Presentation for AITP: "What You Need to Know to Be Prepared for HIPAA-HITECH and MU Audits from CMS and the OCR"
Friday, October 10, 2014, 8am
Table of Contents
About ComplyAssistant ... 4
Definitions ... 5
OCR and MU Audits, High Level Discussion ... 6
OCR Audits ... 8
MU Audits ... 12
MU Objectives and Measures ... 14
OCR Audit Scope ... 17
Prepare Now ... 29
Q+A ... 32
Contact Information ... 33
About ComplyAssistant
We provide software and professional consulting services for healthcare IT and compliance.
The ComplyAssistant Software Application is a cloud portal for documenting and managing compliance activities:
Rule content and guidance
Secure communication and collaboration
All evidence is centrally organized
Unlimited regulations, even beyond MU
The only client requirement is a supported browser (IE9 and above, Chrome, Firefox)
User training uses the "Train the Trainer" approach; no technical training is required.
The major recent focus of our professional consulting services has been HIPAA-HITECH Privacy, Security and Breach Notification Rule assessments, and the MU measure that requires an information security risk assessment of EMR systems.
Definitions
OCR – Office of Civil Rights
MU – Meaningful Use of Certified EMR
EMR – Electronic Medical Record System
Certified – EMR has been tested and certified for technical safeguards
CE – Covered Entity under the rules
BA – Business Associate
EH – Eligible Hospital under the MU Rule
CAH – Eligible Critical Access Hospital under the MU Rule
EP – Eligible Professional (physician practices) under the MU Rule
OCR and MU Audits – High Level Discussion
OCR Audits cover the HIPAA-HITECH Privacy, Security and Breach Notification Rules.
All healthcare covered entities and BAs are eligible to be audited.
Notice is 2 weeks.
MU Audits cover all objectives and measures of the MU Rule, and can occur after attestation either pre-payment (sooner) or post-payment (later).
OCR and MU Audits – High Level Discussion
Our MU scope for this presentation is the MU measure that requires an information security risk assessment of certified EMR systems.
For both kinds of audits, covered entities must be able to provide documented evidence of due diligence and operational compliance in the form of policies and procedures, audits, assessments, risk mitigation, incident management, third-party contract and risk management, etc.
OCR Audits
Based on the published OCR Audit Protocols, which translate into approximately 200 questions regarding information privacy, security and breach notification.
Can include a physical security walk-through of facilities along with random workforce interviews.
Can be proactive (2 weeks' notice) or reactive (based on an incident or a complaint).
Can apply to all healthcare covered entities (providers, payers, and clearinghouses), along with HIPAA-HITECH business associates.
History and Statistics
OCR's Overall Cause Analysis for Phase 1 is as follows¹:
For every finding and observation cited in the audit reports, OCR has identified a "cause."
The most common cause (30 percent) across all entities was "entity unaware of the requirement."
Most of these related to elements of the rules that explicitly state what a CE must do to comply.
History and Statistics
Other causes include:
Lack of application of sufficient resources
Incomplete implementation
Complete disregard
In Phase 2 audits, OCR can select any CE along with a number of BAs that will be audited through the CEs.
Selected CEs will receive notification and data requests in fall 2014. OCR will begin to select BAs for review in 2015.
History and Statistics
In 2014, the plan is to audit as follows:
Privacy: 33 health plans, 67 providers.
Security: 45 health plans, 100 providers, and 5 clearinghouses.
Breach Notification: 31 health plans, 65 providers, and 4 clearinghouses.
In 2015, the plan is to audit 50 BAs, all in security.
Also keep in mind that the OCR will conduct reactive audits due to an incident such as a breach.
MU Audits
Apply to eligible hospitals, critical access hospitals, and eligible professionals.
Long-term care healthcare organizations and certain physician practices are not eligible for MU incentive payments under the MU Rule.
Eligible healthcare organizations must implement certified EMR technology and meet measures that are defined for multiple stages (currently Stages 1 and 2 are final); incentive payments are available in most cases from both state (Medicaid) and federal (Medicare) programs.
MU Audits
EHs can receive millions of dollars in MU incentive payments; EPs can receive thousands.
Some or all of the MU payments can be at risk during an audit, for example if an information security risk assessment was not conducted during the respective reporting timeframe for an MU Stage and Year.
MU Objectives and Measures
MU requirements are organized into objectives and measures.
For information security risk assessment, the objectives and measures are:
MU Core Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
MU Core Measure 15 for Stage 1: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
MU Objectives and Measures
MU Core Measure 16 for Stage 2: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the risk management process.
MU Objectives and Measures
The MU measures reference §164.308(a)(1) Security Management - Implement policies and procedures to prevent, detect, contain, and correct security violations; specifically §164.308(a)(1)(ii)(A) Risk Analysis - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity; and §164.308(a)(1)(ii)(B) Risk Management - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
OCR Audit Scope
Basically covers the entire HIPAA-HITECH Privacy, Security and Breach Notification Rules.
The following slides illustrate the standards and implementation specifications of each rule.
HIPAA – HITECH Security Rule (slides 18 through 21: tables of the Security Rule standards and implementation specifications; the table content was not captured in the text)
HIPAA – HITECH Privacy Rule (slides 22 through 27: tables of the Privacy Rule standards and implementation specifications; the table content was not captured in the text)
HIPAA – HITECH Breach Notification Rule (slide 28: table of the Breach Notification Rule standards and implementation specifications; the table content was not captured in the text)
Prepare Now
Get organized and implement an oversight governance committee.
Do thorough assessments to identify gaps and to create a risk mitigation road map.
Go for best practice in order to be ready for both OCR and MU audits.
The major goal is to reduce the risk of a breach of PHI.
Keep policies and procedures up to date.
Conduct audits to confirm policy compliance.
Prepare Now
Document, Document, Document:
Policies
Operational compliance (e.g. sanctions, training, testing of plans)
Incidents and mitigation
Physical security audits
Other proactive audits
BA agreements and assessments
Risk mitigation
Etc.
ComplyAssistant
Q+A
Any remaining questions?
We can use this slide to document any questions that require follow-up.
Contact Information
Gerry Blass
President & CEO
ComplyAssistant
www.complyassistant.com
732-845-9508 office
732-539-5827 mobile
Thank You!!
"What You Need to Know to Be Prepared for HIPAA-HITECH and MU Audits from CMS and the OCR"
Friday, October 10, 2014, 8am