The HITECH Act authorizes HHS to conduct periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules. As a result, OCR, through the use of KPMG audit services, has begun to develop a pilot audit program. Audits will give OCR an ability to assess privacy and security protections and compliance issues on a systemic level, and to identify potential vulnerabilities to help entities prevent problems before they occur. This will complement the incident-based work that HHS currently conducts with respect to investigations. Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy, observation of compliance with regulatory requirements After each site visit KPMG will submit an audit report. Audit reports consist of the following information: Best practices noted Raw data collection materials such as completed checklists and interview notes Future oversight recommendations Findings(if any): o The defect or noncompliant status observed, and evidence of each o A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation o The reason that the condition exists, along with identification of supporting documentation used o Recommendations for addressing each finding • Acknowledgement of any best practice(s) or success(es). Overall assessment In addition, OCR will decide on the resolution approach for each finding based on the severity of the finding. EHR 2.0 OCR HIPAA audit advisory services help healthcare organizations prepare for the audit by: 1) Assessing the current policies and procedures 2) Identifying key gaps and risk areas based on ePHI created, transmitted , received and stored 3) Training 4) Risk analysis 5) Plans to mitigate risks identified Visit our OCR audit resource section to learn more: http://ehr20.com/ocr-hhs-hitech-hipaa-audit-resources/

1. OCR/HHS HIPAA/HITECH
Audit Preparation
1

2. Webinar Objectives
To provide knowledge and background
information on OCR/HHS
HIPAA/HITECH audit program and to
provide guidelines for preparing and
keeping records.
E-mail: info@ehr20.com
2

3. Who are we …
EHR 2.0 Mission: To assist healthcare
organizations develop and implement
practices to secure IT systems and comply
with HIPAA/HITECH regulations.
 Education(Training, Webinar & Workshops)
 Consulting Services
 Toolkit(Tools, Best Practices & Checklist)
Goal: To make compliance an enjoyable and painless
experience, while building capability and confidence.

4. Glossary
1. HHS, OCR, DOJ and SAG:
2. PHI:
3. Findings:
4. HIPAA: Health Insurance Portability and
Accountability Act
5. HITECH: Health Information Technology for
Economic and Clinical Health Act
4

5. HITECH
HITECH modifications to HIPAA including:
 Creating incentives for developing a meaningful use of
electronic health records
 Changing the liability and responsibilities of Business
Associates
 Redefining what a breach is
 Creating stricter notification standards
 Tightening enforcement
 Raising the penalties for a violation
 Creating new code and transaction sets (HIPAA 5010,
ICD10) 5

6. Why do you need to care about
OCR/HHS Audit (Enforcement)?
 Federal Mandate
 Penalties(CMP) for non-compliance
 Reputation risk
 Business risk
 Increased number of breaches and attacks
6

7. Common fallacies related to OCR audit
 “Our compliance officer handles everything – there’s no
need to involve anyone else.” “We’re compliant; therefore,
we’re secure.”
 “The last time we had an audit they didn’t find anything of
concern.”
 “We have a security policy to keep our systems protected.”
 “We have a certified EHR system.”
7

8. Why OCR/HHS audit? (HHS Version)
 To assess HIPAA compliance efforts by a range
of covered entities
 Opportunity to examine mechanisms for
compliance and identify best practices
 Discover risks and vulnerabilities that may not
have come to light through OCR’s ongoing
complaint investigations and compliance
reviews.
8

9. Enforcement Authorities
 Office for Civil Rights (OCR)
 Investigating complaints filed with HHS
 Impose civil money penalties
 Department of Justice (DOJ)
 Investigates criminal violations
 State Attorney General (SAG)
 Civil actions on behalf of state residents
 Civil Money Penalties
9

10. HIPAA Titles - Overview
10

11. HIPAA Security Rule
11

12. Information Security Model
Confidentiality
Limiting information access and
disclosure to authorized users (the right
people)
Integrity
Trustworthiness of information
resources (no inappropriate changes)
Availability
Availability of information resources (at
the right time)
12

13. Covered Entity
 HIPAA applies to any entity that is a
 Health care provider - of services as a provider of
medical or other health services, and any other
person or organization who furnishes, bills, or is paid
for health care in the normal course of business
 Health care clearinghouse - public or private entity
that does billing services, re-pricing companies,
community health management information systems
or community health information systems, etc
 Health plan - means an individual or group plan that
provides, or pays the cost of, medical care
https://www.cms.gov/hipaageninfo/downloads/ 13
CoveredEntityCharts.pdf

14. Business Associates
 a person or entity that performs certain functions or
activities that involve the use or disclosure of protected
health information on behalf of, or provides services to, a
covered entity. A member of the covered entity’s
workforce is not a business associate.
Examples:
 A third party administrator that assists a health plan with claims processing.
 A CPA firm whose accounting services to a health care provider involve access to
protected health information.
 An attorney whose legal services to a health plan involve access to protected health
information.
 A consultant that performs utilization reviews for a hospital.
 A health care clearinghouse that translates a claim from a non-standard format into a
standard transaction on behalf of a health care provider and forwards the processed
transaction to a payer.
 An independent medical transcriptionist that provides transcription services to a
physician. 14
 A pharmacy benefits manager that manages a health plan’s pharmacist network.

15. OCR HITECH Audit Status
 KPMG to conduct 150 during 2012
 20 audits completed
 In the pilot phase, OCR is auditing eight health
plans, two claims clearinghouses plus 10 provider
organizations, including three hospitals, three
physicians' offices, and a laboratory, a dental
office, a nursing/custodial facility and a pharmacy.
15

16. How does HHS notify healthcare
organizations of an audit?
Sample
letter
16

17. Federal Audits
241 Pages
17

18. OCR Audit Schedule
Every covered entity and business associate is eligible
for an audit.
18
From HHS.gov site

19. OCR
Audit
Program
Civil Money
Penalties
19

20. 20

21. Top 5 issues investigated
Year Issue 1 Issue 2 Issue 3 Issue 4 Issue 5
2010 Impermissible Uses & Safeguards Access Minimum Notice
Disclosures Necessary
2009 Impermissible Uses & Safeguards Access Minimum Complaints to
Disclosures Necessary Covered
Entity
2008 Impermissible Uses & Safeguards Access Minimum Complaints to
Disclosures Necessary Covered
Entity
21

22. How to organize for an OCR/HHS Audit?
Policies
and
procedures
Risk
Analysis Document
and -ation
Mgmt.
OCR
Compliance
Audit
BA
Agreement
and
Training
Contracts

23. Policies and Procedures
 Physical Security Policy
 Maintenance record
 Disposal
 Access
 Information Security Policy
 Access Policy
 Sanction Policy
 Contingency Plan Policy
 Security Incident Procedure/Breach
23

24. Documentation
 Privacy and Security Notices
 Health Record Request Log
 Training Logs
 PHI/Chart Access Review
24

25. Business Associate Cycle
Covered
BA HHS/OCR
Entity
• BA Contract • HIPAA Privacy and
• Breach Notification Security Rule
• Assessment (Tier 1) • Minimum Necessary
• Breach Notification
Sub-
contractors
25

26. Sample Risk Analysis Template
Likelihood
High Medium Low
High Unencrypted Lack of auditing on Missing security
laptop ePHI EHR systems patches on web server
hosting patient
information
Impact
Medium Unsecured Outdated anti-virus External hard drives
wireless network software not being backed up
in doctor’s office
Sales presentation Web server backup Weak password on
Low on USB thumb tape not stored in a internal document
drive secured location server
26

27. PHI
Health
Information
Individually
Identifiable
Health
Information
PHI
27

28. ePHI – 18 Elements
Elements Examples
Name Max Bialystock
1355 Seasonal Lane
Address (all geographic subdivisions smaller than state,
including street address, city, county, or ZIP code)
Dates related to an individual Birth, death, admission, discharge
212 555 1234, home, office, mobile etc.,
Telephone numbers
212 555 1234
Fax number
Email address LeonT@Hotmail.com, personal, official
Social Security number 239-68-9807
Medical record number 189-88876
Health plan beneficiary number 123-ir-2222-98
Account number 333389
Certificate/license number 3908763 NY
Any vehicle or other device serial number SZV4016
Device identifiers or serial numbers Unique Medical Devices
Web URL www.rickymartin.com
Internet Protocol (IP) address numbers 19.180.240.15
Finger or voice prints finger.jpg
Photographic images mypicture.jpg
Any other characteristic that could uniquely 28
identify the individual

29. Trends in Healthcare IT
Informatics Collaboration
Mobile EHR
Computing HIE
29

30. Handheld Usage in Healthcare
• 25% usage with providers
• Another 21% expected to use
• 38% physicians use medical
apps
• 70% think it is a high priority
• 1/3 use hand-held for accessing EMR/EHR
30
compTIA 2011 Survey

31. EMR and EHR systems
31

32. Health Information Exchange (HIE)
32

33. Social Media
 How does your practice use it?
 How do your employees use it?
 Do you have policies?
33

34. Cloud-based services
 Public Cloud
 EHR Applications
HIPAA regulations  Private-label e-mail
remain barriers to full
cloud adoption
 Private Cloud
 Archiving of Images
 File Sharing
Cloud Computing is taking
all batch processing, and  On-line Backups
farming it out to a huge
central or virtualized
 Hybrid 34
computers.

35. Top 5 Recommendations
1. Ensure encryption on all protected health information
in storage and transit.(at least de-identification)
2. Implement a mobile device security program.
3. Strengthen information security user awareness and
training programs.
4. Ensure that business associate due diligence includes
clearly written contract, a periodic assessment of tier 1
BAs
5. Minimize sensitive data capture, storage and sharing.
35

36. What happens after an OCR/HHS audit?
OCR will attempt to resolve the case with the covered
entity by obtaining:
1. Voluntary compliance
2. Corrective action which might include penalty
3. Resolution agreement
OCR will not post a listing of audited entities or the findings of an
individual audit which clearly identifies the audited entity.
36

37. Where do you start?
Identify privacy/security requirements
Contract Law
Legal Regulation
Adopt & Develop Program
Review Security Model/Framework
Breach/Incident Management
Administrative, Technical and Physical
Assess the program
Document Monitor
37
Governance Improve

38. Key Takeaways
 HITECH act enforces HIPAA guidelines with new audit,
penalties, notifications requirements etc.,
 ePHI elements drives the security and compliance
requirements
 There is no silver bullet for audit issues. It is a journey of
continuous assessment and improvement
38

39. References
 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/in
dex.html
 http://ehr20.com/resources
 http://www.natlawreview.com/practice-groups/healthcare-
HIPPA-Stark-law-professional-licensing-Medicare-
Medicaid-fraud-abuse-audits-kickback-false-claims
39

40. Next Steps
 Don’t’ wait till the last minute
 Sample polices and procedures kit with 4-hour OCR audit
advisory consulting ($1500)
 http://ehr20.com/services/
 Next Live Webinars:
 Social Media Compliance for Healthcare Professionals (4/11/2012)
 Meaningful Use Security Risk Analysis (4/18/2012)
Sign-up at ehr20.com/webinars
40

41. Questions?
E-mail: info@ehr20.com
Call: 802-448-2255
41

42. Thank you!!
42