Alert: Commencement of HIPAA Phase II audit program




April 2016

Consistent with its duties to assess and enforce compliance with the HIPAA Privacy, Security and Breach Notification Rules, the Health & Human Services Office for Civil Rights (OCR) recently announced the commencement of its next phase of audits of covered entities and their business associates. The 2016 Phase II HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security and Breach Notification Rules (collectively, the HIPAA Rules).

Phase I finalization

HIPAA established important national standards for the privacy and security of protected health information (PHI), and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk. HITECH requires OCR to conduct periodic audits of covered entity and business associate compliance with the HIPAA Rules. In 2011 and 2012, OCR implemented a pilot audit program to assess HIPAA compliance by 115 covered entities. Drawing on the experience of Phase I and the results of related process evaluations, OCR is now implementing Phase II of the program, which will audit both covered entities and business associates. As part of this program, OCR is developing enhanced protocols to be used in the next round of audits and pursuing new strategies to test the efficacy of desk audits (an agency audit conducted via email and telephone rather than by onsite visit) in evaluating the compliance efforts of the HIPAA-regulated industries.

Commencement of Phase II: beware the spam filter

Phase II of OCR's HIPAA audit program is currently underway. OCR is obtaining and verifying contact information to identify covered entities and business associates of various types and to determine which are appropriate to be included in potential auditee pools. Communications from OCR will be sent via email and may be incorrectly classified as spam. If an entity's spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam email folder for emails from OCR (OSOCRAudit@hhs.gov). A sample notification letter is available for inspection at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html. The converse caution also applies: because OCR initiates contact by email and collects documents through a web portal, an unexpected "OCR audit" message should be treated as a possible phishing attempt until the sender address and the portal address have been confirmed to belong to hhs.gov.

Who will be audited?

Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services, health plans of all sizes and functions, health care clearinghouses, and a range of business associates of these entities. OCR expects covered entities and business associates to provide the auditors their full cooperation and support.

On what basis will auditees be selected?

For Phase II, OCR is identifying pools of covered entities and business associates that represent a wide range of:
- Health care providers
- Health plans
- Health care clearinghouses
- Business associates

By looking at a broad spectrum of audit candidates, OCR hopes to better assess HIPAA compliance across the industry, factoring in the size, type and operations of potential auditees. Sampling criteria for auditee selection will include:
- Size of the entity
- Affiliation with other health care organizations
- The type of entity and its relationship to individuals
- Whether an organization is public or private
- Geographic factors
- Present enforcement activity with OCR

OCR will not audit entities with an open complaint investigation or those currently undergoing a compliance review.

How will the selection process work?

Once contact information is obtained for a particular entity, a questionnaire designed to gather data about the size, type and operations of potential auditees will be sent to the entity and its business associates. As part of the pre-audit screening questionnaire, OCR is requiring entities to disclose the identity of their business associates. Covered entities are therefore encouraged to prepare a list of each business associate, with contact information, so that they are able to respond to the request. OCR will choose a random sample of entities in the audit pool. Selected auditees will then be notified of their participation.

How will the audit program work?

OCR plans to conduct desk and onsite audits for both covered entities and their business associates. The first set of audits will be desk audits of covered entities, followed by a second round of desk audits of business associates. These audits will examine compliance with specific requirements of the HIPAA Rules, and auditees will be notified of the subject(s) of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016. The third set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits. Some desk auditees may be subject to a subsequent onsite audit.

The audit process will employ common audit techniques. Entities selected for an audit will be sent an email notification of their selection and will be asked to provide documents and other data in response to a document request letter. Audited entities will submit documents online via a new secure audit portal on OCR's website. Auditors will review documentation and then develop and share draft findings with the entity. Auditees will have the opportunity to respond to these draft findings; their written responses will be included in the final audit report. Audit reports will generally describe how the audit was conducted, discuss any findings, and contain entity responses to the draft findings.

What if an entity doesn't respond to OCR's requests for information?

If an entity does not respond to requests for information from OCR, including address verification, the pre-screening audit questionnaire and the document request sent to selected entities, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

What is the general timeline for an OCR audit?

In the coming months, OCR will notify the selected covered entities in writing, through email, about their selection for a desk audit. The OCR notification letter will introduce the audit team, explain the audit process and discuss OCR's expectations in more detail. The letter will also include initial requests for documentation. OCR expects covered entities that are the subject of an audit to submit requested information via OCR's secure portal within 10 business days of the date on the information request. All documents must be submitted digitally via OCR's online portal. After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings. Auditees will have 10 business days to review and return written comments, if any, to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee's response. Thereafter, OCR will share a copy of the final report with the audited entity. While conducting desk audits of covered entities, OCR will replicate the notification and document request process for initiating desk audits of selected business associates. Audited business associates will also receive a copy of the final audit report.

Who will be selected for an onsite audit?

Entities will be notified via email of their selection for an onsite audit. The auditors will schedule an entrance conference and provide more information about the onsite audit process and expectations for the audit. Each onsite audit will be conducted over three to five days onsite, depending on the size of the entity. Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA Rules. As with desk audits, entities will have 10 business days to review the draft findings and provide written comments to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee's response. OCR will share a copy of the final report with the audited entity.

What happens after an audit?

OCR will review and analyze information from the final reports. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate an entity's compliance efforts. OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public.

What about state law?

The scope of the audit program does not extend beyond the HIPAA Rules. Thus, compliance with state laws and local ordinances related to privacy enforcement is not subject to review under the audit program. Also, the audit will not extend to other federal laws, except to the extent operative HIPAA regulations are in place connecting such provisions to the HIPAA Rules.

Who is responsible for paying the onsite auditors?

The Department of Health and Human Services is responsible for the onsite auditors. Neither covered entities nor their business associates are responsible for the costs of the audit program. However, to the extent enforceable breaches are discovered and related penalties are levied, an entity will be responsible for any such payments.

What now?

Covered entities, including all self-funded health plans that do not enjoy HIPAA-excepted status, are encouraged to revisit (or visit, as the case may be) their HIPAA compliance efforts. Ensuring compliance with the HIPAA Rules may require the development of required documents, appointment and training of certain individuals, inspection of the worksite, assessment of technological preparedness, and routine auditing. Clients often find the Four A's Approach to HIPAA Compliance helpful. This approach is outlined in the following sections.

The four A's approach to HIPAA compliance

The key to HIPAA compliance is application of a consistent compliance methodology. Frankly, HIPAA's regulatory burden is so cumbersome that covered entities attempting ad hoc or patchwork HIPAA compliance are likely to find themselves buried in the weeds of a regulatory quagmire. For this reason, it is important to approach HIPAA compliance from a tested methodology. Under the Four A's methodology, clients ensure HIPAA compliance through satisfaction and repetition of predictable tasks along a compliance trajectory, incorporating: (1) appointments, (2) assessments, (3) adoptions, and (4) audits.

Appointments

Covered entities should take this time to ensure their compliance with the appointment-related provisions of the HIPAA Rules. Practically, this means:
- Appointment of the privacy officer
- Appointment of the security officer
- Appointment of privacy contacts
- Appointment of designated individuals

Assessments

Covered entities must also ensure compliance with the assessment provisions of the HIPAA Rules. This means ensuring consistent application and internal enforcement of the covered entity's physical, administrative and technological solutions identified in the HIPAA Rules in terms of safeguards. Reasonable safeguard assessments include, without limitation, the following considerations:

Physical (sample considerations):
- How does the worksite promote or discourage the security and safety of PHI?
- Do monitors face windows?
- Are workstations left unattended and exposed?
- Where and how are paper records maintained?
- Are the appropriate individuals granted access to PHI?
- If granted access to PHI, is a user's level of access appropriately monitored to ensure compliance with the minimum necessary (narrowest disclosure) principle?

Technological (sample considerations):
- Does the covered entity use encryption technology for email?
- Does the security officer have the ability to recall email or, in worst-case scenarios, to shut down the network?
- Can the security officer or a delegate deactivate remote devices?
- Has the covered entity developed a routine technology audit protocol for use in ensuring the continuing satisfaction of its HIPAA Rules compliance objectives?
- Must users appropriately identify themselves on a network through use of a password or other security feature?
- Are user passwords stored in a manner that achieves, or undermines, HIPAA compliance?

Administrative (sample considerations):
- Has the covered entity appointed officers, contacts and designated individuals?
- Are these individuals appropriately trained?
- Do these individuals receive refresher training on a consistent and reasonable basis?
- Does the covered entity maintain training attendance logs and keep copies of training materials?

Breaches & complaints (sample considerations):
- Has the covered entity investigated and resolved any PHI use or disclosure violations?
- Does the covered entity have any pending use or disclosure violations?
- Has the covered entity investigated and resolved any HIPAA-related complaints?
- Does the covered entity have any pending HIPAA-related complaints?

Existing documents, policies & procedures (sample considerations):
- Does the employer have HIPAA documents in place, such as policies, procedures, participant disclosure forms, and executed business associate agreements?
- If the covered entity does not have HIPAA documents in place, has there been any progress toward production of required documents?
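The password-storage question in the technological considerations above is one that a security officer can test directly rather than answer from policy documents. The following is an added example, not code from the original alert or from Willis Towers Watson. It audits a constructed export of a credential store (the username:scheme$fields line format, the sample accounts and the 100,000-iteration floor are assumptions made here, not OCR criteria), flags plaintext passwords and unsalted fast hashes, and shows the hardened alternative beside them: a per-user random salt, PBKDF2-HMAC-SHA256 with a high iteration count, and a constant-time comparison on verification.

```python
"""Audit how a credential store protects user passwords, and show the
hardened alternative.

Added example; not part of the original alert. The export format
(username:scheme$fields) and the sample records are constructed here.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000
MIN_PBKDF2_ITERATIONS = 100_000      # assumed audit floor, not an OCR figure
FAST_HASHES = {"md5", "sha1", "sha256", "sha512"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.

    A fresh random salt per user defeats precomputed (rainbow) tables and
    stops identical passwords producing identical records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def classify_record(value: str) -> str:
    """Grade one stored credential: FAIL, WARN or PASS with the reason."""
    parts = value.split("$")
    scheme = parts[0].lower()
    if scheme == "plain":
        return "FAIL: plaintext password"
    if scheme in FAST_HASHES:
        return f"FAIL: unsalted {scheme}; a fast hash, so offline cracking is cheap"
    if scheme == "pbkdf2_sha256" and len(parts) == 4:
        iterations = int(parts[1])
        salt_len = len(bytes.fromhex(parts[2]))
        if salt_len < SALT_BYTES:
            return f"WARN: pbkdf2 salt is only {salt_len} bytes"
        if iterations < MIN_PBKDF2_ITERATIONS:
            return (f"WARN: pbkdf2 iterations {iterations} below "
                    f"floor {MIN_PBKDF2_ITERATIONS}")
        return "PASS: salted PBKDF2-HMAC-SHA256 with adequate work factor"
    return f"FAIL: unrecognised scheme {scheme!r}"


def audit_store(export: str) -> List[Tuple[str, str]]:
    """Return (username, grade) for every record in the export text."""
    findings = []
    for line in export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        username, value = line.split(":", 1)
        findings.append((username, classify_record(value)))
    return findings


# Constructed sample export. Fixed salts keep the example reproducible;
# real code must use os.urandom as hash_password does by default.
SAMPLE_STORE = "\n".join([
    "# username:scheme$fields",
    "jdoe:plain$Summer2016!",
    "asmith:md5$" + hashlib.md5(b"password").hexdigest(),
    "bjones:sha256$" + hashlib.sha256(b"password").hexdigest(),
    "clee:" + hash_password("correct horse", salt=bytes(16), iterations=1_000),
    "dkim:" + hash_password("correct horse", salt=bytes(range(16))),
])

if __name__ == "__main__":
    for user, grade in audit_store(SAMPLE_STORE):
        print(f"{user:8s} {grade}")
```

Run directly, the script prints one grade per account: the plaintext and unsalted MD5/SHA-256 records fail outright, the low-iteration PBKDF2 record draws a warning, and only the salted, high-iteration record passes. The same classification can be pointed at a real export once the record format is adapted, which makes it a natural line item in the routine technology audit protocol the checklist above asks for.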

Adoptions

Based upon the assessment findings, the covered entity should set about adopting the documents and other items required for HIPAA Rules compliance. Commonly, covered entities need to develop and adopt several types of documents, many of which are listed below:
- Policy & procedure manual for Privacy Rule compliance
- Policy & procedure manual for Security Rule compliance
- Plan resolutions & amendments to adopt privacy & security manuals
- HIPAA disclosure logs
- HIPAA training logs
- Breach logs
- Breach notification letter template
- Participant forms (authorization, waiver, consent)
- Business associate agreements, memorandums of understanding (MOUs), and other third-party agreements
- Physical, administrative & technological safeguards audit protocol (may be incorporated within the policies and procedures manual)

Auditing

Lastly, and perhaps most importantly, the covered entity must ensure the adopted privacy and security specifications are actually working. From a practical perspective, this means internal auditing, both at the macro and micro levels.

At the macro level, the covered entity should audit for assurance with respect to the sufficiency of business associate agreements and other HIPAA-related agreements with third parties. Covered entities should confirm mutual adoption, consistent terminology, and appropriate memorialization of the most recent iteration of HIPAA Rules requirements. Remember, the Privacy, Security, Enforcement & Breach Notification Rules were significantly amended in 2013 (the Omnibus Rule), so documents older than 2013 are likely out of compliance. Also, HIPAA requires each operative document to have an effective date, so a document without an effective date will be deemed insufficient.

At the micro level, auditing compliance under the Security Rule requires the covered entity to test its physical, administrative and technological safeguards to ensure its measures are adequate to defend against, and respond to, immediate threats to the safety and security of electronic PHI (ePHI). With respect to Privacy Rule compliance, covered entities should be able to demonstrate authorization and tracking for uses and disclosures of PHI. Necessarily, this type of ongoing auditing requires thoughtful consideration of the reasonable scope of authority for the covered entity's privacy and security officers.

Resources for clients

At Willis Towers Watson, we take an instructive approach to helping our clients understand and administer their own HIPAA obligations. Through free courses offered on the Willis Towers Watson Compliance Academy, instructional employer guides, template policy and procedure manuals, and one-on-one compliance assistance with attorneys specializing in privacy and security considerations, Willis Towers Watson facilitates a mutual understanding of the seriousness and scope of privacy laws and regulations affecting each of our clients. Also, designed specifically in response to the Phase II Audit Program notice, the Willis Towers Watson Compliance Academy is currently being expanded to include a new HIPAA 104 course to augment the Academy's current HIPAA offerings. HIPAA 104 will be available in May 2016 and will focus on HIPAA Security Rule compliance through the development of adequate physical, administrative and technological safeguards. The program will touch upon all of the Phase II Security Rule audit criteria. If you have questions regarding the Phase II Audit Program, or if you need assistance with your HIPAA compliance efforts, please reach out to your Willis Towers Watson team.

The observations, comments and suggestions we have made in this publication are advisory and are not intended, nor should they be taken, as legal advice. Please contact your own legal adviser for an analysis of your specific facts and circumstances.

Key Contacts

New England
Auburn, ME 207 783 2211
Bangor, ME 207 942 4671
Boston, MA 617 437 6900
Burlington, VT 802 264 9536
Hartford, CT 860 756 7365
Manchester, NH 603 627 9583
Portland, ME 207 553 2131
Shelton, CT 203 924 2994

Northeast
Buffalo, NY 716 856 1100
Morristown, NJ 973 539 1923
Mt. Laurel, NJ 856 914 4600
New York, NY 212 915 8802
Stamford, CT 203 653 2430
Radnor, PA 610 254 7289
Wilmington, DE 302 397 0171

Atlantic
Baltimore, MD 410 584 7528
Knoxville, TN 865 588 8101
Memphis, TN 901 248 3103
Metro, DC 301 581 4262
Nashville, TN 615 872 3716
Norfolk, VA 757 628 2303
Reston, VA 703 435 7078
Richmond, VA 804 527 2343
Rockville, MD 301 692 3025

Southeast
Atlanta, GA 404 224 5000
Birmingham, AL 205 871 3300
Charlotte, NC 704 344 4856
Gainesville, FL 352 378 2511
Greenville, SC 864 232 9999
Jacksonville, FL 904 562 5552
Marietta, GA 770 425 6700
Miami, FL 305 421 6208
Mobile, AL 251 544 0212
Orlando, FL 407 562 2493
Raleigh, NC 704 344 4856
Savannah, GA 912 239 9047
Tallahassee, FL 850 385 3636
Tampa, FL 813 281 2095
Vero Beach, FL 772 469 2843

Midwest
Appleton, WI 800 236 3311
Chicago, IL 312 288 7700
Cleveland, OH 216 861 9100
Columbus, OH 614 326 4722
Detroit, MI 248 539 6600
Grand Rapids, MI 616 957 2020
Milwaukee, WI 262 780 3476
Minneapolis, MN 763 302 7131, 763 302 7209
Moline, IL 309 764 9666
Overland Park, KS 913 339 0800
Pittsburgh, PA 412 645 8506
Schaumburg, IL 847 517 3469

South Central
Amarillo, TX 806 376 4761
Austin, TX 512 651 1660
Dallas, TX 972 715 2194, 972 715 6272
Denver, CO 303 765 1564, 303 773 1373
Houston, TX 713 625 1017, 713 625 1082
McAllen, TX 956 682 9423
Mills, WY 307 266 6568
New Orleans, LA 504 581 6151
Oklahoma City, OK 405 232 0651
San Antonio, TX 210 979 7470
Wichita, KS 316 263 3211

Western
Fresno, CA 559 256 6212
Irvine, CA 949 885 1200
Las Vegas, NV 602 787 6235, 602 787 6078
Los Angeles, CA 213 607 6300
Phoenix, AZ 602 787 6235, 602 787 6078
Portland, OR 503 274 6224
San Diego, CA 858 678 2000, 858 678 2132
San Francisco, CA 415 291 1567
San Jose, CA 408 436 7000
Seattle, WA 800 456 1415

About Willis Towers Watson

Willis Towers Watson (NASDAQ: WLTW) is a leading global advisory, broking and solutions company that helps clients around the world turn risk into a path for growth. With roots dating to 1828, Willis Towers Watson has 39,000 employees in more than 120 territories. We design and deliver solutions that manage risk, optimize benefits, cultivate talent, and expand the power of capital to protect and strengthen institutions and individuals. Our unique perspective allows us to see the critical intersections between talent, assets and ideas: the dynamic formula that drives business performance. Together, we unlock potential. Learn more at willistowerswatson.com.

Copyright 2016 Willis Towers Watson. All rights reserved. WTW-NA-2016-15527