2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

Similar documents
Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Overview of the HIPAA Security Rule

Medicare & Medicaid Services Efforts to Address Prior Office of Inspector General Findings After the 2008 audit

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

HIPAA Security Alert

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

The HIPAA Audit Program

Lessons Learned from HIPAA Audits

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Can Your Diocese Afford to Fail a HIPAA Audit?

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Procedure Title: TennDent HIPAA Security Awareness and Training

VMware vcloud Air HIPAA Matrix

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Page 1. Copyright MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

What s New with HIPAA? Policy and Enforcement Update

2012 HIPAA Privacy and Security Audits

HIPAA Security Risk Analysis for Meaningful Use

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July Tex Med. 2012;108(7):33-37.

HIPAA Security Rule Compliance

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Preparing for the HIPAA Security Rule

HIPAA Security Compliance Reviews

FINAL May Guideline on Security Systems for Safeguarding Customer Information

SECURITY RISK ASSESSMENT SUMMARY

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

When HHS Calls, Will Your Plan Be HIPAA Compliant?

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

OCR/HHS HIPAA/HITECH Audit Preparation

HIPAA & HITECH AND THE DISCOVERY PROCESS

HIPAA Compliance Guide

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

CHIS, Inc. Privacy General Guidelines

HIPAA Compliance: Are you prepared for the new regulatory changes?

Security Is Everyone s Concern:

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and Mental Health Privacy:

Nine Network Considerations in the New HIPAA Landscape

HIPAA WEBINAR HANDOUT

How To Write A Health Care Security Rule For A University

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

Client Security Risk Assessment Questionnaire

OCR UPDATE Breach Notification Rule & Business Associates (BA)

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Why Lawyers? Why Now?

Security Compliance, Vendor Questions, a Word on Encryption

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Data Security in the Insurance Industry: WHAT YOU NEED TO KNOW

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Healthcare Compliance Solutions

Telemedicine HIPAA/HITECH Privacy and Security

The Basics of HIPAA Privacy and Security and HITECH

HIPAA Compliance Guide

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

Healthcare Compliance Solutions

HIPAA Security Rule Changes and Impacts

What Every Organization Needs to Know about Basic HIPAA Compliance and Technology. April 21, 2015

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September Nashville Knoxville Memphis Washington, D.C.

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

The benefits you need... from the name you know and trust

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Information Security Program Management Standard

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA in an Omnibus World. Presented by

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

New HIPAA regulations require action. Are you in compliance?

Authorized. User Agreement

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Transcription:

The OCR Auditors are coming - Are you next? What to Expect and How to Prepare

On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million contract to develop a pilot HIPAA audit program mandated under the HITECH Act of 2009 to ensure compliance with the HIPAA Privacy and Security Rules and Breach Notification standards. Between November 2011 and December 2012, the OCR will audit up to 150 covered entities. What is My Risk? OCR has made clear that enforcement actions may follow audits revealing significant HIPAA Security compliance issues. In recent years, OCR has stepped up its enforcement activity: Massachusetts General Hospital. $1 million settlement and three-year Corrective Action Plan for loss of Protected Health Information ( PHI ) by employee. (February, 2011) Cignet Health. $4.3 million penalty for refusing patients access to their medical records. (February, 2011) UCLA Health System. $865,000 settlement and three-year Corrective Action Plan for allowing unauthorized access to patient medical records. (July, 2011) Will My Organization Be Next? The initial HIPAA audit program is focused on HIPAA-covered entities (i.e. health care providers, health plans and health care clearinghouses). With 150 audits planned and an aggressive timeline, covered entities should not be surprised to receive an audit request. When Will the Audits Begin? July 2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. Initial Protocol Development Auditee Selection Auditee Notification Begins Test of Initial 20 Audits Test of Protocol Period of Review Adjustment of Protocol Audit Execution / Remaining Audits How Long Does the Audit Take? Elapsed Time 1 Day Covered entity receives OCR notification letter Minimum of 10 Days Covered entity provides response and documentation 3-10 Days Auditors on-site visit 20-30 Days Draft audit report 10 Days Covered entity reviews report and provide comments 30 Days Final audit report Day 1 Day 10 Day 30/90 Depending on completion of auditors on-site visit

What Will the On-Site Visit Look Like? Interviews with key organizational leaders; Scrutiny of physical operations controls (i.e. storage, maintenance and use of PHI); Assessment of how well organizational policies and procedures meant to protect PHI are implemented in practice by the organization; Identification of areas of concern with respect to general regulatory compliance. What Will the Auditors Focus on? OCR has not yet released a set of audit questions. In May 2011, however, the HHS Office of Inspector General ( HHS-OIG ) issued a report based on the agency s audits of seven hospitals across the country. The report identified a number of vulnerabilities, which are likely to be high on OCR s list of priorities. Areas of vulnerability included: Inadequate security of wireless networks Lack of adequate updates to software and operating systems Access log recordkeeping Insufficient incident detection and response procedures Inadequate user access controls and password management controls Risk of theft or loss of mobile devices Information access management, including role-based access High impact vulnerabilities are vulnerabilities that may (1) result in the highly costly loss of major tangible assets or resources; (2) significantly violate, harm, or impede an organization s mission, reputation, or interest; or (3) result in human death or serious injury. The HHS-OIG report also placed particular emphasis on so-called high impact vulnerabilities. The vast majority of high impact vulnerabilities related to lacking or insufficient technical safeguards (i.e. insufficient wireless access control, audit control, integrity control, and person or entity authentication and transmission security). We expect that OCR auditors will focus attention on these high impact vulnerabilities. How Should My Organization Prepare? The HHS-OIG report provides a good starting point for identifying vulnerabilities that may be the focus of the OCR audits. Developing a work plan and reviewing your operations in light of the vulnerabilities identified in the report may help reduce the risks of adverse findings in an audit. To help you in this effort, our Health Care Privacy and Data Security attorneys have developed the attached checklist. Your preparation should also include: A review of your policies and procedures to ensure compliance with the HIPAA Security Rule; A review and update as necessary of your organization s risk assessment plan; Updates to your privacy and security safeguards and implementation of corrective actions when necessary; Updating of your training and workforce education materials as necessary.

How We Can Help We know more than just the law we know the health care industry, health care operations, and health care information systems. Our advice and solutions to privacy, security, and data breach issues address practical, operational and business concerns. We do not provide advice in a vacuum; we seek to solve data privacy and security matters in a way that meets our clients business needs. We can help your organization identify and assess organizational risk related to the HIPAA Security Rule and OCR audit program. We have assisted covered entities in responding to HIPAA security rule audits and enforcement actions, and we have developed corrective action programs. More generally, our attorneys have extensive experience advising a broad range of health care clients in connection with data privacy and security matters, including compliance with the HIPAA Privacy and Security Rules and the HITECH Act. We advise both covered entities and business associates with respect to the permitted uses and disclosure of protected patient information, billing and payment issues, transaction related issues and the development of policies and procedures for HIPAA and HITECH privacy and security compliance. We also assist clients with the conduct of risk assessments and gap analyses, training of workforces, remediation of known HIPAA compliance matters, and prevention of data disclosure breaches. We have worked closely with clients in connection with responding to state and federal regulatory authorities in the wake of data breaches, including compliance with state and federal reporting and notification obligations, responding to audits and investigations by regulatory authorities, implementation of remedial changes to privacy and security compliance, and employee training and employee discipline related to data privacy and security matters. If you have questions about these issues or other topics related to health care privacy and data security, please contact your Ropes & Gray attorney or a member of the Health Care Privacy and Data Security team listed below: Michele M. Garvin Deborah Gersh Timothy McCrystal John Chesley michele.garvin@ropesgray.com T +1 617 951 7495 deborah.gersh@ropesgray.com T +1 312 845 1307 timothy.mccrystal@ropesgray.com T +1 617 951 7278 john.chesley@ropesgray.com T +1 415 315 6394 111 South Wacker Drive 46th Floor Chicago, IL 60606 Three Embarcadero Center San Francisco, CA 94111 Ropes & Gray LLP, 2012. All rights reserved. Prior results do not guarantee a similar outcome. Communicating with Ropes & Gray LLP or a Ropes & Gray lawyer does not create a client-lawyer relationship.

The OCR Auditors are coming - Are you next? identifying potential vulnerabilities By December 2012, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) plans to audit up to 150 covered entities. To help you and your organization prepare, our Health Care Privacy and Data Security attorneys have developed the following checklist. If you answer No or I Don t Know to one or more of these questions, we encourage you to contact us to help your organization conduct a thorough assessment. Technical Safeguards Wireless Access Yes No I Don t Know Do you have an effective encryption program (i.e. complying with the standards in HITECH)? Have you installed a wireless intrusion prevention system to prevent rogue wireless access points, and do you have a mechanism in place to monitor wireless network security? Do you have firewalls separating wireless networks from internal wired networks? Have you turned off automatic broadcast of service set identifiers so that they are not publicly accessible? Do you have effective authentication requirements for entering your wireless networks? Access Control Yes No I Don t Know Do you maintain strict access controls on domain controllers, servers, workstations, and mass storage media used to receive, maintain, or transmit Electronic Protected Health information ( ephi )? Do you require adequate password settings for all password protected materials and databases, and do you require that all passwords are regularly changed? Have you enabled automatic user log off after periods of inactivity? Do you limit the number of unsuccessful log-on attempts before access is terminated, at least temporarily? Do you only allow use of encrypted laptops for access to or storage of ephi? Do you limit user access to root folders?

Access Control (cont.) Yes No I Don t Know Do you have policies in place to ensure immediate termination of access to your system for former employees and other personnel who may have previously had, but should no longer have access to your systems? Audit Control Yes No I Don t Know Do you keep current audit logging on servers, routers, firewalls, databases and wireless access points that contain or transmit ephi? Do you archive these audit logs? Do your network administrators perform routine reviews of operating system and application audit logs and investigate any suspicious or malicious activity, including attempts to hack your networks or compromise the confidentiality and integrity of network ephi? Have you installed system-wide security patches? Do you update antivirus software and scan engines regularly? Integrity Control Yes No I Don t Know Do you have service arrangements with operating system vendors to ensure proper maintenance and support? Do you regularly remove operating systems that are no longer supported by the manufacturer? Do you restrict internet access for hospital users, and do you have an acceptable internet use policy in place? Do you prohibit sharing of administrator accounts? Entity Authentication Yes No I Don t Know Do you ensure that default user identifications and passwords are changed after the first use? Do you have appropriate transmission security safeguards (e.g. prevent use of plain text remote administration tools, require use of e-mail encryption in certain circumstances, disable unnecessary and unsecure network services systems)? Physical Safeguards Facility access control Yes No I Don t Know Do you make sure that indoor windows and doors to rooms housing ephi are secured and locked? Do you have other security measures in place to secure physical PHI (e.g., keycard access to storage areas, etc.)?

Device and media control Yes No I Don t Know Do you have an inventory system in place to keep track of portable or removable devices? Do you have a policy in place that requires removal of ephi from media prior to disposal, and do you document such removal when it occurs? Do you require password protection for all easily accessible computers? Do you have an effective encryption plan in place for computers, equipment and removable media containing ephi? Administrative Safeguards Device and media control Yes No I Don t Know Do you have appropriate security management processes in place for your organization (e.g. regular risk assessments of information management systems)? Do you have appropriate security incident procedures to provide for an immediate and well-organized response in the event of any security incidents involving ephi? Do you have adequate contingency plans in place to address disaster recovery, storage of back-up tapes, and network disruptions? Do you have proper procedures in place to ensure adequate contractual arrangements with all business associates? Do you have policies and procedures in place regarding removal and transport of ephi? Have you conducted initial and follow-up training on your security policies and procedures, including updating your workforce regarding changes in the law? If you have questions about these issues or other topics related to health care privacy and data security, please contact your Ropes & Gray attorney or a member of the Health Care Privacy and Data Security team listed below: Michele M. Garvin Deborah Gersh Timothy McCrystal John Chesley michele.garvin@ropesgray.com T +1 617 951 7495 deborah.gersh@ropesgray.com T +1 312 845 1307 timothy.mccrystal@ropesgray.com T +1 617 951 7278 john.chesley@ropesgray.com T +1 415 315 6394 111 South Wacker Drive 46th Floor Chicago, IL 60606 Three Embarcadero Center San Francisco, CA 94111

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information