Interpreting the HIPAA Audit Protocol for Health Lawyers

This webinar is brought to you by the Health Information and Technology Practice Group (HIT), and is co-sponsored by the Business Law and Governance (BLG); Hospitals and Health Systems (HHS); In-House Counsel (In-House); Labor and Employment (Labor); Long Term Care, Senior Housing, In-Home Care, and Rehabilitation (LTC-SIR); Payors, Plans, and Managed Care (PPMC); and Physician Organizations (Physicians) Practice Groups.

June 21, 2012, 1:00-2:30 Eastern

Presenters:
- Adam H. Greene, JD, MPH, Partner, Davis Wright Tremaine LLP, Washington, DC, adamgreene@dwt.com
- Michael "Mac" H. McMillan, CISM, CEO, CynergisTek Inc., Austin, TX, mac.mcmillan@cynergistek.com
Agenda
- Background
- Audit Selection
- The Audit Process
- The Audit Protocol
- Initial Audit Results
- Audit Readiness
BACKGROUND
Past HIPAA Enforcement
- Complaints
- Compliance Reviews
- Breach Reports
Congress Requires Audits
Section 13411 of the HITECH Act: "The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of [the HITECH Act, Privacy, and Security Rules], as such provisions are in effect as of the date of enactment of this Act, comply with such requirements."
HHS Contracts Out Audits

| Description                                  | Vendor               | Status / Timeframe |
|----------------------------------------------|----------------------|--------------------|
| Audit program development study              | Booz Allen Hamilton  | Closed 2010        |
| Covered entity identification                | Booz Allen Hamilton  | Open 2011          |
| Develop audit protocol and conduct audits    | KPMG, Inc.           | Open 2011-2012     |
| Evaluation of audit program                  | TBD                  | To begin in 2013   |
The Pilot Audit Program
- 115 audits (originally planned as 150)
- Covers privacy, security, and breach notification
- Staffed by contractor employees
- Focused on education and prevention
AUDIT SELECTION
Selection of Covered Entities
- Covered entities of all types and sizes
- Business associates possible in future audits
- Stratified, random selection based on size, type, and geography
- Selection is not based on prior incidents
The First 20 Audits

| Entity type               | Level 1 (> $1B) | Level 2 ($300M - $1B) | Level 3 ($50M - $300M) | Level 4 (< $50M) | Total |
|---------------------------|-----------------|-----------------------|------------------------|------------------|-------|
| Health plans              | 2               | 3                     | 1                      | 2                | 8     |
| Health care providers     | 2               | 2                     | 2                      | 4                | 10    |
| Healthcare clearinghouses | 1               | 1                     | 0                      | 0                | 2     |
| Total                     | 5               | 6                     | 3                      | 6                | 20    |
THE AUDIT PROCESS
The Audit Timeline
- Notification letter sent to Covered Entity: 1 day min.
- Receiving and reviewing documentation and planning the audit field work: 15 days
- On-site field work: 3-10 days
- Draft audit report: 20-30 days
- Covered Entity reviews and comments on draft audit report: 10 days
- Final audit report: 30 days
Notification
- Notification will come by registered mail.
- The letter is addressed to the CEO, so organizations need to redirect it as soon as it arrives.
- The clock starts with receipt of the letter: 15 days for documentation, 30-90 days until on-site activity begins.
- Activate the audit response team, begin notifications, and initiate action to respond to initial tasks.
Submit Documentation
- The request is an attachment to the Notification letter.
- Items such as policies, procedures, plans, demographic information, forms, etc.
- Information is due within 15 business days of receipt of the Notification letter.
- Focus on initial tasks and coordination with the Audit Team.
On-Site Data Collection
- Occurs 30-90 days from receipt of Notification.
- On-site data collection can last from 3-10 business days and involve up to 5 auditors.
- Interviews of key personnel and other staff members, site walkthroughs, operational reviews, and requests for further information.
- Focus on final preparations and refresher training for staff.
Post On-Site Activity
- 20-30 days after the on-site visit to produce the draft report.
- Expect additional questions/requests for information while the report is being written.
- Focus on preparing the response to audit findings.
- The draft report is provided to the site. It includes site information, findings/recommendations, and a request for response.
Draft Report & Response
- 10 business days to respond to deficiencies noted.
- Review the report closely; identify clarifying questions, mitigating information, and plans for remediation.
- Take full advantage of expert advice from consultants and legal counsel when developing the response.
THE AUDIT PROTOCOL
Audit Procedures
- 68 Privacy Audit Procedures
- 77 Security Audit Procedures
- 10 Breach Notification Audit Procedures
Example of Audit Procedure
§ 164.312(a)(1) Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
Example of Audit Procedure
Key Activity: Terminate Access If It Is No Longer Required (Cont'd)
- Inquire of management as to whether there are separate procedures for terminating access to ePHI when the employment of a workforce member ends, i.e., voluntary termination (retirement, promotion, transfer, change of employment) vs. involuntary termination (termination for cause, reduction in force, involuntary transfer).
- Inquire of management as to whether a standard set of procedures is in place to recover access control devices and deactivate computer access upon termination of employment.
Example of Audit Procedure
Key Activity: Terminate Access If It Is No Longer Required (Cont'd)
- Obtain and review the policy and procedures for terminating access to ePHI and evaluate the content in relation to the specified performance criteria.
- Obtain and review evidence of monitoring to determine whether access to ePHI is terminated in a timely manner.
Example of Audit Procedure
Key Activity: Terminate Access If It Is No Longer Required
- Obtain and review a standard set of procedures and evaluate the content in relation to the specified performance criteria.
- If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where it has chosen not to fully implement this specification and its rationale for doing so.
Contents of Audit Procedures
- Inquire of management
- Obtain and review policies and procedures
- Obtain and review evidence/documentation
- If the CE has chosen not to fully implement, it must have documentation of why
What's Missing?
- Standards against which CEs will be judged
  - E.g., how often is a "periodic basis"?
  - E.g., what safeguards are "appropriate"?
- How is the protocol applied differently to different sized entities?
- What is the regulatory basis for much of the protocol?
  - E.g., "For evaluations conducted by external consultants, determine if an agreement or contract exists and if it includes verification of consultants' credentials and experience."
The Audit Protocol can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Remember: The Audit Protocol Is Not Law.
- Corollary 1: The Audit Protocol Is Not Even Agency Guidance.
- Corollary 2: But OCR likely has reviewed and approved the audit protocol.
INITIAL AUDIT RESULTS
AUDIT READINESS
Demonstration is Key
- Policies are only the beginning. Auditors will want to see how policy has been enabled and is being enforced.
- Testing, monitoring, auditing, investigative activity, log files, configurations, and other documentation will be required to prove controls exist.
- Completeness, compliance, consistency and currency of policies, procedures and practices will be evaluated.
It Starts With Policy
- Auditors will review policies for privacy, security and breach notification.
- Conduct a gap analysis.
- Understand the relationship between the policy as written, the controls employed, and the intelligence gleaned from the risk analysis.
- Organize policies, plans and procedures in an easily retrievable platform.
- Ensure staff orientation.
Proof of Implementation
- The audit protocol calls for developing proof that policies and controls have been effectively implemented.
- Determine for each policy, plan or procedure what evidence can be produced to demonstrate compliance.
- Incorporate periodic evaluations as part of an internal audit process.
- Audit, test, repeat.
The Four C's
- Complete: Do you have a complete set of policies and procedures?
- Compliant: Do your policies and procedures meet all compliance requirements?
- Current: Is all documentation current within appropriate guidelines?
- Consistent: Is there consistency between policies, practices and controls?
Organize Documentation
- The initial request for documentation is time sensitive.
- Create either a central repository or an index for all documents related to compliance.
- Determine appropriate retention periods.
- Conduct periodic audits to ensure readiness to produce.
Audit Response Team
- Identify the audit response team.
- Align readiness plans and activities with the audit phases.
- Establish a primary POC for communications with the audit team.
- Prepare an orientation for the team.
- Apply minimum necessary and access control practices.
- Identify logistics support.
Refresher Training Helps
- Conduct orientation for management and workforce members.
- Alert business associates and others of the audit.
- Conduct refresher training on compliance/policy information.
- Review non-essential activities and eliminate distractions.
- Engage legal and consulting support.
Preparing for the On-Site
- Conduct walkthroughs and mock interviews with staff.
- Create simple checklists for senior management, department heads and other key personnel.
- Interview senior management personally.
- Conduct mock audits (readiness/performance).
- Conduct a review of documentation.
Leadership is Key
- Keep motivation high; stress the learning aspect of the audit.
- Institute a system of regular feedback and reminders.
- Communicate lessons learned to inform audit performance.
- Remain flexible, positive, unflappable.
- Stress transparency, openness and integrity in interactions.
Preparing a Response
- Collect feedback all through the audit process.
- Conduct frequent debriefs to collect observations.
- Identify any areas believed to be not relevant.
- Engage consultants and legal advice when crafting responses.
- Focus on plans for remediation and timelines.
Final Report & Disposition
- Audits are designed to be a compliance improvement tool; enforcement is not the intent.
- OCR will use the audit reports to identify what types of technical assistance and guidance should be developed.
- OCR may determine that it is necessary to open a compliance review based on initial findings or evidence of neglect.
The Role for Counsel: Pre-Audit
- Bring the privacy and security audit program to the attention of client(s).
- Bring the audit protocol to the attention of clients.
- Encourage use of the protocol to improve preparedness.
- Clarify that the protocol does not equate to legal requirements.
- Go beyond the audit protocol where necessary.
- Use attorney-client privilege judiciously (e.g., analyzing strengths and weaknesses of the compliance program).
The Role for Counsel: During Audit
- Ensure management understands the risks. This is not a routine audit. HHS has indicated that enforcement is not the focus; nevertheless, it could lead to a substantial settlement or penalty.
- Assist with limiting responses to facts and to the scope of questions. Initial responses could become admissions in future settlement discussions or appeals.
- Coordinate the response to the draft audit report. Recognize that the audience is OCR, not KPMG.
Questions
Thank You
- mac.mcmillan@cynergistek.com, 512.402.8555
- adamgreene@dwt.com, 202.973.4213
Interpreting the HIPAA Audit Protocol for Health Lawyers, 2012, is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought (from a declaration of the American Bar Association).