Presentation for GNYHA… · privacy, security and breach notification. Can include a physical...

Presentation for AITP "What You Need to Know to Be Prepared for HIPAA-HITECH and MU Audits from CMS and the OCR", Friday, October 10, 2014, 8am

Posted on 23-Aug-2020


TRANSCRIPT

Page 1: Presentation for AITP "What You Need to Know to Be Prepared for HIPAA-HITECH and MU Audits from CMS and the OCR"

Friday, October 10, 2014, 8am

Page 2: Table of Contents

About ComplyAssistant ... 4
Definitions ... 5
OCR and MU Audits – High Level Discussion ... 6
OCR Audits ... 8
MU Audits ... 12

Page 3: Table of Contents (continued)

MU Objectives and Measures ... 14
OCR Audit Scope ... 17
Prepare Now ... 29
Q+A ... 32
Contact Information ... 33

Page 4: About ComplyAssistant

We provide software and professional consulting services for healthcare IT and compliance.

The ComplyAssistant Software Application is a cloud portal for documenting and managing compliance activities:
- Rule content and guidance
- Secure communication / collaboration
- All evidence is centrally organized
- Unlimited regulations, even beyond MU
- The only client requirement is a supported browser (IE9 and above, Chrome, Firefox)

User training uses the "Train the Trainer" approach. No technical training is required.

The major recent focus of our professional consulting services has been HIPAA-HITECH Privacy, Security and Breach Notification Rule assessments, and the MU measure that requires an information security risk assessment of EMR systems.

Page 5: Definitions

OCR – Office of Civil Rights
MU – Meaningful Use of Certified EMR
EMR – Electronic Medical Record System
Certified – EMR has been tested and certified for technical safeguards
CE – Covered Entity under the rules
BA – Business Associate
EH – Eligible Hospital under the MU Rule
CAH – Eligible Critical Access Hospital under the MU Rule
EP – Eligible Professional (physician practices) under the MU Rule

Page 6: OCR and MU Audits – High Level Discussion

OCR Audits cover the HIPAA-HITECH Privacy, Security and Breach Notification Rules. All healthcare covered entities and BAs are eligible to be audited. Notice is 2 weeks.

MU Audits cover all objectives and measures of the MU Rule, and can occur after attestation either pre-payment (sooner) or post-payment (later).

Page 7: OCR and MU Audits – High Level Discussion

Our MU scope for this presentation is the MU measure that requires an information security risk assessment of certified EMR systems.

For both kinds of audits, covered entities must be able to provide documented evidence of due diligence and operational compliance in the form of policies and procedures, audits, assessments, risk mitigation, incident management, third-party contract and risk management, etc.

Page 8: OCR Audits

Based on the published OCR Audit Protocols, which translate into approximately 200 questions regarding information privacy, security and breach notification.

Can include a physical security walk-through of facilities along with random workforce interviews.

Can be proactive (2 weeks' notice) or reactive (based on an incident or a complaint).

Can apply to all healthcare covered entities (providers, payers, and clearinghouses), along with HIPAA-HITECH business associates.

Page 9: History and Statistics

OCR's Overall Cause Analysis for Phase 1 is as follows [1]:
- For every finding and observation cited in the audit reports, OCR has identified a "cause."
- The most common cause (30 percent) across all entities was "entity unaware of the requirement."
- Most of these related to elements of the rules that explicitly state what a CE must do to comply.

Page 10: History and Statistics

Other causes include:
- Lack of application of sufficient resources
- Incomplete implementation
- Complete disregard

In Phase 2 audits, OCR can select any CE along with a number of BAs that will be audited through the CEs. Selected CEs will receive notification and data requests in fall 2014. OCR will begin to select BAs for review in 2015.

Page 11: History and Statistics

In 2014, the plan is to audit as follows:
- Privacy: 33 health plans, 67 providers.
- Security: 45 health plans, 100 providers, and 5 clearinghouses.
- Breach Notification: 31 health plans, 65 providers, and 4 clearinghouses.

In 2015, the plan is to audit 50 BAs, all in security.

Keep in mind also that OCR will conduct reactive audits due to an incident such as a breach.

Page 12: MU Audits

Apply to eligible hospitals, critical access hospitals, and eligible professionals.

Long-term care healthcare organizations and certain physician practices are not eligible for MU incentive payments under the MU Rule.

Eligible healthcare organizations must implement certified EMR technology and meet measures that are defined for multiple stages (currently Stages 1 and 2 are final). Incentive payments are available in most cases from both state (Medicaid) and Medicare (federal) programs.

Page 13: MU Audits

EHs can receive millions of dollars in MU incentives; EPs can receive thousands.

Some or all of the MU incentive payments can be at risk during an audit, for example if an information security risk assessment was not conducted during the respective reporting timeframe for an MU Stage and Year.

Page 14: MU Objectives and Measures

MU requirements are organized into objectives and measures. For information security risk assessment, the objectives and measures are:

MU Core Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

MU Core Measure 15 for Stage 1: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Page 15: MU Objectives and Measures

MU Core Measure 16 for Stage 2: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the risk management process.

Page 16: MU Objectives and Measures

The MU measures reference §164.308(a)(1) Security Management – Implement policies and procedures to prevent, detect, contain, and correct security violations; specifically:

§164.308(a)(1)(ii)(A) Risk Analysis – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity; and

§164.308(a)(1)(ii)(B) Risk Management – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

Page 17: OCR Audit Scope

OCR audits basically cover the entire HIPAA-HITECH Privacy, Security and Breach Notification Rules. The following slides illustrate the standards and implementation specifications of each rule.

(Pages 18 to 28 are diagram slides; only their titles survive in the transcript.)

Page 18: HIPAA – HITECH Security Rule

Page 19: HIPAA – HITECH Security Rule

Page 20: HIPAA – HITECH Security Rule

Page 21: HIPAA – HITECH Security Rule

Page 22: HIPAA – HITECH Privacy Rule

Page 23: HIPAA – HITECH Privacy Rule

Page 24: HIPAA – HITECH Privacy Rule

Page 25: HIPAA – HITECH Privacy Rule

Page 26: HIPAA – HITECH Privacy Rule

Page 27: HIPAA – HITECH Privacy Rule

Page 28: HIPAA – HITECH Breach Notification Rule

Page 29: Prepare Now

- Get organized and implement an oversight governance committee.
- Do thorough assessments to identify gaps and to create a risk mitigation road map.
- Go for best practice in order to be ready for both OCR and MU audits.
- The major goal is to reduce the risk of a breach of PHI.
- Keep policies and procedures up to date.
- Conduct audits to confirm policy compliance.

Page 30: Prepare Now

Document, Document, Document:
- Policies
- Operational compliance (e.g. sanctions, training, testing of plans)
- Incidents and mitigation
- Physical security audits
- Other proactive audits
- BA agreements and assessments
- Risk mitigation
- Etc.

Page 31: ComplyAssistant

Page 32: Q+A

Any remaining questions? We can use this slide to document any questions that require follow-up.

Page 33: Contact Information

Gerry Blass
President & CEO
ComplyAssistant
www.complyassistant.com
732-845-9508 office
732-539-5827 mobile
[email protected]

Page 34: Thank You!!

"What You Need to Know to Be Prepared for HIPAA-HITECH and MU Audits from CMS and the OCR"

Friday, October 10, 2014, 8am