AUDITING TECHNIQUES TO ASSESS FRAUD RISKS IN ELECTRONIC HEALTH RECORDS



Similar documents
HIPAA Security Rule Compliance

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

HIPAA Compliance Guide

HIPAA and Mental Health Privacy:

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA Compliance: Are you prepared for the new regulatory changes?

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Hospital Certified Electronic Health Record (EHR) Technology Questionnaire

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

HIPAA and HITECH Compliance for Cloud Applications

HIPAA Information Security Overview

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

FINAL May Guideline on Security Systems for Safeguarding Customer Information

SECURITY RISK ASSESSMENT SUMMARY

HIPAA Security Alert

HIPAA Compliance Evaluation Report

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

DHHS Information Technology (IT) Access Control Standard

C.T. Hellmuth & Associates, Inc.

plantemoran.com What School Personnel Administrators Need to know

VMware vcloud Air HIPAA Matrix

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Datto Compliance 101 1

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Information Systems Access Policy

Your responses will be saved every time you click the NEXT button.

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA and Health Information Privacy and Security

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

Security Is Everyone s Concern:

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Healthcare Management Service Organization Accreditation Program (MSOAP)

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA Compliance Guide

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

State HIPAA Security Policy State of Connecticut

CHIS, Inc. Privacy General Guidelines

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians

Authorized. User Agreement

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

HIPAA Security Checklist

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA Security. assistance with implementation of the. security standards. This series aims to

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Joseph Suchocki HIPAA Compliance 2015

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Greenway Marketplace. Hear from GSG Compliance & White Plume November 14, 2013

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?

HIPAA Compliance for Students

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

HIPAA and HITECH Regulations

Health Information Privacy Refresher Training. March 2013

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013

HIPAA Security Education. Updated May 2016

Electronic Signature, Attestation, and Authorship

HIPAA Security COMPLIANCE Checklist For Employers

Patient Privacy and HIPAA/HITECH

Dissecting New HIPAA Rules and What Compliance Means For You

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure User Guide. Version 1.0.

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

HIPAA Requirements and Mobile Apps

IT Security Management Risk Analysis and Controls

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

A Technical Template for HIPAA Security Compliance

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Bridging the HIPAA/HITECH Compliance Gap

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

The Impact of HIPAA and HITECH

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Transcription:

AUDITING TECHNIQUES TO ASSESS FRAUD RISKS IN ELECTRONIC HEALTH RECORDS

OBJECTIVE Increase your IT vocab so that you can assess the risks related to your audits of EHRs and/or EHR related data

AGENDA What is an EHR? challenges facing ALL auditors and assessing risks copy&paste / cloning electronic signatures versioning access (password) controls logging

BACKGROUND 2009 American Recovery & Reinvestment Act electronic health records HITECH ACT meaningful use incentive payments $$$

IT S AN EHR! DUH! HITECH ACT electronic health record meaningful use/incentive payments improve health care

SECURITY REQUIREMENTS access control emergency access automatic log-off integrity audit log encryption authentication

CHALLENGES cloning copy&paste electronic signatures versioning passwords logging

Security Objective LOW MODERATE HIGH The unauthorized disclosure The unauthorized The unauthorized disclosure of Confidentiality of information could be disclosure of information information could be expected to Preserving authorized expected to have a limited could be expected to have a have a severe or catastrophic adverse restrictions on information adverse effect on organizational serious adverse effect on effect on organizational operations, access and disclosure, including means for protecting operations, organizational organizational operations, organizational assets, or individuals. personal privacy and assets, or individuals. organizational assets, or proprietary information. individuals. Integrity Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. Availability Ensuring timely and reliable access to and use of information. POTENTIAL IMPACT DEFINITIONS FOR SECURITY OBJECTIVES The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

CLONING 09.24.2012 President s Warning Letter 02.13.13 AHIMA acknowledged non-compliance remained an issue make me the author copying vital signs templates

AUDIT CHALLENGES: CLONING Document Review Legitimate Rate of Frequency

RISK ASSESSMENT: CLONING policies & procedures automated find features / advanced data analytics cloning detection tools

PASSWORDS EHR Audit Findings What type of lock do you have?

PASSWORDS minimum 8 characters, complex unable to reuse passwords prohibit group/shared passwords

RISK ASSESSMENT: PASSWORDS start with p&ps crack the sam file test: ask someone to reset his/her password

EHR SIGNATURES digitized signatures button, PIN, Biometric digital signature

DIGITAL SIGNATURE

RISK ASSESSMENT: EHR SIGNATURES Multiple, dual, co-signatures On behalf of another Auto-attestation Batch signing Scribes/Assistants Amendments, corrections, retractions, deletions

9 REASONS WHY LOGGING IS AN AUDITOR S BFF Detecting unauthorized access to patient information Detecting new threats and intrusion attempts Addressing compliance with regulatory and accreditation requirements Reducing the risk associated with inappropriate accesses Responding to patient privacy concerns Evaluating the overall effectiveness of policy and user education Providing forensic evidence Tracking disclosures of PHI Establishing a culture of responsibility and accountability

AUDIT LOGGING CONTEXT name application workstation id event (e.g. modification, deletion, etc.)

HIPAA SECURITY RULE Section 164.308(a)(1)(ii)(c), Information system activity review (required), which states organizations must "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." Section 164.312(1)(b), Audit controls (required), which states organizations must "implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

EHR VERSIONING What s the latest version? How many? When was it installed? Are there similar features for a Mac vs. Windows? Tablets? Desktops? iphones?

HITECH PENALTIES Tier A -offender didn t realize he or she violated the Act and would have handled the matter differently if he or she had. $100 fine for each violation, cannot exceed $25,000 for the calendar year. Tier B -violations due to reasonable cause, but not willful neglect. The result is a $1,000 fine for each violation, and the fines cannot exceed $100,000 for the calendar year. Tier C - violations due to willful neglect that the organization ultimately corrected. The result is a $10,000 fine for each violation, and the fines cannot exceed $250,000 for the calendar year. Tier D -violations of willful neglect that the organization did not correct. The result is a $50,000 fine for each violation, and the fines cannot exceed $1,500,000 for the calendar year.

QUESTIONS/COMMENTS?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information