The HITECH Act authorizes HHS to conduct periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules. As a result, OCR, through the use of KPMG audit services, has begun to develop a pilot audit program.
Audits will give OCR an ability to assess privacy and security protections and compliance issues on a systemic level, and to identify potential vulnerabilities to help entities prevent problems before they occur. This will complement the incident-based work that HHS currently conducts with respect to investigations.
Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; checking consistency of process to policy; and observation of compliance with regulatory requirements.
After each site visit KPMG will submit an audit report. Audit reports consist of the following information:
• Best practices noted
• Raw data collection materials such as completed checklists and interview notes
• Future oversight recommendations
• Findings (if any):
  o The defect or noncompliant status observed, and evidence of each
  o A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
  o The reason that the condition exists, along with identification of supporting documentation used
  o Recommendations for addressing each finding
• Acknowledgement of any best practice(s) or success(es)
• Overall assessment
In addition, OCR will decide on the resolution approach for each finding based on the severity of the finding.
EHR 2.0 OCR HIPAA audit advisory services help healthcare organizations prepare for the audit by:
1) Assessing the current policies and procedures
2) Identifying key gaps and risk areas based on ePHI created, transmitted, received and stored
3) Training
4) Risk analysis
5) Plans to mitigate risks identified
Visit our OCR audit resource section to learn more: http://ehr20.com/ocr-hhs-hitech-hipaa-audit-resources/
2. Webinar Objectives
To provide knowledge and background information on the OCR/HHS HIPAA/HITECH audit program and to provide guidelines for preparing and keeping records.
E-mail: info@ehr20.com
3. Who are we …
EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.
Education (Training, Webinar & Workshops)
Consulting Services
Toolkit (Tools, Best Practices & Checklist)
Goal: To make compliance an enjoyable and painless experience, while building capability and confidence.
4. Glossary
1. HHS, OCR, DOJ and SAG:
2. PHI:
3. Findings:
4. HIPAA: Health Insurance Portability and Accountability Act
5. HITECH: Health Information Technology for Economic and Clinical Health Act
5. HITECH
HITECH modifications to HIPAA include:
Creating incentives for developing a meaningful use of electronic health records
Changing the liability and responsibilities of Business Associates
Redefining what a breach is
Creating stricter notification standards
Tightening enforcement
Raising the penalties for a violation
Creating new code and transaction sets (HIPAA 5010, ICD10)
6. Why do you need to care about OCR/HHS Audit (Enforcement)?
Federal Mandate
Penalties (CMP) for non-compliance
Reputation risk
Business risk
Increased number of breaches and attacks
7. Common fallacies related to OCR audit
“Our compliance officer handles everything – there’s no need to involve anyone else.”
“We’re compliant; therefore, we’re secure.”
“The last time we had an audit they didn’t find anything of concern.”
“We have a security policy to keep our systems protected.”
“We have a certified EHR system.”
8. Why OCR/HHS audit? (HHS Version)
To assess HIPAA compliance efforts by a range of covered entities
Opportunity to examine mechanisms for compliance and identify best practices
Discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.
9. Enforcement Authorities
Office for Civil Rights (OCR)
  Investigates complaints filed with HHS
  Imposes civil money penalties
Department of Justice (DOJ)
  Investigates criminal violations
State Attorney General (SAG)
  Civil actions on behalf of state residents
Civil Money Penalties
12. Information Security Model
Confidentiality: Limiting information access and disclosure to authorized users (the right people)
Integrity: Trustworthiness of information resources (no inappropriate changes)
Availability: Availability of information resources (at the right time)
13. Covered Entity
HIPAA applies to any entity that is a:
Health care provider - a provider of medical or other health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business
Health care clearinghouse - a public or private entity that does billing services, re-pricing companies, community health management information systems or community health information systems, etc.
Health plan - an individual or group plan that provides, or pays the cost of, medical care
https://www.cms.gov/hipaageninfo/downloads/CoveredEntityCharts.pdf
14. Business Associates
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate.
Examples:
A third party administrator that assists a health plan with claims processing.
A CPA firm whose accounting services to a health care provider involve access to protected health information.
An attorney whose legal services to a health plan involve access to protected health information.
A consultant that performs utilization reviews for a hospital.
A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
An independent medical transcriptionist that provides transcription services to a physician.
A pharmacy benefits manager that manages a health plan’s pharmacist network.
15. OCR HITECH Audit Status
KPMG to conduct 150 audits during 2012
20 audits completed
In the pilot phase, OCR is auditing eight health plans, two claims clearinghouses plus 10 provider organizations, including three hospitals, three physicians' offices, and a laboratory, a dental office, a nursing/custodial facility and a pharmacy.
16. How does HHS notify healthcare organizations of an audit?
Sample letter (figure)
22. How to organize for an OCR/HHS Audit?
Diagram: the OCR Compliance Audit, with the following components:
Policies and procedures
Risk Analysis and Mgmt.
Documentation
BA Agreement and Contracts
Training
23. Policies and Procedures
Physical Security Policy
  Maintenance record
  Disposal
  Access
Information Security Policy
  Access Policy
  Sanction Policy
  Contingency Plan Policy
  Security Incident Procedure/Breach
24. Documentation
Privacy and Security Notices
Health Record Request Log
Training Logs
PHI/Chart Access Review
25. Business Associate Cycle
Diagram of the parties Covered Entity, BA, HHS/OCR and Sub-contractors:
Covered Entity – BA: BA Contract; Breach Notification; Assessment (Tier 1)
HHS/OCR: HIPAA Privacy and Security Rule; Minimum Necessary; Breach Notification
Sub-contractors (engaged by the BA)
26. Sample Risk Analysis Template
Rows are Impact, columns are Likelihood (High / Medium / Low):
Impact High, Likelihood High: Unencrypted laptop ePHI
Impact High, Likelihood Medium: Lack of auditing on EHR systems
Impact High, Likelihood Low: Missing security patches on web server hosting patient information
Impact Medium, Likelihood High: Unsecured wireless network in doctor’s office
Impact Medium, Likelihood Medium: Outdated anti-virus software
Impact Medium, Likelihood Low: External hard drives not being backed up
Impact Low, Likelihood High: Sales presentation on USB thumb drive
Impact Low, Likelihood Medium: Web server backup tape not stored in a secured location
Impact Low, Likelihood Low: Weak password on internal document server
27. PHI
Diagram of nested sets: Health Information contains Individually Identifiable Health Information, which contains PHI.
28. ePHI – 18 Elements
Element: Examples
Name: Max Bialystock
Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code): 1355 Seasonal Lane
Dates related to an individual: Birth, death, admission, discharge
Telephone numbers: 212 555 1234, home, office, mobile etc.
Fax number: 212 555 1234
Email address: LeonT@Hotmail.com, personal, official
Social Security number: 239-68-9807
Medical record number: 189-88876
Health plan beneficiary number: 123-ir-2222-98
Account number: 333389
Certificate/license number: 3908763 NY
Any vehicle or other device serial number: SZV4016
Device identifiers or serial numbers: Unique Medical Devices
Web URL: www.rickymartin.com
Internet Protocol (IP) address numbers: 19.180.240.15
Finger or voice prints: finger.jpg
Photographic images: mypicture.jpg
Any other characteristic that could uniquely identify the individual
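As an added example (not EHR 2.0's code or tooling), a small Python scanner for the pattern-shaped elements in this table, run over a constructed sample record built from the table's own example values; names, addresses and record numbers are deliberately left undetected to show that regex discovery alone does not de-identify a record:

```python
import re

# Regex-detectable categories from the 18-element list above. Names, addresses,
# record/account numbers and biometrics have no fixed shape, so they are NOT
# covered: a scan that stops here is discovery, not complete de-identification.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"),   # also fax numbers
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\b(?:https?://|www\.)[\w./-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

def _spans(text):
    """All (start, end, category, value) matches, sorted by position."""
    spans = [(m.start(), m.end(), cat, m.group())
             for cat, rx in PATTERNS.items() for m in rx.finditer(text)]
    spans.sort()
    return spans

def find_identifiers(text):
    """Return (category, value) pairs in order of appearance."""
    return [(cat, val) for _, _, cat, val in _spans(text)]

def redact(text):
    """Replace each detected identifier with a [CATEGORY] token."""
    out, pos = [], 0
    for start, end, cat, _ in _spans(text):
        if start < pos:          # overlaps a span already redacted
            continue
        out.append(text[pos:start])
        out.append("[%s]" % cat.upper())
        pos = end
    out.append(text[pos:])
    return "".join(out)

# Constructed sample record built from the table's own example values.
SAMPLE = ("Patient Max Bialystock, SSN 239-68-9807, DOB 3/14/1955, "
          "phone 212 555 1234, email LeonT@Hotmail.com, "
          "portal www.rickymartin.com, last login from 19.180.240.15.")

if __name__ == "__main__":
    for cat, val in find_identifiers(SAMPLE):
        print(cat, val)
    print(redact(SAMPLE))   # the name survives: regex alone is not enough
```

The redacted output still contains "Max Bialystock", which is the point: the free-text elements in the table need a dictionary, NLP or manual review on top of this.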
30. Handheld Usage in Healthcare
• 25% usage with providers
• Another 21% expected to use
• 38% physicians use medical apps
• 70% think it is a high priority
• 1/3 use hand-held for accessing EMR/EHR
Source: CompTIA 2011 Survey
33. Social Media
How does your practice use it?
How do your employees use it?
Do you have policies?
34. Cloud-based services
Public Cloud
Private Cloud
Hybrid
Examples: EHR Applications; Private-label e-mail; Archiving of Images; File Sharing; On-line Backups
HIPAA regulations remain barriers to full cloud adoption.
Cloud Computing is taking all batch processing and farming it out to huge central or virtualized computers.
35. Top 5 Recommendations
1. Ensure encryption on all protected health information in storage and transit (at least de-identification).
2. Implement a mobile device security program.
3. Strengthen information security user awareness and training programs.
4. Ensure that business associate due diligence includes a clearly written contract and a periodic assessment of tier 1 BAs.
5. Minimize sensitive data capture, storage and sharing.
36. What happens after an OCR/HHS audit?
OCR will attempt to resolve the case with the covered entity by obtaining:
1. Voluntary compliance
2. Corrective action which might include penalty
3. Resolution agreement
OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.
37. Where do you start?
Identify privacy/security requirements: Contract, Law, Legal, Regulation
Adopt & Develop Program: Review Security Model/Framework; Breach/Incident Management; Administrative, Technical and Physical
Assess the program: Document, Monitor, Governance, Improve
38. Key Takeaways
The HITECH act enforces HIPAA guidelines with new audit, penalty and notification requirements, etc.
ePHI elements drive the security and compliance requirements
There is no silver bullet for audit issues. It is a journey of continuous assessment and improvement
40. Next Steps
Don’t wait till the last minute
Sample policies and procedures kit with 4-hour OCR audit advisory consulting ($1500)
http://ehr20.com/services/
Next Live Webinars:
Social Media Compliance for Healthcare Professionals (4/11/2012)
Meaningful Use Security Risk Analysis (4/18/2012)
Sign-up at ehr20.com/webinars
This pie chart gives you an idea of the numbers involved in the total stimulus of 2009, though much of the money was dedicated to longer term projects. We see that the expenditures under HITECH were only budgeted at 5% of the stimulus.
Will be discussing txn. sets in unit 2.
HITECH changed the privacy and security landscape by imposing a direct legal obligation on business associates (“BAs”) of entities covered by HIPAA’s requirements (“covered entities,” or “CEs”) to comply with many new and existing requirements under the HIPAA privacy regulations (“Privacy Rule”) and security regulations (“Security Rule”). Further, HITECH imposes new data breach notification obligations on CEs and BAs and enhances enforcement authority with respect to HIPAA violations.
New Privacy Requirements for Business Associates - We will define BA and Breach in more detail a bit later.
Breach notification
Use and disclosure limitations apply directly to business associates
Minimum necessary principle applies directly, must use limited datasets
Increased penalties
Business Associates directly liable for violations
Business Associate Agreements must be amended
Business Associates must impose same requirements on subcontractors that access PHI
Brief overview of this with emphasis on where we are going later.
What do you think: does HIPAA apply to every organization or just to some? Refer to the link for a workflow to decide whether your organization is a covered entity.
This is the sample letter covered entities would get if they’re part of an audit.
As per OCR, the selected entities will be audited based on the government auditing standard, which is available in our resources section.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
2011 and 2012
Each fallacy needs to be supported with real-world examples.
Any device that electronically stores or transmits information using a software program
Computers include PCs/Laptops/Desktop
Networking – To connect internal and external parties
Medical Devices – E.g., RFID Devices (CIA + Accountability)
Scanner, Fax Machines and Photocopiers are not considered technology assets by many folks
VoIP phones
Mobile devices like smart phones and tablets (iPad)
Any information stored on the internet is stored somewhere on the cloud, which has less control
An HIE automates the transfer of health-related information that is typically stored in multiple organizations, while maintaining the context and integrity of the information being exchanged. An HIE provides access to and retrieval of patient information to authorized users in order to provide safe, efficient, effective and timely patient care. Formal organizations have been formed in a number of states and regions that provide technology, governance and support for HIE efforts. Those formal organizations are termed health information organizations (HIO) or even regional health information organizations (RHIO). Key: multi-directional.
Rao – we need to provide details on HIPAA compliance for cloud based services. This is brand new area and needs to be discussed thoroughly. Srini
Identify the privacy/security legal requirements that apply to your organization, whether by law, regulation or contract
Driven by industry sector, type of information and jurisdiction
Laws, regs, contracts, enforcement are all sources of law
Adopt measures to address those requirements
Administrative (policies, procedures, training, governance, etc.)
Physical
Technical
Program must be fully documented
Program must be periodically assessed and updated (often required by law, but always a good idea)
Review your privacy notices (web, hard copy, etc.)
Legal requirements
Overpromising
Leaving out material information
Including how a cloud provider’s involvement implicates privacy promises
Create a breach response plan
Not just a security incident response plan
Notification plan
Understand exposure to regulators, clients, customers, banks in advance