Office of Civil Rights HIPAA Audits: READY OR NOT – HERE THEY COME
Prepared for KALHD Midyear Meeting
Presenter: Susan Thomas, MHSA, CHC®, CIA, CRMA, CPC®
June 21, 2017

Objectives
- Understand the Office of Civil Rights (“OCR”) Health Information Technology for Economic and Clinical Health (“HITECH”) audit program
- Review lessons learned from Phase 1 audits
- Discuss the scope and selection for Phase 2 audits
- Determine Health Insurance Portability and Accountability Act (“HIPAA”) audit readiness
- Review a breach investigation case study
- Consider additional resources

The HITECH Audit Program
- The HITECH Act Section 13411 requires the U.S. Department of Health and Human Services (“HHS”) to perform periodic audits of covered entity (“CE”) and business associate (“BA”) HIPAA compliance.
- OCR views this program as a method to expand its capacity to ensure compliance with HIPAA.
- In 2011, OCR established a pilot audit program and developed an audit protocol.
- In 2012, OCR used the protocol to evaluate the HIPAA compliance efforts of 115 covered entities.

First Round of OCR HIPAA Audits
- Notification letters from KPMG
  - Included a request for documents and onsite review scheduling information
- Initial 20 entities selected for Phase 1 audits:
  - Physicians – 3
  - Clearinghouses – 2
  - Hospitals – 3
  - Dentist – 1
  - Pharmacy – 1
  - Laboratory – 1
  - Post-acute care facilities – 1
  - Medicaid – 1
  - Group health plans – 3
  - State Children’s Health Insurance Program (“SCHIP”) – 1
  - Health insurance issuer – 3

Phase 1 Audit Findings
- General findings
  - Privacy issues
  - Security issues
  - Breach notification
- Reasons for findings
  - Entity unaware of the requirements
  - Lack of application of sufficient resources
  - Incomplete implementation
  - Complete disregard

Phase 1 Audit Lessons
- Don't wait until you get an audit letter to think about HIPAA compliance.
- Risk assessment and analysis are a big deal.
- Relevant training is crucial – all employees must understand their role.
- Addressable security standards are important – especially encryption.
- A binder of policies and procedures is not sufficient.

Phase 2 Audits – Scope and Selection
- Scope
  - OCR is concentrating on protected health information (“PHI”) security and the non-compliance noted in Phase 1
  - Audits include both CEs and BAs
  - Audits started in 2016 and will take place over 3 years
- CE selection
  - Pre-audit screening surveys – Spring 2015
  - Random selection of CEs through the National Provider Identifier (“NPI”) database and other external sources
- BA selection
  - Screening surveys identified BAs
  - IT-related and non-IT-related BAs selected from the survey pool

HIPAA Audit Readiness
- Each OCR priority item must have an appropriate action step:
  - Risk analysis and risk management
  - Device and media controls
  - Transmission security
  - Encryption
  - Facility access
  - Breach notification and reporting
  - Individual right of access to PHI
  - Notice of Privacy Practices
  - Training
  - Defined policies

Additional Steps to Prepare for Audits
- Maintain a complete list of BAs with current contact information and an associated inventory of signed upstream and downstream BA agreements.
- Alternative security measures
  - If any of the Security Rule’s addressable implementation specifications have not been implemented, ensure that the following is formally documented:
    - Why the implementation specification was not “reasonable” and “appropriate”, as defined by OCR
    - The alternative security measures implemented

OCR Audit Reviews
- Data requests
  - Response content
  - Response timeline
- OCR evaluation of response
  - Completion
  - Clarifications
- Desk and on-site audits
- Feedback from OCR

Case Study
- Small health system
  - Hospital
  - Physician practices
  - Outpatient departments
  - Post-acute care facilities
- Use of a contracted vendor for online bill payment
  - Business associate agreement
  - Unknown subcontractor
  - Information security issue
  - 8,500 patients

Additional Resources
- OCR’s security risk analysis tool for small providers:
  - http://www.healthit.gov/providers-professionals/securityriskassessment-tool
- OCR and NIST guidance on the Security Rule, including links to relevant NIST publications:
  - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
- Security risk analysis self-assessment
- Assessment tools and model policies and procedures for CEs and BAs

Questions?

Susan Thomas, MHSA, CHC®, CIA, CRMA, CPC®
Consulting Manager
sthomas@pyapc.com
PERSHING YOAKLEY & ASSOCIATES, P.C.
800.270.9629 | www.pyapc.com