
Office of Civil Rights HIPAA Audits – READY OR NOT – HERE THEY COME
Prepared for KALHD Midyear Meeting
Presenter: Susan Thomas, MHSA, CHC®, CIA, CRMA, CPC®
June 21, 2017

Objectives
§ Understand the Office of Civil Rights (“OCR”) Health Information Technology for Economic and Clinical Health (“HITECH”) audit program
§ Review lessons learned from Phase 1 audits
§ Discuss the scope and selection for Phase 2 audits
§ Determine Health Insurance Portability and Accountability Act (“HIPAA”) audit readiness
§ Review a breach investigation case study
§ Consider additional resources
Prepared for KALHD Midyear Meeting Page 1

The HITECH Audit Program
§ The HITECH Act Section 13411 requires the U.S. Department of Health and Human Services (“HHS”) to perform periodic audits of covered entity (“CE”) and business associate (“BA”) HIPAA compliance.
§ OCR views this program as a method to expand its capacity to ensure compliance with HIPAA.
§ In 2011, OCR established a pilot audit program and developed an audit protocol.
§ In 2012, OCR used the protocol to evaluate the HIPAA compliance efforts of 115 covered entities.

First Round of OCR HIPAA Audits
§ Notification letters from KPMG
  § Included a request for documents and onsite review scheduling information
§ Initial 20 entities selected for Phase 1 audits:
  § Physicians – 3
  § Clearinghouses – 2
  § Hospitals – 3
  § Dentist – 1
  § Pharmacy – 1
  § Laboratory – 1
  § Post-acute care facilities – 1
  § Medicaid – 1
  § Group health plans – 3
  § State Children’s Health Insurance Program (“SCHIP”) – 1
  § Health insurance issuer – 3

Phase 1 Audit Findings
§ General Findings
  § Privacy Issues
  § Security Issues
  § Breach Notification
§ Reasons for findings
  § Entity unaware of the requirements
  § Lack of application of sufficient resources
  § Incomplete implementation
  § Complete disregard

Phase 1 Audit Lessons
§ Don't wait until you get an audit letter to think about HIPAA compliance.
§ Risk assessment and analysis are a big deal.
§ Relevant training is crucial – all employees must understand their role.
§ Addressable security standards are important – especially encryption.
§ A binder of policies and procedures is not sufficient.

Phase 2 Audits – Scope and Selection
§ Scope
  § OCR is concentrating on protected health information (“PHI”) security and on the areas of non-compliance noted in Phase 1
  § Audits include both CEs AND BAs
  § Audits started in 2016 and will take place over 3 years
§ CE Selection
  § Pre-audit screening surveys – Spring 2015
  § Random selection of CEs through the National Provider Identifier (“NPI”) database and other external sources
§ BA Selection
  § Screening surveys identified BAs
  § IT-related BAs and non-IT-related BAs selected from the survey pool

HIPAA Audit Readiness
§ Each OCR Priority Item must have an appropriate Action Step:
  § Risk Analysis and Risk Management
  § Device & Media Controls
  § Transmission Security
  § Encryption
  § Facility Access
  § Breach Notification and Reporting
  § Individual Right to Access to PHI
  § Notice of Privacy Practices
  § Training
  § Defined Policies

Additional Steps to Prepare for Audits
§ Maintain a complete list of BAs with current contact information and an associated inventory of signed, upstream and downstream BA agreements.
§ Alternative Security Measures
  § If any of the Security Rule’s addressable implementation specifications have not been implemented, ensure that the following is formally documented:
    § Why the implementation specification was not “reasonable” and “appropriate”, as defined by OCR
    § The alternative security measures implemented

OCR Audit Reviews
§ Data requests
§ Response content
§ Response timeline
§ OCR evaluation of response
§ Completion
§ Clarifications
§ Desk and on-site audits
§ Feedback from OCR

Case Study
§ Small Health System
  § Hospital
  § Physician Practices
  § Outpatient Departments
  § Post-Acute Care Facilities
§ Use of a contracted vendor for online bill payment
§ Business Associate Agreement
§ Unknown subcontractor
§ Information security issue
§ 8,500 patients

Additional Resources
§ OCR’s security risk analysis tool for small providers:
  § http://www.healthit.gov/providers-professionals/securityriskassessment-tool
§ OCR and NIST guidance on the Security Rule, including links to relevant NIST publications:
  § http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
§ Security risk analysis self-assessment
§ Assessment tools and model policies and procedures for CEs and BAs

Questions?

Susan Thomas, MHSA, CHC®, CIA, CRMA, CPC®
Consulting Manager
sthomas@pyapc.com
PERSHING YOAKLEY & ASSOCIATES, P.C.
800.270.9629 | www.pyapc.com