OIG Security Audit: What You Need To Know

Similar documents
OIG Security Audits of EHR Incentive Program Participants

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments

Preparing for HIPAA and Meaningful Use Compliance Audits

5/11/2015 AGENDA ROUNDTABLE PARTICIPANTS TALES FROM THE FRONTLINES OF MEANINGFUL USE: FOCUS ON OPTOMETRY

Electronic Health Record Incentive Program Update May 29, Florida Health Information Exchange Coordinating Committee

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Sustainable Compliance: A System for Ongoing Audit Readiness

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

View the Replay on YouTube. Sustainable HIPAA Compliance: Enhancing Your Epic Reporting. FairWarning Executive Webinar Series October 17, 2013

Semi-Annual Blueprint Conference October 20, 2014

Meaningful Use Audits. NextGen Physician Consulting Services

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA COMPLIANCE PLAN FOR 2013

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Preview of the Attestation System for the Medicare Electronic Health Record (EHR) Incentive Program

Community Health Center Association of Connecticut Meaningful Use: Audit Preparedness And Other Challenges February 12, 2015

HIPAA: Compliance Essentials

Who are we? *Founded in 2005 by Purdue University, the Regenstrief Center for Healthcare Engineering, and the Indiana Hospital Association.

Checklist and Related Guidance for Meaningful Use Audits

Meaningful Use Audit Red Flags: Pay Careful Attention To The Security Risk Analysis - Or Else

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Don t Panic! Surviving a Meaningful Use Audit October, 2014

PREPARING FOR EMR PROGRAM SUCCESS IN /10/2015. December 15, Travis Skinner, CPA Senior Managing Consultant

Stage 2 Medical Billing and reconciliation of Patients

HIPAA Security Risk Analysis for Meaningful Use

HIPAA - Breaking News!

Become Audit Proof. What You Need To Know To Protect Your Practice

HITRUST CSF Assurance Program

Securing Patient Portals

How to Leverage HIPAA for Meaningful Use

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

Meaningful Use Stage 2. Meeting Meaningful Use Stage 2 with InstantPHR TM.

Objectives 5/5/2015. Quality Health Associates (QHA) of ND

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

WHAT JUST HAPPENED TO THE EMR PROGRAM?

HIT Audit Workshop. Jeffrey W. Short.

Meaningful Use Preparedness 07/24/2015

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Bridging the HIPAA/HITECH Compliance Gap

10/19/2015. Meaningful Use: Current and Future Environment. Agenda. MGMA Annual Conference Nashville, TN October 13, 2015

How to prepare your organization for an OCR HIPAA audit

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1

HIPAA Security Alert

Big Data, Big Risk, Big Rewards. Hussein Syed

Meaningful Use and Security Risk Analysis

HIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

The Advantages and Disadvantages of Having a CEHRT in 2015

U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Health Resources and Services Administration

Electronic Health Record (EHR) Incentive Program. Meaningful Use Frequently Asked Questions Webinar

Meaningful Use: Terms & Timelines, Changes to Stage 1, and Stage 2 Overview

MEANINGFUL USE DESK AUDIT

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Medicaid EHR Incentive Program Eligible Hospitals. New Hampshire Department of Health and Human Services Office of Medicaid Business and Policy

Improve the Quality of Care and Earn $12,000 A simple guide to understanding the Medicare EHR Incentive program, from registration through

Meaningful Use: Registration & Attestation Eligible Professionals

Eligible Professionals (EPs) Purdue Research Foundation

HITECH and Meaningful Use - An Overview - To Enrich Lives Through Effective And Caring Service

Eligible Professionals

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Meaningful Use Stage 2 & HIPAA: The Relationship between HIPAA and Meaningful Use Privacy & Security Regulations View the Replay on YouTube

Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

CMS Medicaid Electronic Health Record (EHR) Incentive Programs 2015 Final Rule Overview Meaningful Use

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

CPCA Meaningful Use Boot Camp October 22, 2014 Parking Lot Q&A

How To Protect Your Health Care From Being Stolen From Your Computer Or Cell Phone

29 OIG 2014 Work Plan explores new compliance projects: Part 2. Nathaniel Lacktman

Medicaid EHR Incentive Program Updates ehealth Services and Support September 24, 2014

Stage 2 Meaningful Use What the Future Holds. Lindsey Wiley, MHA HIT Manager Oklahoma Foundation for Medical Quality

Empowering Nurses & Building Trust Through Health IT

Supplier Security Assessment Questionnaire

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Meaningful Use: Stage 1 and 2 Hospitals (EH) and Providers (EP) Lindsey Mongold, MHA HIT Practice Advisor Oklahoma Foundation for Medical Quality

Preparing for Meaningful Use Stage 2 Bill Beighe, CIO Becky Shoemaker, HIE Project Manager

Meaningful Use Stages 1 and 2 and How to Survive a Meaningful Use Audit. Charles Jarvis, Senior Manager

ERC Incentive Program - Overview and Tips

Medicare & Medicaid EHR Incentive Programs Elizabeth S. Holland, MPA Director, HIT Initiatives Group Office of E-Health Standards & Services, CMS

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes

Iowa Medicaid Health Information Technology (HIT) and Electronic Health Record (EHR) Incentive Payment Program for Eligible Professionals

Hospital Certified Electronic Health Record (EHR) Technology Questionnaire

Considering Meaningful Use Participation when Acquiring a Hospital or Professional Practice

Iowa Medicaid Health Information Technology (HIT) and Electronic Health Record (EHR) Incentive Payment Program for Eligible Hospitals

Stage 2 EHR Incentive Programs Supporting Documentation For Audits Last Updated: February 2014

Why Lawyers? Why Now?

CMS Meaningful Use Proposed Rule

Healthcare and IT Working Together KY HFMA Spring Institute

The Medicare and Medicaid EHR incentive

Meaningful Use Update

What s New with HIPAA? Policy and Enforcement Update

Medicaid EHR Incentive Program Dentists as Eligible Professionals. Kim Davis-Allen, Outreach Coordinator

Participation Agreement Medicaid Provider Program

HIPAA Security Compliance Reviews

Electronic Health Record (EHR) Incentive Program. Stage 2 Final Rule Update

Meaningful Use of EHR. Presenter:

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Ensuring Privacy & Security of Patient Information

Achieving Meaningful Use in Presented by the SFREC

Transcription:

Watch the Replay on YouTube OIG Security Audit: What You Need To Know Executive Series Webinar July 23rd, 2015

Today s Speakers Elana R. Zana Attorney & Author Ogden Murphy Wallace P.L.L.C. ezana@omwlaw.com Chuck Burbank Director of Managed Privacy Services FairWarning, Inc. Chuck@FairWarning.com Brian Stone Manager, Customer Success FairWarning, Inc. Brian@FairWarning.com

Agenda OIG Work Plans Expectations - What OIG investigators will look for CMS vs OIG OIG audits related to Meaningful Use Audit readiness plan Audit controls Mapping to Audit protocols

OIG Audits Elana Zana ezana@omwlaw.com 206-442-1308

OIG Work Plans Target HIPAA & EHR 2014 Work Plan Security of Certified Electronic Health Record Technology under Meaningful Use 2015 Work Plan Security of Certified Electronic Health Record Technology under Meaningful Use Hospitals electronic health record system contingency plan 5

Multiple Government Entities Auditing HIPAA Security 6

OIG Security Audits

Security of Certified EHR Technology under Meaningful Use We will perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology Furthermore, business associates that transmit, process, and store EHRs for Medicare/Medicaid providers are playing a larger role in the protection of electronic health information. Therefore, audits of cloud service providers and other downstream service providers are necessary to assure compliance with regulatory requirements and contractual agreements. 8

OIG Refuses Request For Information No information publicly available about: Audit Process How to prepare for an audit Penalties related to audit results Number of hospitals undergoing an audit Audit reports Benchmarks & best practices used as comparisons 9

Rumor Has It OIG Security Audit is not focused on individual entities, but is part of a comprehensive report that the OIG is developing based on its findings. 10

EHR Incentive Program Audits: Double Jeopardy 11

EHR Incentive Program Audits: Double Jeopardy 12

CMS vs. OIG 1. Meaningful Use Core Measure: Protect Electronic Health Information 2. To measure the objective, eligible hospitals must conduct security risk analysis of certified EHR technology per federal regulations 3. Figliozzi requests copy of Security Risk Analysis does not analyze adequacy of Security Risk Analysis 4. Failure of CMS audit = Return of Meaningful Use $$$ 13

CMS vs. OIG 1. OIG deeper dive into EHR security 2. Business Associates with access to EHR 3. Focus on EHR cloud service providers & EHR vendor 4. On-site Audit (2-3 weeks) 5. Interviews 6. Failure of OIG Audit = Fraud??? 14

OIG Audit Questionnaire 17 areas of interest including: EHR Risk Assessment, Audits & Reports EHR Security Plan Organizational Chart Network diagram EHR websites & Patient Portals Policies and Procedures System Inventory Tools used to perform vulnerability scans Central Log and Event Reports EHR System Users List of contractors supporting EHR & Network Perimeter Devices 15

Audit Question: Network Diagram Provide the EHR network diagram (or network map) that shows your EHR network architecture including external connections. 16

Audit Question: Policies & Procedures Provide copies of policies related to: a. risk assessment b. plan of action and milestones/corrective action plans c. incident response d. encryption e. patch management f. access controls g. audit logging and/or audit controls 17

OIG Meaningful Use Audits

Medicare Meaningful Use Attestations Figliozzi Audits = 1 Year, only one Stage OIG Audits = Several Years, Possibly Stage 1 & Stage 2 30 days to respond Unknown if goal is individual audit or comprehensive report 19

Questions CEHRT documentation Information regarding EHR incentives received Questions Identical to CMS Audits: Practice in multiple locations? Core Set Measures Menu Set Measures Proof of Security Risk Analysis Questions follow Stage 1 2014 measures 20

AIU Audits Medicaid EHR Incentive Audit of hospitals unknown if EPs 10 days to respond Must validate patient volume Deep dive into accounting related to calculating patient volume Must validate CEHRT 21

AIU Audits - Patient Volume Describe process for calculating Patient Volume In-depth information regarding patient volume - all patient data, not just Medicaid Please provide a detailed system-generated output report for your total patient volume for the 90-day reporting period used for the first-year payment attestation (and second-year payment attestation, if applicable). This report should include, at a minimum, the following criteria: Provider Identifier Service Date Patient Name Insurance Carrier/Insurance Plan Charge Amount Amount Paid Why is this information needed for validating patient volume attestations? 22

AIU - Security In depth questions regarding hospital security, goes beyond meaningful use requirements. Please answer the following questions concerning data security and integrity: a) Is a unique password required to access the EHR system? b) Did the hospital sign a confidentiality agreement with the EHR vendor? c) Does each user of the EHR system have their own unique electronic signature to sign off on documents and is the electronic signature time and date stamped? d) Can a document be edited/changed after it has been signed? e) Describe the hospital s contingency plan if the EHR product goes offline? Please include in your description any use of backup files. 23

Audit Readiness Plan 1. Maintain documentation as required by the CMS EHR Incentive Program 6 year requirement Be able to pull this information upon request 2. Gather information consistent with OIG Audit Questionnaire 3. Evaluate health IT vendors and related Business Associate Agreement 4. Identify team that will respond to an OIG audit request 5. Conduct a mock audit to fully assess readiness 24

Elana Zana (206) 442-1308 ezana@omwlaw.com www.omwhealthlaw.com @EZhealthlaw

OIG Security Audits and OCR HIPAA Security Audits It s all about the evidence

Audit Controls/Auditing Activity #1 deficiency in initial audits and #1 Technical Security Deficiency after the 115 audits Policy or procedure Evidence ongoing Criteria of the activities you monitor Evidence that criteria has been approved 27

Example Audit Protocols Audit Controls 164.312 164.312(b) Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Determine the Activities that Will be Tracked or Audited Inquire of management as to whether audit controls have been Required implemented over information systems that contain or use ephi. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ephi. 164.312 164.312(b) Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Select the Tools that Will be Deployed for Auditing and System Activity Reviews Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information. Required 164.312 164.312(b) Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Develop Appropriate Standard Operating Procedures Inquire of management as to whether procedures are in place on the systems and applications to be audited and how they will be audited. Obtain and review management's procedures in place to determine the systems and applications to be audited and how they will be audited. Required 28

Evidence - Audit Controls (User Activity Monitoring) 29

Evidence - Audit Controls (User Activity Monitoring)

Example Audit Protocol Incident Management 164.308 164.308(a)(6): Security Incident Procedures ( 164.308(a)(6)(ii)) - Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. Develop and Implement Procedures to Respond to and Report Security Incidents Inquire of management as to whether there are formal or informal Required policies and/or procedures in place for identifying, responding to, reporting, and mitigating security incidents. Obtain and review the formal or informal policies and procedures and determine if incident response procedures are in place. Obtain and review the formal or informal policies and/or procedures and determine if incident response procedures are updated on a periodic basis based on changing organizational needs. Obtain and review formal or informal documentation to determine if the incident response procedures have been communicated to appropriate entity personnel. Obtain and review formal or informal documentation of procedures and evaluate the content relevant to the specified criteria in place for conducting postincident analysis. Obtain and review formal or informal documentation to determine if post-incident analyses have been conducted.

Evidence - Incident Management 32

Example Audit Protocol Access Control 164.312 164.312(a)(2)(i): Access Control - Assign a Ensure that All System Users unique name and/or number for identifying Have Been Assigned a and tracking user identity. Ensure that system Unique Identifier activity can be traced to a specific user. Ensure that the necessary data is available in the system logs to support audit and other related business functions. Inquire of management as to how users are assigned unique user IDs. Obtain and review policies and/or procedures and evaluate the content in relation to the specified criteria to determine how user IDs are to be established and assigned and evaluate the content in relation to the specified criteria. Obtain and review user access lists for each in-scope application to determine if users are assigned a unique ID and evaluate the content in relation to the specified criteria for attributing IDs. For selected days, obtain and review user access logs to determine if user activity is tracked and reviewed on a periodic basis and evaluate the content of the logs in relation to the specified criteria for access reviews. Required

Evidence Access Control

Access Controls Processes for granting access to workforce & to third parties Processes for removing access Processes for updating access Elevated privilege management People with dual roles What is your process for updating access when a worker changes jobs within the organization? Is it documented? 35

Ask the Experts Please submit via the WebEx Q&A or Chat windows to the right side of your screen. For more information, please visit: www.fairwarning.com

Thank you for attending! Elana R. Zana Attorney & Author Ogden Murphy Wallace P.L.L.C. ezana@omwlaw.com Chuck Burbank Director of Managed Privacy Services FairWarning, Inc. Chuck@FairWarning.com Brian Stone Manager, Customer Success FairWarning, Inc. Brian@FairWarning.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information