AHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA




AHLA
B. HIPAA Compliance Audits
Marti Arvin, Chief Compliance Officer, UCLA Health System and David Geffen School of Medicine, Los Angeles, CA
Anna C. Watterson, Davis Wright Tremaine LLP, Washington, DC
Fraud and Compliance Forum, October 6-7, 2014

HIPAA Compliance Audits
Marti Arvin, Chief Compliance Officer, UCLA Health System and David Geffen School of Medicine
Anna Watterson, Associate, Davis Wright Tremaine

Agenda
- Brief overview of the Pilot Audit Program: program implementation, protocols and compliance gaps
- What to expect in 2015: onsite and offsite audits for covered entities and business associates
- Continuing challenges to preparing for an OCR audit, onsite versus offsite
- Tips for evaluating your HIPAA compliance program and making sure you can demonstrate compliance

Pilot Audits: Recap
- The HITECH Act requires OCR to conduct periodic HIPAA compliance audits of covered entities and business associates
- OCR launched its audit program in 2010 and conducted 115 audits in 2011 and 2012
- Pilot audits were onsite and evaluated compliance with specific components of the HIPAA Privacy, Security and Breach Notification Rules against set protocols posted on the OCR website
- Why are the pilot audits important? They shed light on the most problematic areas for HIPAA compliance

Pilot Audits: Key Findings
Widespread issues; Security Rule compliance; health care providers; small organizations
- Only 11% of the audited entities did not have a finding or observation, and only 2 of those entities were providers
- Covered entities struggled the most with Security Rule compliance
- Health care providers had more findings and observations than health plans or health care clearinghouses
- Small organizations, regardless of type of organization, had the most findings and observations

Pilot Audits: Security Rule Findings
- Nearly all providers had at least one finding or observation
- Approximately 80% of providers and nearly 57% of health plans did not have a complete or accurate risk analysis
- Findings included: risk analysis; access management; security incident procedures; contingency planning and backups; workstation security; media movement and destruction; encryption; audit controls and monitoring; integrity controls

Pilot Audits: Privacy and Breach
- Privacy Rule findings included: notice of privacy practices; right to request privacy protections; individual access; administrative requirements; uses and disclosures
- Breach Notification Rule findings included: methods of individual notification; burden of proof; timeliness of notification; notification to individuals

Pilot Audits: Key Takeaways
- Demonstrating compliance means more than having policies and procedures
- Can you demonstrate that breach notifications were provided to individuals through an acceptable method (including substitute notification) for every breach?
- 59% of covered entities were not aware of the audit program prior to receiving the notification letter
- 56% became aware of additional HIPAA requirements as a result of the audits

Upcoming Audits: 2015-2016
- Now is the time to assess HIPAA compliance; after you receive a notification letter might be too late
- OCR will conduct comprehensive onsite audits of both covered entities and business associates, on a resource-dependent basis
- OCR will conduct approximately 200 offsite audits (paper review only) of limited scope, targeting areas of high compliance failure, including risk analysis
- Timeline: delayed while OCR updates its technology for surveys, document submissions and data analytics

Upcoming Audits: Audit Process
- Verification: OCR began contacting covered entities in the spring to confirm contact information. OCR recently confirmed it is still completing this process.
- Survey: OCR will send a pre-audit survey to entities in the selection pool. OCR is currently developing a portal for survey responses and will use this information, in part, to select auditees.
- Notification and data request: OCR projected that it would start sending notifications and data requests in October 2014. This has been delayed, with no update from OCR on timing.

Upcoming Audits: Covered Entity Onsite Audits
- Additional funding has allowed for more onsite audits than previously planned; OCR will conduct an unknown number of comprehensive onsite audits in the next round
- Covered entities should expect onsite audits to include a review of all three rules, including Security Rule risk analysis, individual access under the Privacy Rule and notifications under the Breach Notification Rule
- OCR will be looking to see whether covered entities are following their own policies. If you have a sanctions policy, can you demonstrate that you are actually sanctioning employees in accordance with it?

Upcoming Audits: Covered Entity Offsite Audits
- Projected offsite audits for approximately 200 CEs, with a heavier focus on providers; offsite audits will have a limited focus
- 2014 focus: risk analysis and risk management; content and timeliness of breach notifications; notice and access
- 2015 focus: device and media controls; transmission security; privacy safeguards; training to policies and procedures
- 2016 focus (projected): encryption and decryption; facility access control (physical security); high-risk areas identified in earlier audits; breach reports and complaints

Upcoming Audits: Business Associates
- Covered entities will be asked to provide a complete list of all business associates, with contact information and the services they provide
- What does this mean for BAs? If you are a CE, now is the time to look at your vendor management process
- BA audits are expected to start in 2015; it is unclear whether this is still on schedule
- Focus will be the Security Rule and IT-based BAs, but others will be included
- Business associate audit focus for 2015: risk analysis and risk management; breach reporting to the CE

Onsite Audits vs. Offsite Audits
- Offsite: Can you demonstrate compliance based on a paper review only?
- Onsite: Are you prepared for government officials to come onsite to evaluate your compliance?
- Have you updated all P&P, BAAs, etc. since the Omnibus Rule compliance date?
- Do your practices match your policies? Documentation is key
- Conduct a mock audit (consider privilege issues)

Preparing for an Audit: Basics
- Who will OCR contact? Will staff recognize and escalate a phone call or email from OCR?
- Who will be involved? Ensure collaboration between different departments
- Who will be the lead? Identify the persons in advance and make sure everyone understands their role

Preparing for an Audit: Security Rule
- Know where your data resides
- Risk analysis must be documented; risk analysis vs. gap analysis
- Risk analysis: update at least every 3 years (best practice is every year), and every time there is an environmental or operational change
- Risk management: a documented, reasonable plan to reduce risks and vulnerabilities
- Implementation specifications: required vs. addressable
- Evaluate administrative, physical and technical safeguards

Risk Analysis
- Who does this at your organization? Compliance? Information Technology? How involved is compliance?
- Do you know the status of your risk mitigation process?
- If you have identified a risk mitigation strategy and timeline, is anyone monitoring it?
  - Are you mitigating the risks?
  - Are you on time?
  - If not, why not?
- OCR is not likely to accept lack of resources as a basis for failing to mitigate risks
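The slide above asks two questions an auditor will put to you directly: is the risk analysis current, and is anyone actually tracking the mitigation plan against its timeline? The following is an added example, not part of the original presentation, of a small risk-register check that encodes those questions. It flags a risk analysis older than the three-year ceiling or the one-year best practice named on the slide, flags one that predates an environmental or operational change, and lists open mitigation items that are overdue, unowned or undated. The register entries, dates, owners and risk IDs are constructed for illustration and correspond to no real organization.

```python
"""Risk-register status check.

Added example, not from the original presentation. Encodes the slide's
questions about risk analysis currency (update at least every 3 years,
best practice yearly, and after any environmental/operational change)
and about whether identified mitigations are actually being tracked.
All register entries and dates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

MAX_AGE_DAYS = 3 * 365       # "update at least every 3 years" (slide)
BEST_PRACTICE_DAYS = 365     # "best practice is every year" (slide)
SAMPLE_AS_OF = date(2014, 10, 6)   # constructed "today" for the sample run


@dataclass
class Mitigation:
    risk_id: str
    description: str
    owner: Optional[str]
    target_date: Optional[date]
    completed_on: Optional[date] = None


@dataclass
class RiskAnalysis:
    last_completed: date
    # Most recent environmental or operational change that should have
    # triggered an update (new EHR module, data center move, ...);
    # None if nothing has changed since the last analysis.
    last_env_change: Optional[date]
    mitigations: List[Mitigation] = field(default_factory=list)


def analysis_findings(ra: RiskAnalysis, today: date) -> List[str]:
    """Findings about the risk analysis document itself."""
    findings: List[str] = []
    age = (today - ra.last_completed).days
    if age > MAX_AGE_DAYS:
        findings.append(f"risk analysis is {age} days old, over the 3-year ceiling")
    elif age > BEST_PRACTICE_DAYS:
        findings.append(f"risk analysis is {age} days old, over the 1-year best practice")
    if ra.last_env_change is not None and ra.last_env_change > ra.last_completed:
        findings.append(
            f"environmental/operational change on {ra.last_env_change} "
            f"postdates the last analysis ({ra.last_completed}); update required"
        )
    return findings


def mitigation_findings(ra: RiskAnalysis, today: date) -> Dict[str, List[str]]:
    """Open mitigations an auditor would question, keyed by risk ID."""
    out: Dict[str, List[str]] = {}
    for m in ra.mitigations:
        if m.completed_on is not None:
            continue  # closed items are evidence of progress, not findings
        issues: List[str] = []
        if m.owner is None:
            issues.append("no owner assigned")
        if m.target_date is None:
            issues.append("no target date")
        elif m.target_date < today:
            issues.append(f"overdue by {(today - m.target_date).days} days")
        if issues:
            out[m.risk_id] = issues
    return out


def run_report(ra: RiskAnalysis, today: date) -> Dict[str, object]:
    """Combined view for a compliance dashboard or an audit binder."""
    return {
        "analysis": analysis_findings(ra, today),
        "mitigations": mitigation_findings(ra, today),
        "open_items": sum(1 for m in ra.mitigations if m.completed_on is None),
    }


def build_sample_register() -> RiskAnalysis:
    """Constructed sample register; every value is illustrative only."""
    return RiskAnalysis(
        last_completed=date(2013, 3, 1),
        last_env_change=date(2014, 6, 15),
        mitigations=[
            Mitigation("R-01", "Full-disk encryption on laptops", "IT Security",
                       date(2014, 6, 30)),
            Mitigation("R-02", "Periodic review of EHR audit logs", None, None),
            Mitigation("R-03", "Media sanitization procedure", "Facilities",
                       date(2014, 5, 1), completed_on=date(2014, 4, 20)),
            Mitigation("R-04", "Workstation inactivity timeout", "IT",
                       date(2014, 12, 31)),
        ],
    )


def sample_report() -> Dict[str, object]:
    """Run the check over the constructed register as of SAMPLE_AS_OF."""
    return run_report(build_sample_register(), SAMPLE_AS_OF)


if __name__ == "__main__":
    report = sample_report()
    for line in report["analysis"]:
        print("ANALYSIS:", line)
    for risk_id, issues in report["mitigations"].items():
        print(f"{risk_id}: {'; '.join(issues)}")
    print("open items:", report["open_items"])
```

Run as a script it prints the stale-analysis findings and the two questionable items (R-01 overdue, R-02 with no owner and no date); R-03 is closed and R-04 is on schedule, so neither appears. The point of keeping owner, target date and completion date on every item is that each question on the slide ("Are you mitigating? Are you on time? If not, why not?") then has a documented answer rather than a verbal one.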

Risk Analysis (continued)
- What was your process for determining how to prioritize risks?
- Did you look at recent breaches?
- Did you have a pre-defined list of questions? Who determined what you were going to look at?
- What else is at risk if you did not do an adequate risk analysis? Meaningful Use and the Security Rule risk assessment

Preparing for an Audit: Privacy Rule
- Notice of Privacy Practices: has it been updated per the Omnibus Rule?
- Review policies and procedures and ask: Are they compliant on paper? Are they followed in practice?
- Can you document sanctions? Training? (Especially important after a breach)
- Documentation is key

Preparing for an Audit: Breach Notification Rule
- Do you have breach policies and procedures? Do they comply with HIPAA and state law, if applicable?
- For each incident, can you show: documentation of a completed breach risk assessment (or documentation supporting the applicability of an exception), or documentation of notifications (to individuals, including substitute notice; to HHS; and to the media, if applicable)?
- Do notifications to individuals include all content requirements?
- Were there any law enforcement delays? Do you have documentation?

Conducting a Mock Audit
- Can you identify all policies and procedures?
- How will your employees answer an auditor's questions? Do they know your policies and procedures (e.g., do they know how to properly escalate a HIPAA breach)?
- Do you have documentation for all incidents?

Responding to an OCR Data Request
1. Be responsive: provide all documentation needed to demonstrate compliance (you might not get a second chance), but don't provide extraneous information
2. Be organized: submit files in the manner OCR requests (file type, file name, etc.)
3. Be timely: OCR will NOT provide entities the opportunity to clarify or submit additional documents
4. Clarify any documents that are unclear on their face: OCR has stated auditors will not likely contact entities to clarify or ask questions for offsite audits; failure to submit complete documentation of compliance may lead to referral for enforcement action

Audits vs. Compliance Reviews
- How is this different from a complaint or breach investigation?
- What happens if you fail an audit?

OCR Enforcement Action
- Audits may not result in enforcement action, BUT if substantial issues are identified in an audit, that could result in referral for further assessment by OCR
- We have had over eight years to get this right, and OCR expects that we have most of it right
- OCR enforcement has increased recently, with nearly $8 million in settlements for 2014

State Attorney General Actions and FTC Actions
- HITECH gave state Attorneys General authority to bring actions on behalf of state residents
- We have seen 6 AG settlements since HITECH, with 3 in Massachusetts; more state attorneys general are getting involved
- Notice to the AG may be required in some states if you have a data breach
- The FTC is very active in data security and privacy-related enforcement actions under Section 5 of the FTC Act
- You really don't want the FTC to become involved in your data security and privacy issues

Recent Class Actions
- Stanford: $4 million settlement
- Sutter Health: started as 11 class actions; ultimately dismissed, but at what cost?
- University of Miami: $191,000
- Community Health Systems
- AvMed

Meaningful Use Audits
- If you fail a Meaningful Use audit, you risk losing incentive payments
- Ensure you have documented an accurate, complete, enterprise-wide risk analysis

Audit Tools
- OCR Audit Protocol (not updated per the Omnibus Rule): http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
- HHS Security Risk Assessment tool: http://www.healthit.gov/providers-professionals/security-risk-assessment
- National Institute of Standards and Technology, 800 Series: http://csrc.nist.gov/publications/pubssps.html
- OCR Security Risk Analysis Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Questions?
Marti Arvin, MArvin@mednet.ucla.edu, 310 794 0922
Anna Watterson, annawatterson@dwt.com, 202 973 4247