TRANSCRIPT
12/11/2013
1
December 13th, 2013
www.cynergistek.com
Securing the Mission of Care
Game Changers: Understanding Impacts of OCR Audits & the Omnibus Rule
Gulf Coast Regional Annual Conference
Presented on behalf of Mac McMillan by:
Melissa Stice Larson, VP of Audit Compliance Services
CynergisTek, Inc.
Today’s Presenter
• Melissa Stice Larson, Vice President of Audit Compliance Services for CynergisTek, Inc.
• Certified Information Systems Auditor, Certified Internal Auditor and Certified Fraud Examiner.
• Audited Meaningful Use Readiness and Metric Validation for the past three years at the nation’s largest faith-based Health System.
• 15 years’ experience in IT Auditing for Medicare, Medicaid and Healthcare compliance.
Agenda
• Changing Security Landscape
• The Omnibus Rule
• 2012 OCR Audits Results & Outlook
• Achieving Readiness Awareness
• Wrap Up/Questions
“Who Moved My Computer?”
[Slide graphic listing the drivers of change: Increased Reliance/Regulation, Mobile Devices, Physician Alignment, Business Associates, Patient Engagement, Accountable Care Organization, Meaningful Use, ICD-10, Research, Telemedicine, Medical Devices, Health Information Exchange, Mobile Applications]
Where’s My Data?
• 90% of companies will support corporate applications on personal mobile devices by 2014 – Gartner, Nov. 2011
• By 2016, over 350 million will use their smartphones for work. – Forrester, April 2012
• 900 Million tablets in the market, 980 Million Smartphones shipping annually by 2015 – Gartner, Sept. 2011
• Embrace the inevitable, the Borg will prevail…
• 98% of all clinical staff report using texting on a regular basis to consult, review results, place orders/instructions, etc.
You Never Call Anymore…
• Email, calendars, contacts
• Text messages
• Pictures
• Video recording
• Audio recording
• Internet access
• Application access
• Uploading/downloading data, images and music
• Scanning barcodes/QR Codes
• Transactions
• Every once in a while a phone call is made…maybe
2013 Threat Outlook: More…
In 2012 healthcare retains the number one position in total number of breaches reported, and fifth in overall identities exposed. The total number of breaches reported in healthcare exceeds 80 thousand when considering those of less than 500 records.
– Symantec Internet Security Threat Report
Quote: “Since no boundaries exist in cyber space, health care records are attractive targets for transnational organized criminal enterprises. Once the cyber criminals steal your information, recovery by law enforcement is very difficult.”
– Scott E. Augenbaum, Federal Bureau of Investigation
The Real Cost of Incidents
[Diagram: Incident/Breach, with the cost factors shown: Discovery, Notification & Response; Business Disruption; ID Theft Monitoring; Size of Breach; Investigation/Review; Law Suit Defenses; State Actions; CAP/RA; Civil Penalties; Criminal Penalties; Insurance; Patient Confidence/Loyalty]
The real cost of privacy and security incidents is lost productivity, fewer dollars for positive initiatives and negative reputational impacts.
The Audit Program
HITECH: Establishes Requirement
• The American Recovery & Reinvestment Act 2009, in Section 13411, requires HHS to conduct periodic audits to ensure covered entities and business associates are meeting HIPAA compliance requirements
• The OCR Random Audit Program commenced FY 2012 and initial audits were completed CY 2012
• Audits expected to resume sometime after October 2013
Selection Categories
Level 1 Entities
• Large Provider / Health Plan
• Extensive use of HIT – complicated HIT-enabled clinical/business work streams
• Revenues and/or assets greater than $1 billion
Level 2 Entities
• Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company
• Paper and HIT-enabled work flows
• Revenues and/or assets between $300 million and $1 billion
Level 3 Entities
• Community hospitals, outpatient surgery, regional pharmacy / All Self-Insured entities that don’t adjudicate their claims
• Some but not extensive use of HIT – mostly paper-based workflows
• Revenues between $50 million and $300 million
Level 4 Entities
• Small Providers (10 to 50 Provider Practices, Community or rural pharmacy)
• Little to no use of HIT – almost exclusively paper-based workflows
• Revenues less than $50 million
2012 Entities Selected
Audit Procedure/Timeline
Audit Protocol Basics
• Procedures, key activities and requirements
• Covers security, privacy and breach notification
• Follows GAPP model
• Guides process only
• Dynamic and compartmented
• Available at hhs.gov/ocr
Applying Audit Protocol
• Inquire of management…
• Obtain and review policies and procedures…
• Obtain and review evidence/documentation…
• If CE has chosen not to fully implement, then must have documentation of why…
Interesting Observations
• 10% of selectees had no audit findings; 10% of selectees were totally unprepared for audit
• Significantly fewer findings for those entities who fully implemented addressable specifications
• Three biggest contributing factors for non-compliance: insufficient resources applied, incomplete implementations and complete disregard
• Most common reasons for non-compliance given: unaware of the requirement, didn’t understand what to do and not a priority
Size, Security & Providers
[Three pie charts; labels and slice values as extracted]
• By Rule: Security, Privacy, Breach (60%, 30%, 10%)
• By Level: Level 1, Level 2, Level 3, Level 4 (20%, 20%, 19%, 41%)
• By Type: Provider, Health Plan, Clearinghouse (65%, 32%, 3%)
Privacy Outcomes by Issue
[Pie chart; slice values as extracted: 18%, 8%, 17%, 7%, 9%, 11%, 4%, 2%]
• Business Associates
• Identity Verification
• Minimum Necessary
• Authorizations
• Deceased Individuals
• Personal Representatives
• Judicial and Administrative Procedures
• Group Health Plan Requirements
Privacy Outcomes by Function
[Pie chart; slice values as extracted: 26%, 47%, 11%, 15%]
• Training
• Policies & Procedures
• Complaints
• Sanctions
Security Outcomes by Issue
[Pie chart; slice values as extracted: 12%, 14%, 7%, 18%, 4%, 14%, 8%, 14%, 9%]
• Risk Analysis
• Access Management
• Security Incident Procedures
• Contingency Planning and Backups
• Workstation Security
• Media Movement and Destruction
• Encryption
• Audit Controls and Monitoring
• Integrity Controls
What’s Next/When
• Complete OCR audit program evaluation, all elements
• Reviewing feedback from audited organizations
• Identify changes to program elements and update process and protocol (Omnibus)
• Develop technical assistance for industry based on results of audits
• Determine where follow up is appropriate
• Resume audits and include Business Associates
The Omnibus Rule
Another HITECH Gift
• The American Recovery & Reinvestment Act 2009 identifies several changes to the Privacy & Security Rules
• Effective date for all provisions was March 26, 2013
• Enforcement date for most provisions was September 23, 2013
• Business Associate agreements in force prior to January 25, 2013 may be grandfathered until September 23, 2014
Omnibus Changes
• Implements more elements of the HITECH Act
• Specifically changes to breach, privacy, security and enforcement rules
• Does not address:
– Minimum Necessary
– Accounting for Disclosures
– Distribution of CMPs, or
– Changes to other requirements such as SAMHSA, CLIA or the Common Rule
Breach Notification
• An impermissible acquisition, access, use or disclosure of protected health information
• Presumed to be reportable
• Unless the entity can demonstrate through risk analysis that there is a low probability that protected health information has been compromised
• Risk of Harm consideration is removed
Breach Notification
• To demonstrate low probability of compromise the entity must:
– Document a risk analysis
– Address four factors of consideration:
   – The nature and extent of PHI involved
   – The unauthorized person who used the PHI or to whom the disclosure was made
   – Whether the PHI was actually acquired or viewed
   – The extent of mitigation present
• Other factors may also be considered
Breach Notification
• Notifications of breaches affecting 500 or more
– Without undue delay, within 60 days of discovery
• Notifications of breaches affecting fewer than 500
– Within 60 days of the end of the calendar year in which the breach was discovered
– Looking at options to make submissions easier
Privacy Updates
• Expanded categories (department, treating physician, outcomes, insurance status) of PHI that may be used for fundraising, with greater and more restrictive provisions for opting out and notification as part of NPP
• Expanded definition of what uses and disclosures are considered marketing and therefore require authorization, tied to financial remuneration
– Guidance on Prescription Refills and other Biologics issued September 19, 2013
• Omnibus generally prohibits an entity from receiving payment for PHI without consent; certain exceptions apply
Privacy Updates
• Omnibus introduces multiple changes to what is permitted under authorizations for research
• Omnibus limits application of HIPAA to decedent information (50 yrs) and communications with individuals involved with the decedent after death
– Guidance on Decedent Information released on September 19, 2013
• Relaxed requirements around disclosure of student immunization records
– Guidance on Student Immunizations released September 19, 2013
Privacy Updates
• Omnibus defines genetic information as health information and applies protections, including a prohibition on a health plan using such information in underwriting
• Provides for restrictions to access to information if the individual pays in cash, in full, to the health plan; subsequent notifications are the responsibility of the patient
Privacy Updates
• Omnibus provides for expanded Rights of Access and to request restrictions
– Expands the right to an electronic copy of any PHI stored electronically in a designated record set
– The preamble of the rule states that entities will need to invest in additional technology to meet this requirement
– Individual has a right to direct that the information be sent to another individual
– Information may be transmitted using unencrypted email so long as the entity warns the recipient of the risks
– Provides 30 days fewer to provide information (30/30 rule)
• Updates to Notice of Privacy Practices required
Notice of Privacy Practices
• Duty to notify individuals of breach of unsecured PHI
• May not refuse to restrict access to record when patient pays in full in cash
• May contact for fundraising with right to opt out of fundraising communications
• Plans: restriction from using or disclosing genetic information for underwriting purposes
• Types of uses and disclosures requiring authorization
• Statement that patients may revoke authorization
Business Associates
• Expands definition of Business Associate to any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity
• Also identifies subcontractors, patient safety organizations, health information organizations, e-prescribing gateways and vendors of personal health records
• Omnibus makes BAs directly liable for the Security Rule and parts of the Privacy Rule
• Omnibus makes CEs and BAs responsible for the actions of their “Agents”
• Omnibus reminds CEs to use Business Associate Agreements, but makes it clear that BAs are liable regardless
Business Associates Must
• Must provide appropriate protection for electronic protected health information
• Must observe rules regarding uses and disclosures
• Must make notification to CE in case of a breach
• Must provide an e-copy of PHI if requested as specified in contract
• Must disclose PHI to HHS when conducting a compliance review/investigation
• Must provide an accounting for disclosure
• Must comply with the HIPAA Security & elements of the Privacy Rule
New Enforcement Paradigm
• Omnibus Rule retains the definition of willful neglect as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA.
• Requirement to proceed to informal resolution first removed.
• Omnibus redefines reasonable cause for determination of penalties:
– The nature and extent of any violation, including the number of individuals affected and the duration of the violation;
– The nature and extent of any individual’s resulting physical, financial, or reputational harm, including any hindrance to the individual’s ability to obtain health care;
– The history of prior noncompliance, including similar prior indications of non-compliance and the offending party’s responses to them;
– The financial condition of the offending party, including difficulties that could have affected compliance or that could cause a money penalty to jeopardize the future provision of health care; and
– Such other matters as justice may require.
Wrap Up & Questions
The Focus Remains
Privacy & Security matters for three primary reasons:
• To ensure patient safety and quality of care
• To respect patient rights and protect personal privacy
• To provide adequate protections for patient information and meet regulatory requirements
• To seek balance between operations and protection
• To enable the mission of the organization
Plan For Success
Rules and regulations will come, audits will happen, incidents will occur:
• Build a program on industry standards
• Assess and measure effectiveness of controls regularly
• Focus on building a culture of compliance and accountability
• Engage business associates proactively
Prepare For Success
The effectiveness of any security program is determined by its measurement:
• Implement active auditing and testing of controls
• Conduct regular technical testing of enterprise and controls
• Perform routine risk analysis of enterprise and changes
• Employ mock audits for realism and to heighten awareness and training
Thank You
For more information please check out the CynergisTek blog site.
www.cynergistek.com
Melissa Stice Larson
Vice President, Audit Compliance
(512) 402-8550 x7017
Mac McMillan, [email protected]
(512) 402-8555