OCR/HHS HIPAA Phase 2 Audit Update - EHR 2.0 (slide deck transcript; uploaded 16-Jul-2020)

TRANSCRIPT

Page 1

EHR20.COM | [email protected] | 866-276-8309

OCR/HHS HIPAA Phase 2 Audit Update

Page 2

Thank you for joining us today

27 July, 2016

To purchase reprints of this document, please email [email protected].

Page 3

WHO WE ARE …

We assist healthcare organizations in developing and implementing practices to secure IT systems and comply with HIPAA/HITECH regulations.

DIY TOOLKIT: tools, best practices and checklists
EDUCATION: online training, webinars and customized workshops
CONSULTING: professional services to help you with your compliance needs

Page 4

Disclaimer: consult your attorney

ALL WEBINARS ARE RECORDED AND AVAILABLE AS AN “ON DEMAND” SUBSCRIPTION

This webinar has been provided for educational and informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.

Page 5

TODAY’S AGENDA

1. HIPAA & HITECH Basics
2. Recent HHS Settlements
3. Phase 1 Overview
4. Phase 2 Launch
5. Phase 2 Program Overview
6. Phase 2 Desk Audit
7. Key Takeaways
8. Questions & Answers

Page 6

TERMS YOU MAY HEAR …

Acronyms:
• HHS: Department of Health and Human Services
• HIPAA: Health Insurance Portability and Accountability Act
• PHI: Protected Health Information
• OCR: Office for Civil Rights (the HHS office that enforces HIPAA)
• HITECH: Health Information Technology for Economic and Clinical Health Act

Page 7

HITECH MODIFICATIONS TO HIPAA

• Creating incentives for developing a meaningful use of electronic health records
• Changing the liability and responsibilities of Business Associates
• Redefining what a breach is
• Creating stricter notification standards
• Tightening enforcement
• Raising the penalties for a violation
• Creating new code and transaction sets (HIPAA 5010, ICD-10)

Since 2011 Medicare/Medicaid have paid more than $20 billion in incentives for adopting EHR.

Page 8

PROTECTED HEALTH INFORMATION BASICS (Review)

PHI: Health Data
1. Medical records: electronic and paper case histories, treatment records, tests, charts, progress reports, X-rays, MRIs
2. Claims
3. Payments
4. Eligibility
5. Other health plan related insurance data

PII: Patient Identifiable Information
1. Name
2. Address
3. Dates related to an individual
4. Telephone numbers
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate/license number
12. Any vehicle or other device serial number
13. Device identifiers or serial numbers
14. Web URL
15. Internet Protocol (IP) address
16. Finger or voice prints
17. Photographic images
18. Any other characteristic that would uniquely identify the individual

PII, when combined with health data, becomes PHI.

Page 9

HIPAA/HITECH RULES (Review)

• Privacy Rule: confidentiality of PHI
• Security Rule: protection of ePHI
• Breach Notification Rule: notification

Covered Entities and Business Associates

Page 10

Civil Money Penalties in 2016

• Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) – July 21, 2016
• Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University – July 18, 2016
• Business Associate’s failure to safeguard nursing home residents’ PHI leads to $650,000 HIPAA settlement – June 29, 2016
• Unauthorized filming for “NY Med” results in $2.2 million settlement with New York Presbyterian Hospital – April 21, 2016
• and many more …

Page 11

Penalties

Violation category | Each violation | All such violations of an identical provision in a calendar year
Did Not Know | $100–$50,000 | $1,500,000
Reasonable Cause | $1,000–$50,000 | $1,500,000
Willful Neglect – Corrected | $10,000–$50,000 | $1,500,000
Willful Neglect – Not Corrected | $50,000 | $1,500,000

Page 12

OCR Audit Program / Civil Money Penalties

Page 13

Phase 2 Program Overview

1. Communication from OCR
2. Pre-audit Questionnaire
3. Sample Selection
4. Desk Audit
5. Onsite Audit
6. Potential Compliance Review

Page 14

Summary: Phase 1 Audit Results – “Bad news travels fast”

• KPMG conducted 115 CE audits during 2012
• Published OCR audit program protocol
  – Security criteria: 78
  – Privacy criteria: 81
  – Breach Notification criteria: 10
• Phase 2 program
  – Covered entities and BAs in scope

“It takes many good deeds to build a good reputation, and only one bad one to lose it.” – Benjamin Franklin

Page 15

How does HHS notify healthcare organizations?

Page 16

OCR Audit Protocol

1) Privacy Rule requirements:
   (1.1) Notice of privacy practices for PHI
   (1.2) Rights to request privacy protection for PHI
   (1.3) Access of individuals to PHI
   (1.4) Administrative requirements
   (1.5) Uses and disclosures of PHI
   (1.6) Amendment of PHI
   (1.7) Accounting of disclosures
2) Breach Notification Rule requirements
3) Security Rule requirements:
   (3.1) Administrative safeguards
   (3.2) Physical safeguards
   (3.3) Technical safeguards

Page 17

Phase 2 Desk Audit Update

On July 11, 2016, OCR notified 167 Covered Entities of their selection to participate in the HIPAA desk audits.

Phase 2 audits will:
• Include both Covered Entities (CE) and Business Associates (BA)
• Be comprised of 200-250 audits in total
• Over 200 desk audits
• A smaller number of comprehensive on-site audits

Phase II is designed to enable OCR to examine mechanisms for compliance:
- Identify industry best practices
- Discover risks and vulnerabilities not surfaced through enforcement activities
- Enable OCR to get out in front of problems before they result in breaches

Page 18

Phase 2 Audit: Selection Process

OCR identified pools of CEs that represent a wide range of health care providers, health plans and health care clearinghouses, to better assess HIPAA compliance across the industry.

• Sampling criteria included size, affiliations, location, public or private, etc.
• Health plans were divided into group plans and issuers, and providers were further categorized by type:
  o hospital, practitioner, elder care/SNF, health system, pharmacy
• OCR then ran a randomized selection algorithm that drew from each of the categories, resulting in 167 CEs.

Page 19

Phase 2: Next Steps

• The covered entity desk audits are now underway, and will continue through the end of the year
• Desk audit scope is limited to a total of 7 controls drawn from the Security Rule (SR), the Privacy Rule (PR) and the Breach Notification Rule (BNR). Entities will be audited either on SR controls or on PR & BNR compliance
• Onsite audits will begin in early 2017
• Onsite audits will evaluate auditees against a comprehensive set of HIPAA compliance controls
• A desk auditee may also be subject to an onsite audit

Page 20

Phase 2: Next Steps

Covered entities have 10 business days to provide their responses:
• Responses should contain the specified documentation: applicable policies, procedures and evidence of implementation
• Complete and relevant materials

The desk audits of BAs will commence in late September:
• The same rules and expectations apply to the BA auditees
• The selection pool of BAs is largely drawn from the BAs identified by the CEs

Page 21

Phase 2: Documentation Submission Process

Sent to selected auditees via email:
• Comprised of two separate requests
  o one listing policies, procedures, and/or other related documentation
  o one requesting a list of all the CE’s BAs
• Specify the documentation elements to be provided
• BA listings must be returned electronically, via email, to OCR within 10 business days
• All other items must be submitted using the secure online portal link provided in the notification email
• If a CE does not have the requested documentation, it must submit an explanation for the deficiency in its response

Page 22

Phase 2: What happens after the audit?

After review of submitted documentation:
• OCR will develop and share draft findings with the entity. The entity may respond to the draft findings; such written responses will be included in the final audit report
• Final audit reports will describe how the audit was conducted, present any findings, and contain entity responses to the draft findings
• Under OCR’s separate, broad authority to open compliance reviews, OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of PHI are revealed through the audit

Page 23

Phase 2: Requirements Selected for Desk Audit Review

Privacy Rule
• Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
• Provision of Notice – Electronic Notice [§164.520(c)(3)]
• Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule
• Timeliness of Notification [§164.404(b)]
• Content of Notification [§164.404(c)(1)]

Security Rule
• Security Management Process – Risk Analysis [§164.308(a)(1)(ii)(A)]
• Security Management Process – Risk Management [§164.308(a)(1)(ii)(B)]

Page 24

How to organize for an OCR/HHS Audit?

HHS/OCR Audit preparation areas:
1. Policies and procedures
2. Documentation
3. Training
4. BA Agreements and Contracts
5. Risk Analysis and Management

Page 25

1. Policies and Procedures

• Master Security Policy
• Master Privacy Policy
• Master Breach Policy

Supporting policies:
• Physical Security Policy (maintenance record, disposal, access)
• Information Security Policy
• Access Policy
• Sanction Policy
• Contingency Plan Policy
• Security Incident Procedure/Breach

Page 26

2. Documentation

• Privacy and Security Notices
• Health Record Request Log
• Training Logs
• PHI/Chart Access Review

Potentially up to 6 years’ worth of documentation is required.

Page 27

3. Training

• Senior Management
• CIO
• Privacy and Security Officers
• Workforce handling PHI
• IT Team

Training and communication are a key part of interview outcomes.

Page 28

4. BA Agreements

A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information.

Keep an up-to-date list of BA vendors.

Page 29

5. Sample Risk Analysis Template

Impact \ Likelihood | High | Medium | Low
High | Unencrypted laptop with ePHI | Lack of auditing on EHR systems | Missing security patches on web server hosting patient information
Medium | Unsecured wireless network in doctor’s office | Outdated anti-virus software | External hard drives not being backed up
Low | Sales presentation on USB thumb drive | Web server backup tape not stored in a secured location | Weak password on internal document server
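The template above is only the grid; what an auditor asks for under the risk-analysis and risk-management requirements is the register behind it and the prioritized mitigation list derived from it. Below is an added example of that register, not code from the original deck or from EHR 2.0; the 1-3 ordinal scale, the score threshold of 6 and the function names are assumptions, and the ratings simply follow the cell each item occupies on the slide.

```python
from dataclasses import dataclass

# Ordinal scale for the three levels used on the slide's matrix (assumed 1..3).
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    threat: str       # what could go wrong to ePHI
    likelihood: str   # "Low" | "Medium" | "High"
    impact: str       # "Low" | "Medium" | "High"

    @property
    def score(self) -> int:
        # Likelihood x impact on the 1..3 scale gives a 1..9 risk score.
        return LEVELS[self.likelihood] * LEVELS[self.impact]


# Constructed register: the nine sample risks from the slide, rated by the
# matrix cell the slide places each one in. Illustrative ratings, not OCR's.
REGISTER = [
    Risk("Unencrypted laptop holding ePHI", "High", "High"),
    Risk("Lack of auditing on EHR systems", "Medium", "High"),
    Risk("Missing security patches on web server hosting patient information", "Low", "High"),
    Risk("Unsecured wireless network in doctor's office", "High", "Medium"),
    Risk("Outdated anti-virus software", "Medium", "Medium"),
    Risk("External hard drives not being backed up", "Low", "Medium"),
    Risk("Sales presentation on USB thumb drive", "High", "Low"),
    Risk("Web server backup tape not stored in a secured location", "Medium", "Low"),
    Risk("Weak password on internal document server", "Low", "Low"),
]


def matrix(register):
    """Group threats into (impact, likelihood) cells, i.e. the slide's 3x3 grid."""
    cells = {(imp, lik): [] for imp in LEVELS for lik in LEVELS}
    for r in register:
        cells[(r.impact, r.likelihood)].append(r.threat)
    return cells


def remediation_order(register):
    """Highest score first; ties go to the higher-impact item (an exposure of
    ePHI outranks a likely but minor event), then alphabetical for stability."""
    return sorted(register, key=lambda r: (-r.score, -LEVELS[r.impact], r.threat))


def risk_management_plan(register, threshold=6):
    """Split the register into risks needing a documented mitigation now
    (score >= threshold, an assumed cut-off) and risks accepted and monitored:
    the paired evidence a desk audit asks for under risk analysis and management."""
    ordered = remediation_order(register)
    return {
        "mitigate_now": [r.threat for r in ordered if r.score >= threshold],
        "monitor": [r.threat for r in ordered if r.score < threshold],
    }
```

Re-run the register after each mitigation and keep the dated outputs; the series of snapshots is the "evidence of implementation" the response must contain, not just the latest grid.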

Page 30

KEY TAKEAWAYS

Planning ahead is key to successfully managing an HHS/OCR audit.

• Desk Audits are underway!
• OCR will base its audit only on the documents submitted in the specified electronic process.
• Business Associate desk audits will commence in the Fall, and the selection pool will be comprised largely of the BAs identified by the CEs in their document responses
• Comprehensive onsite audits of both CEs and BAs will begin in early 2017
• Policies, documentation and risk analysis are key areas of focus during an OCR audit
• There is no silver bullet for audit preparation. It is a journey of continuous assessment and improvement

Page 31

REFERENCES

• HHS Civil Money Penalties
• HHS Wall of Shame
• HIPAA Audit Phase 2 Program – FAQ
• OCR Phase 2 Audit – Q & A

#HIPAASocial

Page 32

CALL US: 866-276-8309
SERVICE: [email protected]
LOCATION: 150 Cornerstone Dr., Cary, NC
SOCIALIZE: Facebook, Twitter
FIND US: Twitter @ehr_20, Facebook ehr20

Page 33

Thank you for your attention

Page 34

Questions: please don’t hesitate to ask