audit End Game Audit are intended to delve deeper and uncover flaws in policies and procedures which could lead to data breach Violations of HIPAA rules could result in fines and penalties EVEN IF NO PHI IS EXPOSED!!

13 Security Rule Compliance is Primary Area of Focus 2012 Pilot Audits revealed significant Security Rule compliance failures: Failure to conduct a risk assessment. Failure to identify/address all security issues. Failure to make risk assessment an ongoing process. Failure to encrypt.

14 Security Rule Risk Assessments Tips 1. Forget your organization s size (small does not negate need for risk assessment). 2. Thoroughly document risk assessment. 3. Re-evaluate every time your organization changes. 4. Look for qualified resources to help with your risk assessment. 5. Avoid myths of vendor/consultant HIPAA-compliance claims. 6. Engage the staff to make information security a part of their daily routines.

15 Security Rule Compliance is Primary Area of Focus 2012 Pilot Audits revealed significant Security Rule compliance failures: Failure to conduct a risk assessment. Failure to identify/address all security issues. Failure to make risk assessment an ongoing process. Failure to encrypt.

16 Target Areas for 2015 HIPAA Audits Information Risks: Failure to encrypt data and devices; BYOD; Cloud Storage; Business associate relationships; Networked medical devices; and Malware.

17 Target Areas for 2015 HIPAA Audits (cont d) Security Risks: Social Media; Mobile Devices; and Photocopiers. Privacy Risks: Employees.

18 Audit Readiness Readiness is not just checking boxes or maintaining policy binders. Auditors will be looking for practical application of Privacy and Security policies throughout entire organization. Ongoing documentation of efforts to detect new threats and intrusions (no shallow risk assessment ). Audit trails and logs. Record key activities. Forensic evidence of any investigation of suspected or known security incidents/breaches to patient privacy, including documentation of sanctions of employees, business associates or contractors. Track disclosures of PHI. Staff training. Show overall effectiveness of policies and user compliance.

19 Preparing for HIPAA Audits 1. Manage risks on ongoing basis Do meaningful risk assessment Implement a risk management program 2. Document, Document, Document!!! 3. Train, and re-train New hire training Annual employee training Ongoing training

20 Current Challenges for Covered Entities Ensuring that their HIPAA compliance program makes a significant impact on the organization s culture and behavior. Achieving and maintaining HIPAA compliance and adequately documenting such compliance. Conducting and updating a complete, accurate and meaningful risk analysis. Adequately training employees on HIPAA obligations and importance of keeping patient information confidential and secure. Consistently disciplining employees for HIPAA violations. Digital Age Challenges (texting, social media, mobile devices, mobile apps., telecommuting)

21 Top Ten Pitfalls & Lessons

22 HIPAA Pitfall #1 Missing or inadequate security risk assessments

23 HIPAA Pitfall #2 Dangers of texting (aka being smart with your smartphone)

24 HIPAA Pitfall #3 Breach response when in doubt, report it!

25 HIPAA Pitfall #4 Social media is for friends only

26 HIPAA Pitfall #5 Business associates are no longer just a weekday lunch companion

27 HIPAA Pitfall #6 Customize, not cut and paste, your HIPAA policies and procedures

28 HIPAA Pitfall #7 Encryption is your get-out-of-jail-free card

29 HIPAA Pitfall #8 Pfishing don t take the bait

30 HIPAA Pitfall #9 Paper PHI please secure and dispose of properly

31 HIPAA Pitfall #10 It s Saturday night do you know where your PHI is?

32 QUESTIONS?