HIPAA Audit Risk Assessment - Risk Factors


Each question is scored in one of three rubric columns, headed Compliance, Compliance I and Compliance II on every page of the form. Only fragments of the rubric cell text survived transcription; they are listed after each area in their original order.

SECTION ONE - COVERED ENTITY RESPONSIBILITIES

AREA ONE - Notice of Privacy Practices

1. Is your full notice of privacy practices given to every new patient in your practice at the first encounter or episode of care?
2. Who is responsible for ensuring that the notice is given to every new patient? Please explain the process.
3. Does anyone spot check the individual responsible for checking in new patients to ensure the notice of privacy practices is actually provided? If yes, how is this spot checking done (for example: observation, interview of staff, etc.)?
4. Does the staff responsible for checking in new patients get any type of refresher training on the requirements of providing the NPP to new patients? If yes, who provides the training and how often?
5. Does anyone spot check the medical records of new patients to ensure that staff is getting an acknowledgment from the patient that the NPP was received? If yes, please describe the process and attach any applicable policies and procedures.
6. Is the NPP posted in a prominent place that would make it readily apparent to your patients?
7. Have you updated your NPP since April 14, 2003? If yes, why? Please provide a current copy of your practice's NPP.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: NPP to all new patients at first encounter | Individual / Position(s) & process clearly | NPP distribution process to new patients needs minor revisions | Individual / Position(s) and/or process, but more detail | NPP is not to all new patients at first encounter | Individual / Position(s) and/or process not | Answer is yes and process clearly | Answer is yes and clearly | Answer is yes, process is clearly, and p/p were | process should be in more detail | should be in more detail | process is not clearly, or p/p were not | and/or process not | and/or not | and/or process is not & p/p were not | Answer is clearly not documented as yes | clearly documented | Valid NPP Provided | Invalid NPP Provided | No NPP Provided

Section One - Area One: Min / Max Risk Score

AREA TWO - Minimal necessary

1. Who is responsible for reviewing the uses and disclosures of protected health information in your practice to ensure the minimal necessary standard is met?
2. Please describe the process for this review and attach any applicable policies and procedures.
3. Who is responsible for reviewing the roles of the various staff in your clinics to ensure that their access to protected health information is the minimal amount necessary to perform their job?
4. Please describe the process for this review and attach any applicable policies and procedures.
5. How does your practice/department control access to paper medical records? Please describe in detail.
6. How does your practice/department control access to electronic medical records? Please describe in detail.
7. How does your practice/department control access to billing information? Please describe in detail.
8. Who is responsible for reviewing non-routine requests for PHI to ensure the minimal necessary standard is met?
9. Please describe the process for this review and attach any applicable policies and procedures.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: clearly, but more detail | Process clearly and p/p were | clearly | Process clearly and p/p were | Process clearly in detail | Process clearly in detail | Process clearly in detail | clearly | Process clearly and p/p were | or p/p were not, but more detail | or p/p were not | in detail | in detail | in detail, but more detail | or p/p were not | Process not and p/p were not | Process not and p/p were not | Process not | Process not | Process not | Process not and p/p were not

Section One - Area Two: Min / Max Risk Score

Page 1 of 8

AREA THREE - Authorizations

1. Who is responsible for reviewing HIPAA authorizations to ensure that all of the required elements are present? Please attach copies of your Authorization and/or Release of Information form(s).
2. Please describe the process for this review and attach any applicable policies and procedures.
3. Who is responsible for reviewing HIPAA authorizations to ensure that only the PHI by the authorization is being used or disclosed as described by the authorization?
4. Please describe the process for this review in detail and attach any applicable policies and procedures.
5. Who is responsible for receiving the notice when a patient revokes an authorization?
6. Does anyone routinely monitor the records to ensure revocations of authorizations are honored? If yes, who and how often? If not, please explain why.
7. Please describe the process for the review addressed in question 6 above and attach any applicable policies and procedures.
8. Does anyone in your clinical area/department have contact with the media regarding your patients? If yes, please explain how your department ensures:
   a. Appropriate permission has been obtained from the patient if any patient-specific information will be shared or the patient will be interviewed or videotaped,
   b. The media and their staff only have access to the protected health information that is part of their story, and
   c. No patient information is visible to the media person and/or his/her staff if patient permission has not been obtained.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: clearly & Copy of valid Authorization form(s) | Process clearly and p/p were | clearly | clearly & Copy of invalid Authorization form(s) | or p/p were not, but more detail | or Authorization form not | Process not and p/p were not | Process clearly and p/p were | clearly | Answer is yes and clearly | Process clearly and p/p were | or p/p were not | Process not and p/p were not, but more detail | should be in more detail | or p/p were not | n/a | n/a | n/a | n/a | If answer is no, assign lowest risk level I factor to steps a, b, & c below | If answer is yes, assign appropriate I or III risk to steps a, b, & c below | to #8 above | Answer is yes to #8 requested is | and/or not | Process not and p/p were not | If answer is yes, assign appropriate I or III risk to steps a, b, & c below | Answer is yes to #8 requested is not | to #8 above | Answer is yes to #8 requested is | to #8 above | Answer is yes to #8 requested is | Answer is yes to #8 requested is not | Answer is yes to #8 requested is not

Section One - Area Three: Min / Max Risk Score

AREA FOUR - Business Associate Agreements

1. Have all of your practice/department's business associate agreements been reviewed by the University of Louisville Privacy Office?
2. Please list all your practice/department's business associates and attach all business associate contracts that have been entered into by your practice and/or department. If the BA provisions are incorporated into the contract, please attach the contract.
3. Have you reviewed all your business activity to ensure that business associate agreements are in place for all situations where your practice shares PHI with another entity? (Note: Ten specific examples listed, items a. thru j., after question #3.)
4. Have your business associate agreements been updated to include the provisions of the HIPAA security rule and the breach notification rule? If the answer is no, please contact the Privacy Office at
5. Who is responsible for coordinating a review of new contracts with the University of Louisville Privacy Office to determine if a BA?
6. Does your practice/department act as a business associate for any other entity? If yes, please list the applicable entities and attach a copy of all business associate agreements.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: Answer is yes with qualifying information | All BAAs listed and | Some BAAs listed and no copies of BAA documents | BAA documents | Response to every item a. thru j. | Response to some items a. thru j. | Answer is yes with qualifying information clearly | Answer is yes with BAA documents | No BAAs | No responses | , but more detail | BAA documents

Section One - Area Four: Min / Max Risk Score

AREA FIVE - Disclosures of information to family, friends and others involved in the patient's care or payment for the patient's care

1. Do you require the patient to designate who you can talk to regarding their care or payment for their care? If yes, how?
2. Who monitors information shared with the patient's designated individuals to ensure that only those individuals who the patient designates get information?
3. If you do not require the patient to designate who you can talk to regarding care or the payment for care, do you disclose information to family, friends and/or others using a verification method? If yes, what is the method? What information do you require for verification? Please be specific.
4. When contacted by another provider for information on a patient, do you share the information without an authorization? If yes, what verification method is used?
5. Do you routinely treat minors in your practice? If yes, please indicate who monitors to ensure that information over which the minor has control is not shared with a parent, guardian or other legal representative without appropriate permission from the minor.
6. Please describe the process discussed in number 5 above in detail.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: Answer is yes with documentation of process | documentation of process clearly or require patient to designate, but more detail | Answer is yes with documentation of method | documentation of method | Answer is yes with documentation of method | documentation of method | Answer is yes with individual / position(s) | Process clearly in detail | individual / position(s) | Process not

Section One - Area Five: Min / Max Risk Score

AREA SIX - Fundraising

1. Does your practice do any fundraising activity directly? If yes, what patient information do you use for fundraising (patient name, address, date of service, date of birth, insurance status, diagnosis, etc.)?
2. Do you provide any patient information to the University Development Office, a business associate, a hospital foundation, the Brown Cancer Center foundation or to any other entity for fundraising purposes? If you do provide such information, please specify each entity and what information you provide (name, address, date of service, date of birth, insurance status, diagnosis, etc.).
3. If you use patient information for fundraising, is this addressed in your Notice of Privacy Practice? If yes, what is the exact language? NOTE: if you have provided your NPP you do not need to provide the language here.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: Answer is yes with documentation of patient information used | Answer is yes with documentation of each entity and information | Answer is yes and copy of valid NPP is or compliant language is documented | documentation of patient information used | documentation of each entity and information | Answer is yes and copy of valid NPP is not or non-compliant language is documented

Section One - Area Six: Min / Max Risk Score

AREA SEVEN - Research

1. Does your department conduct research?
2. If yes, who is responsible for ensuring compliance with the HIPAA regulations before any information is viewed or shared for a research purpose?
3. If a report from the billing or electronic medical record system is requested for a research study, who is responsible for ensuring the information being requested is permitted under the research authorization, or the partial or complete waiver of authorization?
4. Please describe in detail the process by which a request for information related to research is verified. Please attach any applicable policies and procedures.
5. Does your practice/department use the Rule of 50 for disclosures made for a research purpose? If yes, please attach your policy and procedure for the Rule of 50.
6. Are residents and medical students permitted to maintain any research data including PHI on their personal devices such as laptops, PDAs, etc.? If yes, please attach your policy and procedure for ensuring the privacy and security of this information.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: with qualifying information | to #1 above | Answer is yes to #1 above with individual / position(s) | clearly, but more detail | Process clearly and p/p were | or p/p were not | Answer is yes and p/p | Answer is yes and p/p | Answer is yes | Answer is yes to #1 above without individual / position(s) | Process not and p/p were not | Answer is yes and p/p is not | Answer is yes and p/p is not

7. If the answer to number 6 above is yes, please describe any training the residents and medical students have been given regarding maintaining the privacy and security of the PHI stored on their personal devices. Attach any training material used.
8. Does the document used by your clinic/division/department to obtain consent to treat a new patient include ANY reference to research (the language referencing research might be in a sentence that states something like "I give you permission to use my information for educational, scientific and research purposes")? Please attach a copy of this document. If different documents are used by different clinical sites, please attach a copy of each distinct document.
9. Does your clinic/division/department use its own consent document for procedures (this might include diagnostic, surgical or other procedures)? If the answer is yes, does the document make ANY reference to research? Please attach a copy of each such document used by your clinic/division/department.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: to #6 above | Process clearly and training materials were | and copy of consent form confirms answer | and copy of consent form confirms answer | , but copy of consent form is not | , but copy of consent form is not | or training materials not | Answer is yes and/or copy of consent form confirms presence of research language | Answer is yes and/or copy of consent form confirms presence of research language

Section One - Area Seven: Min / Max Risk Score

AREA EIGHT - Storage and transmission of PHI

1. Please describe in detail how paper medical records are stored in your practice, clinical area and/or department.
2. Please describe in detail how access to your paper and/or electronic medical records is controlled during business and non-business hours.
3. Please describe in detail how you ensure the privacy and security of electronic protected health information is maintained while the data is at rest (simply stored on a PC, server, etc.) and while it is in transit (sent via email, transported on disk, etc.).
4. Does your practice permit PHI to be shared via email? If yes, please describe in detail the method used for ensuring the security of the information (encryption, password protection, etc.). Attach any applicable policies and procedures.
5. Are your staff, faculty, residents, medical students, etc. permitted to set up a rule forwarding all email to a home or non-UofL/non-practice plan account? If yes, please describe the method for ensuring any email that might contain PHI is properly secured and/or deleted when sent to a non-UofL/practice plan account.
6. Are physicians, residents, students and/or staff permitted to maintain any clinical PHI on their personal devices such as laptops, PDAs, etc.? If yes, please attach your policy and procedure for ensuring the privacy and security of this information.
7. If the answer to question 6 above is yes, please describe in detail the method for ensuring that the PHI is properly disposed of and/or returned to the University of Louisville or the practice plan once the residency is complete or the medical student finishes his/her rotation. Please attach any applicable policies and procedures.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: Process clearly in detail | Process clearly in detail | Process clearly in detail | Answer is yes and method described in detail | Answer is yes with process described | Answer is yes and p/p | to #6 above | Answer is yes with method described and/or p/p | Process not | Process not | Process not | Answer is yes and method is not | Answer is yes and process is not described | Answer is yes and p/p is not | method described and p/p

Section One - Area Eight: Min / Max Risk Score

AREA NINE - Breach Notification

1. When a potential breach is suspected to have occurred, who is responsible for receiving, gathering, and documenting the information, and evaluating the circumstances to determine whether the circumstances constituted a breach of PHI?
2. Please describe the process for this review, including how the breach log is reported to the Secretary of DHHS, and attach any applicable policies and procedures.
3. In the event it is determined that a breach has occurred, who is responsible for determining whether the breach poses a significant risk of financial, reputational or other harm to the individual?
4. Please describe the process for this determination, including the documentation process, and attach applicable policies and procedures.
5. In the event it is determined that a breach has occurred, who is responsible for determining whether the incident meets an exception that would not require notification to the individual?
6. Please describe the process for this determination, including the documentation process, and attach applicable policies and procedures.
7. In the event it is determined that a breach has occurred, who is responsible for determining which parties (e.g., individuals, media, government authorities) should be notified of the breach and what information should be included in such notification(s)?
8. Please describe the process for this determination, including documentation procedures, and attach applicable policies and procedures.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: clearly but more detail | Process clearly in detail | clearly but more detail | Process clearly in detail | clearly but more detail | Process clearly in detail | clearly but more detail | Process clearly in detail | Process not | Process not | Process not | Process not

Section One - Area Nine: Min / Max Risk Score

SECTION ONE - TOTAL MIN / MAX RISK SCORE: 1,280 / 3,840

SECTION TWO - PATIENT RIGHTS

AREA ONE - Patient access to PHI

1. When a patient requests access to his/her medical record, do you permit the patient to inspect the record? If yes, is an appointment required? Does anyone sit with the patient while records are reviewed?
2. If a patient requests a copy of some or all of his/her medical record, who is responsible for ensuring that the copies are made and available to the patient within 30 days for records on site and within 60 days for records off site?
3. If additional time is needed to provide a patient copies of his/her medical record, who is responsible for ensuring the patient is notified that an extension of time will be needed so that the notification is received within the original 30 or 60 day timeframe?
4. Does your practice define what is included in the medical record to distinguish the medical records from the information defined by HIPAA as the designated record set? If yes, please provide the document that identifies this distinction.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: Answer is yes, appointment is required and staff member sits with patient | clearly, but more detail | Answer is yes, appointment is not required and/or staff member does not sit with patient | clearly | Answer is yes and copy of document defining this distinction | , but more detail | copy of document defining this distinction is not

Section Two - Area One: Min / Max Risk Score

AREA TWO - Request for confidential communications

1. Has your practice/department received any request from patients for confidential communication? If yes, who is responsible for evaluating the request to determine if it is reasonable?
2. Please describe in detail the process used for determining if a request for confidential communication is reasonable.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: Answer is yes with individual / position(s) | Process clearly in detail | individual / position(s) | Process not

3. If a request for confidential communication is deemed reasonable, who is responsible for ensuring that all communications with the patient are done in a manner consistent with the request for a confidential communication?

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: clearly | , but more detail

Section Two - Area Two: Min / Max Risk Score

AREA THREE - Accounting of disclosures

1. Has your practice received any request for an accounting of disclosures? If yes, how many?
2. Who is responsible for generating the accounting of disclosures if a patient makes a request?
3. How do you account for disclosures? Please list all methods by which you account for disclosures; be specific.
4. Does anyone routinely review records to ensure that all disclosures that require an accounting are, in fact, accounted for in the record?
5. Do you provide any ongoing training or refresher courses to all staff responsible for making disclosures to ensure they understand when an accounting is required? If yes, please describe the training process.
6. Would you be interested in using web-based software to account for disclosures if it were available to you at a nominal cost?
7. Has anyone in your practice ever tested the accounting of disclosures process to ensure that if an accounting is requested by a patient it can be produced in an accurate and timely manner? If yes, please describe the process.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: Answer is yes with number of requests documented | clearly | Process clearly in detail | Answer is yes and clearly | Answer is yes and description of training process | number of requests documented, but more detail | Answer is yes and clearly | description of training process not | n/a | n/a | n/a | n/a | n/a | n/a | n/a | Answer is yes and clearly is not | Process not

Section Two - Area Three: Min / Max Risk Score

AREA FOUR - Patient Complaints

1. Has your practice received any complaints from a patient that involve an allegation of a breach or violation of the patient's privacy rights? If yes, please describe the complaint and its resolution.
2. If the answer to question 1 above was yes, did you report this complaint to the University of Louisville Privacy Office?

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: Answer is yes with description of complaint(s) and resolution(s) | to #1 above | Answer to this question (#2) is yes | description of complaint(s) and resolution(s) | Answer to this question (#2) is no

Section Two - Area Four: Min / Max Risk Score

SECTION TWO - TOTAL MIN / MAX RISK SCORE

SECTIONS ONE & TWO - TOTAL MIN / MAX RISK SCORE: 1,485 / 4,455

SECTION THREE - ELECTRONIC DATA SECURITY

1. Please describe the types of systems used to store, transmit or process ePHI. Include information such as the type of computer or device, its operating system, database and application programs, and the device or program's functions with ePHI.
2. Who are the personnel who have access to each of these systems for administration, normal work or other purposes? Please describe their role and the systems they use.
3. For each system your department, clinic, practice or other organization manages, administers or maintains, either totally or in conjunction with others, please complete this checklist and provide any explanations in the area directly below each question.

Rubric cells (Compliance / Compliance I / Compliance II), as transcribed: Types of systems clearly | Types of systems not clearly in detail | with role(s) and system(s) | , but role(s) and system(s) not | Types of systems not

Electronic Data Security General: Min / Max Score

Checklist answers for each risk column:
- Checklist Answers for Risk : "Doing it Now", "Not Needed", or "Does Not Apply"
- Checklist Answers for Risk I: "In the future"
- Checklist Answers for Risk II: "Too Expensive" or "Don't Know"

Individual Authentication of Users

1. Unique individual identifier for each user
2. Automatic logoff after specified time
3. Change passwords often (enforced by system)
4. Weak passwords not allowable
5. System stores password encrypted
6. Uniform User ID across organization
7. Incentives to reduce key account sharing
8. Biometric (fingerprint, retinal scan, etc.)
9. Different security for terminals or computers in different locations
10. Account canceled when employee leaves
11. Emergency access procedures for forgotten password
12. Policies and procedures in place for Authentication
13. Policies and procedures strictly enforced (even fines)

Individual Authentication of Users: Min / Max Risk Score

Access Controls

1. Access control list for each file or database
2. Access control lists UserID based
3. Role based access profiles
4. Access overrides for emergencies
5. Simple access control (All or nothing)
6. Gross granularity control (Screen based, or application based)
7. Medium granularity control (Record based, or role based algorithm)
8. Fine granularity control (Field based, or UserID based algorithm)
9. Multiple parameters (e.g. UserID, role, physical location, function, etc.)
10. Policies and procedures in place for Access Control, and to determine legitimate need
11. Policies and procedures strictly enforced (even fines)

Access Controls: Min / Max Risk Score

Monitoring of Access

1. System imposed audit trails
2. Software controlled audit trails
3. Transaction log, file level, record level, field level audit trails (indicate which)
4. Write or change data audit trail
5. Read, display, print data audit trail
6. Automatic display of "last access" to the next user, to allow self-audit by all users
7. Periodic management reports of exceptions and/or all access (indicate which)
8. Internal periodic audit of audit trails
9. Policies and procedures in place for Access Monitoring, to detect misuse and violations
10. Policies and procedures strictly enforced (even fines)

Monitoring of Access: Min / Max Risk Score

Physical Security and Disaster Recovery

1. Secure computer room
2. Secure access to displays and printers
3. Network security, no external network access
4. Secure destruction of printouts, floppies, etc.
5. Secure destruction of obsolete equipment
6. Burglar alarm monitored by Police
7. Secure backup, storage and retrieval
8. Multiple and/or off-site backup storage sites
9. Disaster recovery plan in place
10. Disaster recovery plan periodically tested
11. Working emergency data access plan in place in case of disaster
12. Business continuity plan developed to promote operations recoverability and non-disruption of critical functions (even if via alternative means)
13. Policies and procedures in place for Physical Security and Disaster Recovery
14. Policies and procedures strictly enforced (even fines)
15. Security maintained 100% in disaster recovery mode

Physical Security & Disaster Recovery: Min / Max Risk Score

Protection of Remote Access Points and Protection of External Electronic Communications

1. Firewall for Internet access
2. Encryption Required for Sensitive and ePHI
3. Healthcare data available to external network only via secure and authenticated methods
4. Authentication required for Internet and Extranet users
5. Dial-in protections (e.g. Caller-ID, callback, encryption)
6. Mobile access (laptop/handheld/cell phone) physical protection and data encryption
7. Healthcare data over Infrared or Radio links encrypted and authenticated
8. Control IP addresses, prevent IP spoofing
9. Periodic verification / maintenance of security measures
10. Policies and procedures in place for protection of remote / external access
11. Policies and procedures strictly enforced (even fines)
12. Periodic user training on required procedures

Remote Access Pts & Ext Comm: Min / Max Risk Score

Malicious and/or Inappropriate Software Protection

1. Virus checking all files
2. Virus checking electronic mail
3. Anti-Spyware tool actively used
4. Control PC software loading and/or usage
5. Version control / Change control in use
6. Policies and procedures in place to manage for assurance of software discipline
7. Policies and procedures strictly enforced (even fines)
8. Periodic user training on required procedures

Malicious/Inappropriate Software: Min / Max Risk Score

Organizational Practices

1. Designation of an information security officer in the department, clinic, practice plan or other unit
2. Awareness education and training programs for all employees, medical staff, agents and contractors
3. Organizational sanctions for violation of policies and procedures
4. Periodic security reminders. User education
5. Written security policies and documentation
6. Signed statement by all employees regarding confidentiality of records
7. Defined escalation procedures, including contact names and numbers, for security issues
8. Personnel clearance procedure

Organizational Practices: Min / Max Risk Score

SECTION THREE - SECURITY MIN / MAX RISK SCORE: 1,580 / 4,740

GRAND TOTAL - MIN / MAX RISK SCORE: 3,065 / 9,195
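The Section Three checklist asks whether write/change and read/display/print audit trails exist, whether periodic exception reports are produced, whether the next user is shown the "last access", and whether accounts are cancelled when an employee leaves. The Python below is an added example, not part of the University of Louisville form, showing how such audit-trail checks can be run as an exception report; the log format, staff directory, role profiles and sample log lines are all constructed for the example and do not reflect any real EHR product.

```python
"""Exception report over a constructed ePHI access audit trail.

Rules implemented (mapped to Section Three checklist items):
  - unknown account            -> "Unique individual identifier for each user"
  - terminated-account access  -> "Account canceled when employee leaves"
  - action outside role        -> "Role based access profiles" / write audit trail
  - bulk read/display/print    -> "Periodic management reports of exceptions"
  - last_access()              -> "Automatic display of 'last access' to the next user"
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed staff directory: role, department and optional termination date.
DIRECTORY = {
    "jdoe":   {"role": "physician", "dept": "cardiology", "terminated": None},
    "asmith": {"role": "clerk",     "dept": "cardiology", "terminated": None},
    "rlee":   {"role": "resident",  "dept": "oncology",   "terminated": "2013-03-31"},
}

# Constructed role profiles: audit actions each role is permitted to generate.
ROLE_PROFILE = {
    "physician": {"read", "display", "print", "write"},
    "resident":  {"read", "display", "write"},
    "clerk":     {"read", "display"},
}

# Constructed sample audit trail, one event per line: timestamp|user|action|record|terminal
SAMPLE_LOG = """\
2013-04-02T08:01:10|jdoe|read|MRN1001|ws-card-01
2013-04-02T08:05:43|asmith|write|MRN1001|ws-card-02
2013-04-02T09:12:00|rlee|display|MRN2044|ws-onc-07
2013-04-02T09:12:05|jdoe|read|MRN1002|ws-card-01
2013-04-02T09:12:06|jdoe|read|MRN1003|ws-card-01
2013-04-02T09:12:07|jdoe|read|MRN1004|ws-card-01
2013-04-02T09:12:08|jdoe|read|MRN1005|ws-card-01
2013-04-02T09:12:09|jdoe|read|MRN1006|ws-card-01
2013-04-02T09:12:10|jdoe|read|MRN1007|ws-card-01
"""

READ_LIKE = {"read", "display", "print"}
BULK_READ_THRESHOLD = 5  # distinct records per user within one minute (constructed value)


def parse_line(line):
    """Split one pipe-delimited audit event into a dict with a parsed timestamp."""
    ts, user, action, record, terminal = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "record": record, "terminal": terminal}


def exception_report(log_text, directory=DIRECTORY, profile=ROLE_PROFILE):
    """Return (user, rule, detail) findings: per-event rules in log order,
    then bulk-read findings sorted by user and minute."""
    findings = []
    reads_per_minute = defaultdict(set)  # (user, "YYYY-MM-DDTHH:MM") -> records touched
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        entry = directory.get(ev["user"])
        if entry is None:  # no individual identifier on file for this account
            findings.append((ev["user"], "unknown-account", line.strip()))
            continue
        if entry["terminated"] and ev["ts"].date() > date.fromisoformat(entry["terminated"]):
            findings.append((ev["user"], "terminated-account-access", line.strip()))
        if ev["action"] not in profile.get(entry["role"], set()):
            findings.append((ev["user"], "outside-role-profile", line.strip()))
        if ev["action"] in READ_LIKE:
            reads_per_minute[(ev["user"], ev["ts"].strftime("%Y-%m-%dT%H:%M"))].add(ev["record"])
    for (user, minute), records in sorted(reads_per_minute.items()):
        if len(records) >= BULK_READ_THRESHOLD:
            findings.append((user, "bulk-read", f"{len(records)} records at {minute}"))
    return findings


def last_access(log_text):
    """Per record, the most recent (user, timestamp): what the next user would be
    shown as 'last access' so that every user can self-audit their chart."""
    latest = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev["record"] not in latest or ev["ts"] > latest[ev["record"]][1]:
                latest[ev["record"]] = (ev["user"], ev["ts"])
    return latest


if __name__ == "__main__":
    for user, rule, detail in exception_report(SAMPLE_LOG):
        print(f"{rule:26} {user:8} {detail}")
    for record, (user, ts) in sorted(last_access(SAMPLE_LOG).items()):
        print(f"last access {record}: {user} at {ts.isoformat()}")
```

On the sample trail the report flags the clerk's write, the terminated resident's chart display, and the physician's six-record read burst within one minute.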


More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

HIPAA PRIVACY OVERVIEW

HIPAA PRIVACY OVERVIEW HIPAA PRIVACY OVERVIEW OBJECTIVES At the completion of this course, the learner will be able to: Define the Purpose of HIPAA Define Business Associate Identify Patients Rights Understand the Consequences

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

HIPAA Orientation. Health Insurance Portability and Accountability Act

HIPAA Orientation. Health Insurance Portability and Accountability Act HIPAA Orientation Health Insurance Portability and Accountability Act HIPAA Federal legislation enacted in 1996 to improve the efficiency and effectiveness of electronic information transfers used in the

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

Guadalupe Regional Medical Center

Guadalupe Regional Medical Center Guadalupe Regional Medical Center Health Insurance Portability & Accountability Act (HIPAA) By Debby Hernandez, Compliance/HIPAA Officer HIPAA Privacy & Security Training Module 1 This module will address

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act.

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

HIPAA Privacy & Security Training for Clinicians

HIPAA Privacy & Security Training for Clinicians HIPAA Privacy & Security Training for Clinicians Agenda This training will cover the following information: Overview of Privacy Rule and Security Rules Using and disclosing Protected Health Information

More information

I P A A P R I V A C Y R U L E I.

I P A A P R I V A C Y R U L E I. HIPAA Task List from regulations minimum requirements H I P A A P R I V A C Y R U L E I. Individual Rights/Communications Notice of Privacy Practices Develop model notice(s) P&Ps for distributing notices

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman, Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman, Department of Biomedical Informatics Vanderbilt University School

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources Southern Law Center Law Center Policy #IT0014 Title: Privacy Expectations for SULC Computing Resources Authority: Department Original Adoption: 5/7/2007 Effective Date: 5/7/2007 Last Revision: 9/17/2012

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

HIPAA Security Matrix

HIPAA Security Matrix HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software

More information

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the

More information

HIPAA Compliance Policies and Procedures. Privacy Standards:

HIPAA Compliance Policies and Procedures. Privacy Standards: Privacy Standards: Policy Name: Protected Health Information Policy #: 1-01 Reference: 45 CFR 164 Performance Physical Therapy will not use or disclose protected health information without the consent

More information

How To Ensure Your Office Meets The Privacy And Security Requirements Of The Health Insurance Portability And Accountability Act (Hipaa)

How To Ensure Your Office Meets The Privacy And Security Requirements Of The Health Insurance Portability And Accountability Act (Hipaa) HIPAA - Privacy And Security Audit For Provider Practices THIS IS A MODEL AUDIT. IT WILL NEED TO BE CHANGED TO MEET THE PARTICULAR NEEDS AND CIRCUMSTANCES OF ANY TRUSTED SOURCES DEVELOPING AN AUDIT. The

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior

More information

A Privacy and Information Security Guide for UCLA Workforce. HIPAA and California Privacy Laws

A Privacy and Information Security Guide for UCLA Workforce. HIPAA and California Privacy Laws A Privacy and Information Security Guide for UCLA Workforce HIPAA and California Privacy Laws A Privacy and Information Security Guide for UCLA Workforce HIPAA and California Privacy Laws Table of Contents

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

Preparing for the HIPAA Security Rule

Preparing for the HIPAA Security Rule A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Jeff M. Bauman, Psy.D. P.A. and Associates FLORIDA-HIPAA PRIVACY NOTICE FORM

Jeff M. Bauman, Psy.D. P.A. and Associates FLORIDA-HIPAA PRIVACY NOTICE FORM Jeff M. Bauman, Psy.D. P.A. and Associates FLORIDA-HIPAA PRIVACY NOTICE FORM Notice of Psychologists Policies and Practices to Protect the Privacy of Your Health Information THIS NOTICE DESCRIBES HOW PSYCHOLOGICAL

More information

SCDA and SCDA Member Benefits Group

SCDA and SCDA Member Benefits Group SCDA and SCDA Member Benefits Group HIPAA Privacy Policy 1. PURPOSE The purpose of this policy is to protect personal health information (PHI) and other personally identifiable information for all individuals

More information

Advanced HIPAA Security Training Module

Advanced HIPAA Security Training Module Advanced HIPAA Security Training Module The Security of Electronic Information Copyright 2008 The Regents of the University of California All Rights Reserved The Regents of the University of California

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

What Virginia s Free Clinics Need to Know About HIPAA and HITECH What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics

More information

The Ministry of Information & Communication Technology MICT

The Ministry of Information & Communication Technology MICT The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

HIPAA Security and HITECH Compliance Checklist

HIPAA Security and HITECH Compliance Checklist HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians

More information

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 rusty@husemanhealthlaw.com use e Health care law firm fighting

More information

Krengel Technology HIPAA Policies and Documentation

Krengel Technology HIPAA Policies and Documentation Krengel Technology HIPAA Policies and Documentation Purpose and Scope What is Protected Health Information (PHI) and What is Not What is PHI? What is not PHI? The List of 18 Protected Health Information

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

The Second National HIPAA Summit

The Second National HIPAA Summit HIPAA Security Regulations: Documentation and Procedures The Second National HIPAA Summit Healthcare Computing Strategies, Inc. John Parmigiani Practice Director, Compliance Programs Tom Walsh, CISSP Practice

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

HIPAA: Bigger and More Annoying

HIPAA: Bigger and More Annoying HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) laney@laneykay.com www.laneykay.com OFFICIAL

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

Data Compliance. And. Your Obligations

Data Compliance. And. Your Obligations Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection

More information

HIPAA Compliance for Students

HIPAA Compliance for Students HIPAA Compliance for Students The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the United States Congress. It s intent was to help people obtain health insurance benefits

More information

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012 HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

HIPAA Refresher. HIPAA Health Insurance Portability & Accountability Act

HIPAA Refresher. HIPAA Health Insurance Portability & Accountability Act HIPAA Health Insurance Portability & Accountability Act This presentation and materials provided are for informational purposes only. Please seek legal advisor assistance when dealing with privacy and

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Pacific Medical Centers HIPAA Training for Residents, Fellows and Others

Pacific Medical Centers HIPAA Training for Residents, Fellows and Others Pacific Medical Centers HIPAA Training for Residents, Fellows and Others Summary of Critical Pacific Medical Centers (PMC) HIPAA Policies and Procedures For additional information or questions, please

More information