Presentation for
AITP "What You Need to Know to Be Prepared for HIPAA-HITECH and MU Audits from CMS and the OCR"
Friday, October 10, 2014
8am
1
Table of Contents
About ComplyAssistant ... 4
Definitions ... 5
OCR and MU Audits – High Level Discussion ... 6
OCR Audits ... 8
MU Audits ... 12
2
Table of Contents
MU Objectives and Measures ... 14
OCR Audit Scope ... 17
Prepare Now ... 29
Q+A ... 32
Contact Information ... 33
3
About ComplyAssistant
We provide software and professional consulting services for healthcare IT and compliance.
ComplyAssistant Software Application is a cloud portal for documenting and managing compliance activities:
Rule content and guidance
Secure communication / collaboration
All evidence is centrally organized
Unlimited regulations, even beyond MU
Only client requirement is for a supported browser (IE9 and above, Chrome, Firefox)
User training utilizes the “Train the Trainer” approach.
No technical training is required.
The major recent focus of our professional consulting services has been HIPAA-HITECH Privacy, Security and Breach Notification Rule assessments, and the information security risk assessment of EMR systems required by the MU measure.
4
Definitions
OCR – Office of Civil Rights
MU – Meaningful Use of Certified EMR
EMR – Electronic Medical Record System
Certified – EMR has been tested and certified for technical safeguards.
CE – Covered entity under the rules
BA – Business Associate
EH – Eligible hospital under the MU rule.
CAH – Eligible critical access hospital under the MU Rule.
EP – Eligible Professional (physician practices) under the MU Rule.
5
OCR and MU Audits – High Level Discussion
OCR Audits cover HIPAA-HITECH Privacy, Security and Breach Notification rules.
All healthcare covered entities and BAs are eligible to be audited.
Notice is 2 weeks.
MU Audits cover all objectives and measures of the MU Rule, and can occur after attestation either pre-payment (sooner) or post-payment (later).
6
OCR and MU Audits – High Level Discussion
Our MU scope for this presentation is the MU measure that requires an information security risk assessment of certified EMR systems.
For both kinds of audits, covered entities must be able to provide documented evidence of due diligence and operational compliance in the form of policies and procedures, audits, assessments, risk mitigation, incident management, third-party contract and risk management, etc.
7
OCR Audits
Based on published OCR Audit Protocols, which translate into approximately 200 questions regarding information privacy, security and breach notification.
Can include a physical security walk-through of facilities along with random workforce interviews.
Can be proactive (2-week notice) or reactive (based on an incident or a complaint).
Can apply to all healthcare covered entities (providers, payers, and clearinghouses), along with HIPAA-HITECH business associates.
8
History and Statistics
OCR's Overall Cause Analysis for Phase 1 is as follows:
For every finding and observation cited in the audit reports, OCR has identified a "cause."
The most common cause (30 percent) across all entities was "entity unaware of the requirement."
Most of these related to elements of the rules that explicitly state what a CE must do to comply.
9
History and Statistics
Other causes include:
Lack of application of sufficient resources
Incomplete implementation
Complete disregard
In Phase 2 audits, OCR can select any CE along with a number of BAs that will be audited through the CEs.
Selected CEs will receive notification and data requests in fall 2014. OCR will begin to select BAs for review in 2015.
10
History and Statistics
In 2014, the plan is to audit as follows:
Privacy: 33 health plans, 67 providers.
Security: 45 health plans, 100 providers, and 5 clearinghouses.
Breach Notification: 31 health plans, 65 providers, and 4 clearinghouses.
In 2015, the plan is to audit 50 BAs, all in security.
Also keep in mind that the OCR will conduct reactive audits due to an incident such as a breach.
11
MU Audits
Apply to eligible hospitals, critical access hospitals, and eligible professionals.
Long-term care healthcare organizations and certain physician practices are not eligible for MU incentive payments under the MU rule.
Eligible healthcare organizations must implement certified EMR technology and meet measures that are defined for multiple stages (currently stages 1 and 2 are final); incentive payments are available in most cases from both state (Medicaid) and Medicare (federal) programs.
12
MU Audits
EHs can receive millions of dollars in MU incentives; EPs can receive thousands.
Some or all of the MU incentive payments can be at risk during an audit, for example if an information security risk assessment was not conducted during the respective reporting timeframe for an MU Stage and Year.
13
MU Objectives and Measures
MU requirements are organized into objectives and measures.
For information security risk assessment, the objectives and measures are:
MU Core Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
MU Core Measure 15 for Stage 1: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
14
MU Objectives and Measures
MU Core Measure 16 for Stage 2: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the risk management process.
15
MU Objectives and Measures
The MU measures reference §164.308(a)(1) Security Management – Implement policies and procedures to prevent, detect, contain, and correct security violations; specifically §164.308(a)(1)(ii)(A) Risk Analysis – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity; and §164.308(a)(1)(ii)(B) Risk Management – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
16
OCR Audit Scope
OCR audits basically cover the entire HIPAA-HITECH Privacy, Security and Breach Notification Rules.
The following slides illustrate the standards and implementation specifications of each rule.
17
HIPAA – HITECH Security Rule
[Slides 18–21: Security Rule standards and implementation specifications; slide content not captured in this transcript]
HIPAA – HITECH Privacy Rule
[Slides 22–27: Privacy Rule standards and implementation specifications; slide content not captured in this transcript]
HIPAA – HITECH Breach Notification Rule
[Slide 28: Breach Notification Rule standards and implementation specifications; slide content not captured in this transcript]
Prepare Now
Get organized and implement an oversight governance committee.
Do thorough assessments to identify gaps and to create a risk mitigation road map.
Go for best practice in order to be ready for both OCR and MU audits.
The major goal is to reduce the risk of a breach of PHI.
Keep policies and procedures up to date.
Conduct audits to confirm policy compliance.
29
Prepare Now
Document, Document, Document:
Policies
Operational compliance (e.g. sanctions, training, testing of plans)
Incidents and mitigation
Physical security audits
Other proactive audits
BA agreements and assessments
Risk mitigation
Etc.
30
ComplyAssistant
31
Q+A
Any remaining questions?
We can use this slide to document any questions that require follow-up.
32
Contact Information
Gerry Blass
President & CEO
ComplyAssistant
www.complyassistant.com
732-845-9508 office
732-539-5827 mobile
33
Thank You!!
"What You Need to Know to Be Prepared for HIPAA-HITECH and MU Audits from CMS and the OCR"
Friday, October 10, 2014
8am
34