HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply
October 18, 2013
ACEDS web seminar (aceds.org)
Presenters
- Abbie P. Maliniak, Partner, Fenton Nelson, LLP (amaliniak@fentonnelson.com)
- Allison J. Walton, Chief Executive Officer, Fortis Quay (awalton@fortisquay.com)
- Valarie E. Williams, Managing Director, HIPAA Consulting Practice, OnlineSecurityRX (valarie@onlinesecurity.com)
Agenda
- Introduction
- How to Comply
- HIPAA, HITECH, ARRA
- What To Expect from Auditors
- Fortis Quay
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Ensures privacy protection for patients by limiting the ways covered entities can use patients' protected health information (PHI)
- Protects PHI whether it is on paper, in computers or communicated orally; the medium is unimportant
HIPAA Key Provisions
- Access to Medical Records
- Notice of Privacy Practices
- Limits on Use of Personal Medical Information
- Prohibition on Marketing
- Stronger State Laws Will Trump
- Confidential Communications
- Complaints
Who Does HIPAA Apply to?
- Covered Entities (CEs) and their Business Associates (BAs)
- The Privacy Rule requires covered entities to establish policies and procedures to protect the confidentiality of Protected Health Information (PHI) about their patients
- Covered entities must provide protections for patients, such as providing notice of their privacy practices and limiting the use and disclosure of information as required under the rule
Health Plans and Providers
- Written Privacy Procedures
- Employee Training
- Privacy and Security Officer Designation
- Public Responsibilities
- Equivalent Requirements for Government
Health Information Technology for Economic and Clinical Health Act (HITECH)
- HITECH is a part of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5)
- Changes to the HIPAA Privacy and Security Rules:
  - Apply the HIPAA privacy and security requirements directly to Business Associates (BAs);
  - Establish mandatory federal security breach reporting requirements for HIPAA covered entities and their BAs;
  - Create new privacy requirements for HIPAA covered entities and their BAs, including new accounting requirements and restrictions on marketing and fundraising; and
  - Establish new criminal and civil penalties for noncompliance and new enforcement responsibilities.
HITECH (cont.)
- Security Requirements: the HITECH Act expands the scope of the HIPAA Privacy and Security Rule by applying most of the Rule's provisions to BAs
- Privacy Requirements: Section 13404 requires BAs to comply with the privacy terms required in HIPAA BA agreements
- Criminal and Civil Penalties: the Act makes HIPAA's criminal and civil penalties applicable to BAs
- Set Meaningful Use of interoperable Electronic Health Record (EHR) adoption in the national health care system as a critical national goal and incentivized EHR adoption
Meaningful Use
- Incentive payments under Medicaid to those who adopt and use certified EHRs
- Starting in 2015, hospitals and doctors will be subject to financial penalties under Medicare if they are not using EHRs
- Three main components of Meaningful Use:
  - Use of a certified EHR in a meaningful manner, such as e-prescribing
  - Use of certified EHR technology for electronic exchange of PHI to improve quality of health care
  - Use of certified EHR technology to submit clinical quality and other measures
- Provides grants for development of Health Information Exchange (HIE)
Final Omnibus Rule
- Effective date: March 26, 2013
- Compliance date: September 23, 2013, with one exception: existing BA agreements must be revised by September 22, 2014
- Implements privacy, security and enforcement measures under HIPAA and HITECH
- Affects both covered entities and BAs
- Burden of proof and presumption under the Omnibus Rule
Relationships Between Regulations (diagram)
- Privacy and Security: HIPAA, ARRA/HITECH, Omnibus Rule
- Shift to electronic records and information exchanges
- Continuing duty to stay current: compliance training
- Covered Entities and Business Associates must address these challenges
The Audits are Coming!
How is the Office of Civil Rights (OCR) implementing this audit program?
- Audit program will be off and running in the beginning of 2014
- Hiring internal auditors and coordinating efforts of contract auditors
- Will be leveraging civil penalties! Penalties will be used to fund audit activities
- $4.5 million in fines recovered so far
The Audits are Coming (cont'd)
What should be expected from an audit?
- Much more targeted audits, especially for repeat offenders
- Will be driven by vulnerabilities seen year to year
- Many breaches occur at the Business Associate (BA) level, not the Covered Entity (CE) level
- BAs should be prepared for audit, per OCR!
The Audits are Coming (cont'd)
What should CEs and BAs do to prepare?
- Review all HIPAA-related policies (Privacy, Security and Data Breach Communication)
- Update policies as needed and perform/document any needed training for staff
- Confirm that any State HIPAA requirements are addressed
- Confirm that staff are actually following the policies
- Confirm that Business Associate Agreements exist for all BAs and that the Agreements include up-to-date language that includes the Omnibus Rule
The Audits are Coming (cont'd)
What should CEs and BAs do to prepare?
- Perform regular risk assessments; risk analysis is weak throughout the healthcare industry
- Encourage CEs and BAs to encrypt PHI
"Their [OCR] analysis shows that the best, cost effective method to protect information and reduce risk is to encrypt."
- Leon Rodriguez, Director, Health and Human Services, Office of Civil Rights
Compliance matrix (columns: Regulation/Initiative; Review Policies; Review BA Agreements; Technology Implemented; Compliance Training)
- Security, HIPAA/Omnibus Rule: Policies and BA Agreements: both CEs and BAs liable, now is the time to review!!! Technology: DLP, Encryption, Penetration Testing. Training: custom training for your organization, actionable.
- Incident Response/Remediation, CMIA (or state equivalent): Policies: Incident Response/Remediation.
- Information Governance/Records Retention: Policies: know where all of your data is (cloud, on prem, for how long, how do you get it back? etc.). Technology: Archive, Classification, Records Management, Expiry, Cloud, SaaS, Mobility, Virtualization. Training: custom training for your organization, actionable.
- Litigation Profile: Policies: know where all of your data is (cloud, on prem, for how). Technology: archive and in-house tools for collection/review. Training: ediscovery Best Practices Module.
Compliance Training
- Self-reporting is still a duty, but secondary as the regulatory environment becomes more aggressive for CEs and BAs
- Out-of-the-box compliance programs and policies do not necessarily consider a CE's unique environment and can be insufficient from a regulatory point of view
- The business processes and technologies organizations have are an integral part of compliance training, especially for emerging technologies that present e-risk
- Granular reporting capabilities and easy content updates
- Remediation of risks through education and feedback from employees and BAs
Data Breach and Litigation
The Second District Court of Appeal ruled Tuesday, October 15, 2013 that a hospital's negligent storage of medical data culminating in its loss during a burglary does not give rise to a private action if no unauthorized parties actually viewed or otherwise accessed the data.
Regents v. Superior Court (Platter), Second District Court of Appeal, Judge Perluss
http://www.courts.ca.gov/opinions/documents/b249148.PDF
Recap for CEs and BAs (diagram)
- Regulation/Initiative: Security, Meaningful Use, HIPAA/Omnibus Rule, HITECH, CMIA (or state equivalent), Information Governance/Records Retention
- Areas affected: Policy Creation, Privacy, Litigation, Compliance, Security
Key Trends to Watch
- Covered Entities and their Business Associates will be forced into an Information Governance overhaul via HIPAA auditing and enforcement
  http://www.clearwellsystems.com/e-discovery-blog/2012/04/11/take-two-and-call-me-in-the-morning-u-s-hospitals-need-an-information-governanceremedy/
- Medical fraud will be exposed due to heightened sensitivity to regulators and their audits
  http://www.acfcs.org/regulators-perfect-storm-hippa-audits-and-more-medical-fraud/
- HIPAA assessments will become a common business process for CEs and BAs, on a more frequent basis
- Increased litigation against CEs and BAs for data breach, HIPAA/state equivalent violations, and medical fraud
  www.clearwellsystems.com/e-discovery-blog/2012/11/12/where-theres-smoke-theres-fire-poweringediscovery-with-data-loss-prevention/
- Health and Human Services OCR Office: WWW.HHS.GOV/OCR/PRIVACY/
http://lawatlas.org/preview?dataset=public-health-departments-andstate-patient-confidentiality-laws&id=524d6ce339fac3cd03d79295
Questions and Answers