Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives



Similar documents
Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

What does HIPAA Compliant mean? Session 137 April 15, 2015

Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh

HIPAA Security Risk Analysis for Meaningful Use

Does Your Information Security Program Measure Up? Session #74

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

HIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates

OCR/HHS HIPAA/HITECH Audit Preparation

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

OCR HIPAA AUDITS THEY RE BACK!

Q: How does a provider know if their system has encryption? Do big services (gmail, yahoo, hotmail, etc.) have built-in encryption?

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

What Are The Odds Of a HIPAA Audit?

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

HIPAA Myths. WEDI Member Town Hall. Chris Apgar, CISSP Apgar & Associates

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives

Surviving a HIPAA Audit: What you need to know NOW So you can cope THEN. Jonathan Krasner

What do you need to know?

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

HIPAA COMPLIANCE PLAN FOR 2013

HIPAA Security Overview of the Regulations

Nine Network Considerations in the New HIPAA Landscape

THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE

HIPAA compliance audit: Lessons learned apply to dental practices

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

How to Leverage HIPAA for Meaningful Use

Can Your Diocese Afford to Fail a HIPAA Audit?

HIPAA and HITECH Compliance for Cloud Applications

Security Is Everyone s Concern:

HIPAA Compliance: Efficient Tools to Follow the Rules

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Locking Down the Cloud for Healthcare. Kurt Hagerman Chief Information Security Officer

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September Nashville Knoxville Memphis Washington, D.C.

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

Proofpoint HIPAA Breach Report:

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

2016 OCR AUDIT E-BOOK

What s New with HIPAA? Policy and Enforcement Update

Understanding HIPAA Regulations and How They Impact Your Organization!

HIPAA Audits Are Happening. eroi

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

HIPAA: Compliance Essentials

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014

HIPAA WEBINAR HANDOUT

Legal Issues in Medical Office Use of Social Media. James F. Doherty, Jr. Pecore & Doherty, LLC Columbia, Maryland

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Guided HIPAA Compliance

HIPAA in an Omnibus World. Presented by

The Impact of HIPAA and HITECH

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

Sustainable Compliance: A System for Ongoing Audit Readiness

Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014

HIPAA security rules of engagement

HIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer

The HIPAA Audit Program

HIPAA Security & Compliance

MEANINGFUL USE DESK AUDIT

Overview of the HIPAA Security Rule

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

Tatiana Melnik Tampa, FL

Outline. Outline. What is HIPAA? I. HIPAA Compliance II. Why Should You Care? III. What Should You Do Now?

What is required of a compliant Risk Assessment?

Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

HIT Audit Workshop. Jeffrey W. Short.

HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply

Raymond: Beyond Basic HIPAA - GSHA Convention HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP

Healthcare Horizons Webinar Series:

HIPAA Violations Incur Multi-Million Dollar Penalties

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Part 14: USB Port Security 2015

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Outline. Learning Objectives 9/23/2013. HIPAA Headline

Meaningful Use and Security Risk Analysis

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Preparing for the HIPAA Security Rule

Preparing for and Responding to an OCR HIPAA Audit

Checklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Secure Endpoint Management. Presented by Kinette Crain and Brad Lewis

A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK

Am I a Business Associate?

Are You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK

Transcription:

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR) to your CEO stating that the organization is being audited. Included with the letter is a list of requested documentation that needs to be sent within 15 business days. Do you have everything you need to respond to the document request and pass an audit? How confident are you that you will pass an audit? Session Objectives Upon successful completion of today s session, participants should be able to: 1. Identify the three types of OCR audits 2. Explain the type of documentation that could be needed prior to and during an audit 3. Leverage the HIPAA Audit Program Protocol, as a way to evaluate compliance 4. Begin building a book of evidence 1

Introduction Tom Walsh Certified Information Systems Security Professional (CISSP) 11 years Tom Walsh Consulting (tw-security) Co-authored four books on security Former information security manager for large healthcare system in Kansas City, MO A little nerdy, but overall, a nice guy Preparing for an Audit from the Office for Civil Rights (OCR) Timeline of Compliance Audits Date Action Taken 2008 2009 CMS HIPAA Compliance Reviews 2012 HIPAA Security audits conducted by KPMG June 2012 November 2012 HIPAA Audit Program Protocol released Medicare EHR incentive program audits 2

Three Types of OCR Audits 1. Investigation Trigger: Reported breach or patient complaint 2. Random (HIPAA Compliance) Trigger: Not sure how entities get selected 3. Meaningful Use Trigger: Entity received incentive money Investigation Audits Investigation OCR Audits Focused audits that are event driven Incident or breach Compliant from patient Whistleblower report Audit scope may widen if there is evidence of willful negligence Settlement results are typically: Penalties or fines Corrective Action Plan (CAP) 3

Investigation OCR Audits Samples of the evidence needed: Policies and procedures that were in place at the time of the incident or breach OCR will examine the meta data Date on documents must be before the letter is received Audit logs or audit reports Training content and records Agreements or forms signed by the worker(s) Emails What is the retention requirement for HIPAA compliance? Investigation OCR Audits Corrective Action Plans (sample) Examination of policies and procedures Implementation of revised policies and procedures Education or training of the workforce Risk management Annual reports to the OCR (from 1 to 3 years) Investigation OCR Audits OCR has levied fines and corrective action plans against more than 20 organizations: Idaho State University ($400,000) Alaska Department of Health and Social Services ($1.7 million) Blue Cross and Blue Shield of Tennessee ($1.5 million) UCLA Health System ($865,000) Massachusetts General Hospital ($1 million) Cignet Health ($4.3 million) Rite Aid ($1 million) CVS/pharmacy ($2.2 million) Phoenix Cardiac Surgery ($100,000) Providence Health & Services ($100,000) The Hospice of North Idaho ($50,000) 4

Random Audits Random OCR Audits #1 February 2009 The Department of Health and Human Services (HHS) through the Office for Civil Rights (OCR) is mandated (HITECH Act Section 13411) to provide periodic audits to make sure that covered entities and business associates comply with the requirements of HIPAA privacy and security On June 10, 2011, HHS awarded to KPMG a $9.2 million contract to create an audit protocol and then conduct random audits as part of the pilot program Random OCR Audits #2 By December 31, 2012 115 audits were conducted by KPMG Fiscal year 2014 Start of a permanent audit program OCR officials also indicated that business associates, as well as covered entities, will be audited in the permanent program because they're liable for HIPAA compliance under the HIPAA Omnibus Rule. A major weakness found during the pilot audit program, as well as through OCR breach investigations, has been a lack of thorough risk analysis, he added. [Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights as quoted in an article] 5

HIPAA Audit Program Protocol Three components: 1. Privacy 2. Security 3. Breach Notification OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review. Source: HHS website http://ocrnotifications.hhs.gov/hipaa.html HIPAA Audit Program Protocol (SAMPLE) Missing from the Protocol? Tablet Smartphone Mobile devices Personally-owned devices Portable media External hard drives and USB thumb drives Data loss prevention Data leakage Change control Configuration management BYOD Mobile device management Wireless networks Texting Secure messaging Web portal Secure website (https) Router, switch, firewall Networking scans Penetration testing 6

Also Missing Biomed or Biomedical Devices Cloud Telecommute (such as remote coding and remote transcription) Telemedicine Teleradiology Social Security Numbers Software licensing (illegal software) Payment Card Industry Data security Standard (PCI DSS) Audit Test Procedures For each criteria, there are typically three stated measures within the audit procedures: 1. Inquire of management (Perception) 2. Obtain some type of document (Policy) 3. Observe validate the safeguard and control is being followed (Practice) The three P s need to align: 1. Perception 2. Policy 3. Practice Audit Test Procedures A common Audit Procedure that would pertain to standards, policies, procedures, plans or any other forms of documentation Determine if the covered entity's formal or informal policy and procedures have been updated, reviewed, and approved and on a periodic basis. 1. Updated 2. Reviewed 3. Approved 7

Audit Test Procedures For any of the 22 Addressable Implementation Specifications of the HIPAA Security Rule the same phrase is repeated: If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so This needs to be documented in your book of evidence Create a Book of Evidence Proof of compliance - required by HIPAA Identify and fill the gaps Minimize the time required to respond to a request for documentation Once you are notified, the clock is ticking (15 days) Avoid making a bad first impression Perception is the only reality Being disorganized does not make a good impression on the OCR auditor Create a Book of Evidence Two types of documentation in the book of evidence: In response to the audit notification letter (see additional handout) During the fieldwork while the auditors are onsite (see additional handout) 8

What Drives the Audit Agenda? Prior audit findings from other OCR audits Reported breaches to HHS and common weaknesses that plague all of healthcare Your own policies Say what you do. Do what you say. Your risk analysis and remediation plan Let s learn from others CMS Audit Reports 2008 2009 Seven common areas of concern 1. Risk Assessment 2. Currency of Policies and Procedures 3. Security Awareness and Training 4. Workforce Clearance 5. Workstation Security 6. Encryption 7. Business Associate Contracts and Other Arrangements CMS Audit Reports 2012 Source: 2012 HIPAA Privacy and Security Audits, Linda Sanches, OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits 9

Meaningful Use Meaningful Use Stage 1 Objective: Ensure adequate privacy and security protections for personal health information Measure: Conduct or review a security risk analysis in accordance per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Meaningful Use, Stage 1 Audits Protect Electronic Health Information (Core #14 Hospitals; Core #15 - Eligible Professionals) Proof that a security risk analysis of the certified EHR technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis). If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates. 10

Sample Cover Letter Sample Document Request Meaningful Use, Stage 1 Audits OCR conducts audits for HIPAA privacy and security rule compliance. Providers in the CMS EHR incentive programs may also receive a random audit from CMS to determine if they actually conducted the security risk analysis and implemented adequate safeguards. Source: Guide to Privacy and Security of Health Information, released in May 2012 11

What does the ONC say about, Risk Analysis? 12

Looking Ahead MU Stage 2 For security Essentially the same requirement as Meaningful Use Stage 1, except This time the risk analysis must address, encryption / security of data at rest Meaningful Use Stage 2 Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP s risk management process. Threats to Data at Rest Unauthorized access to a database or files on a server, SAN, or NAS Theft or loss of media (tapes, CDs, DVDs, USB drives, external hard drives, memory cards, etc.) or mobile devices (laptops, tablets, smartphones, etc.) that store PHI or other confidential information Hacking of the database or hijacking of a database Reuse or disposal of a device which may contain PHI Unauthorized access to confidential information stored on a workstation, laptop, tablet or smartphone Malicious code (virus, worm, etc.) Deletion of data or files (unintentionally or intentionally) Encryption key management (user forgets how to unencrypt data) or media is no longer readable (hardware failure or old media format) 13

Other Things to Consider HIPAA Compliance Business Associates Omnibus Rule: Compliance by September 23, 2013 Small business associates Are they compliant? No audit protocol yet for business associates Physician group practices and clinics Hospitals are buying up physician practices Immediately assume the liability for noncompliance with Meaningful Use and HIPAA Resources HIPAA Audit Program Protocol http://ocrnotifications.hhs.gov/hipaa.html Article: HIPAA Audits: More to Come in 2014 By Marianne Kolbasuk McGee, September 23, 2013 http://www.govinfosecurity.com/hipaa-audits-more-to-come-in-2014-a-6090 Presentation: 6 Steps to Showing HIPAA Privacy/Security Compliance http://www.healthdatamanagement.com/gallery/six-steps-to-showing-hipaa- privacy-compliance-46619-1.html?et=healthdatamanagement:e4239:3644364a:&st=email&utm_source= editorial&utm_medium=email&utm_campaign=hdm_daily_011314_011014 14

Questions? Thank You! Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS www.tomwalshconsulting.com tom.walsh@tw-security.com 913-696-1573 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information