Office for Civil Rights HIPAA Audits: Preparing Your Clients and Yourself
TRANSCRIPT
Prepared for The Florida Bar – Health Law Section
Presenter: Susan Thomas, MHSA, CHC®, CIA, CRMA, CPC®
February 3, 2017
REPRESENTING THE PHYSICIAN: IT IS HARDER THAN IT LOOKS
Objectives
- Understand the Office for Civil Rights (OCR) Health Information Technology for Economic and Clinical Health (HITECH) audit program
- Review lessons learned from Phase 1 audits
- Discuss the scope and selection process for Phase 2 audits
- Determine Health Insurance Portability and Accountability Act (HIPAA) audit readiness
- Review a breach investigation case study
- Consider additional resources
The HITECH Audit Program
The HITECH Act Section 13411 requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered entity (CE) and business associate (BA) HIPAA compliance.
OCR views this program as a method to expand its capacity to ensure compliance with HIPAA.
In 2011, OCR established a pilot audit program and developed an audit protocol.
In 2012, OCR used the protocol to evaluate the HIPAA compliance efforts of 115 covered entities.
First Round of OCR HIPAA Audits
Notification letters from KPMG included a request for documents and onsite review scheduling information.
Initial 20 entities selected for Phase 1 audits:
- Physicians – 3
- Hospitals – 3
- Pharmacy – 1
- Post-acute care facilities – 1
- Group health plans – 3
- Health insurance issuers – 3
- Clearinghouses – 2
- Dentist – 1
- Laboratory – 1
- Medicaid – 1
- State Children’s Health Insurance Program (SCHIP) – 1
Phase 1 Audit Findings
Categories of findings: general findings, privacy issues, security issues, breach notification.
Reasons for findings:
- Entity unaware of the requirements
- Lack of application of sufficient resources
- Incomplete implementation
- Complete disregard
Phase 1 Audit Lessons
- Don't wait until you get an audit letter to think about HIPAA compliance.
- Risk assessment and analysis are a big deal.
- Relevant training is crucial – all employees must understand their role.
- Addressable security standards are important – especially encryption.
- A binder of policies and procedures is not sufficient.
Phase 2 Audits – Scope and Selection
Scope
- OCR is concentrating on protected health information (PHI) security and the areas of non-compliance noted in Phase 1
- Audits include both CEs AND BAs
- Audits started in 2016 and will take place over 3 years
CE Selection
- Pre-audit screening surveys – Spring 2015
- Random selection of CEs through the National Provider Identifier (NPI) database and other external sources
BA Selection
- Screening surveys identified BAs
- IT-related BAs and non-IT-related BAs selected from the survey pool
HIPAA Audit Readiness
Each OCR priority item must have an appropriate action step:
- Risk Analysis and Risk Management
- Device & Media Controls
- Transmission Security
- Encryption
- Facility Access
- Breach Notification & Reporting
- Individual Right of Access to PHI
- Notice of Privacy Practices
- Training
- Defined Policies
Additional Steps to Prepare for Audits
Maintain a complete list of BAs with current contact information and an associated inventory of signed, upstream and downstream BA agreements.
Alternative Security Measures
If any of the Security Rule’s addressable implementation specifications have not been implemented, ensure that the following is formally documented:
- Why the implementation specification was not “reasonable” and “appropriate,” as defined by OCR
- The alternative security measures implemented
OCR Audit Reviews
- Data requests: response content, response timeline
- OCR evaluation of response: completion, clarifications
- Desk and on-site audits
- Feedback from OCR
Case Study
Small health system:
- Hospital
- Physician practices
- Outpatient departments
- Post-acute care facilities
Facts:
- Use of a contracted vendor for online bill payment
- Business Associate Agreement in place
- Unknown subcontractor
- Information security issue
- 8,500 patients affected
Additional Resources
- OCR’s security risk analysis tool for small providers: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool
- OCR and NIST guidance on the Security Rule, including links to relevant NIST publications: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
- Security risk analysis self-assessment
- Assessment tools and model policies and procedures for CEs and BAs

PERSHING YOAKLEY & ASSOCIATES, P.C.
800.270.9629 | www.pyapc.com
Susan Thomas, MHSA, CHC®, CIA, CRMA, CPC®
Consulting [email protected]