The document discusses an upcoming audit of healthcare organizations by the Office of Civil Rights (OCR) to ensure compliance with HIPAA regulations. It notes that enforcement is increasing, with recent settlements ranging from $25,000 to $3.9 million. The audit will have two phases, with the initial phase focusing on document requests and the potential for on-site visits. Organizations are advised to ensure their security risk analysis, policies and procedures are up to date and organized in an "audit binder" to facilitate document production for the audit. Proper preparation is important to avoid noncompliance findings or further enforcement action from OCR.
OCR Audits Are Coming – Is Your Organization Prepared?
1. OCR Audits Are Coming – Is Your Organization Prepared?
Presented by: Jason T. Lundy, Lisa J. Acevedo, Kathleen D. Kenney
2. Agenda
Current HIPAA Enforcement Landscape
Brief Overview of Phase I Audits
What to Expect in Phase 2
The Importance of Up-To-Date Security Risk Analysis and Policy/Procedure Documentation
How to Build Your “HIPAA Audit Binder”
Key Recommendations
3. Current Government Enforcement Landscape
Enforcement is on the rise!!
– In 2015, OCR settled 6 cases ranging from $125,000 to $3.5 million per settlement
– In 2016, OCR has already settled 5 cases and successfully imposed civil monetary penalties in 1 case, ranging from $25,000 to $3.9 million
OCR has taken heat in the past for its “toothless” enforcement efforts, but a whole new era has clearly arrived
4. Importance of Enforcement Actions to Audit Process
There are themes and trends in the underlying conduct
– OCR will be looking for these vulnerabilities when reviewing your documents
– Even if you are not selected for a Phase 2 audit, the lessons learned from these settlements are invaluable
• For future breach avoidance
• For future audit preparation
5. Recent Settlements/Enforcement Actions
Feinstein Institute for Medical Research (March 2016)
– Notified OCR of the theft of an unencrypted laptop from an employee’s car; the laptop contained ePHI of approximately 13,000 patients and research participants
– Agreed to pay $3.9 million and adopt a corrective action plan (CAP)
– Key compliance issues included: insufficient security management process; insufficient policies and procedures; and failure to implement safeguards to restrict access to unauthorized users
6. Recent Settlements/Enforcement Actions
Lahey Hospital and Medical Center (Nov. 2015)
– Notified OCR of the theft of an unencrypted laptop that was connected to a portable CT scanner; the hard drive contained PHI of 599 individuals
– Lahey agreed to pay $850,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
– Key compliance issues included: failure to conduct risk analysis; failure to physically safeguard ePHI; lack of unique user names; failure to implement policies and procedures
7. Recent Settlements/Enforcement Actions
Triple-S Management Company (Nov. 2015)
– Insurance holding company
– Agreed to pay $3.5 million and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
– Deficiencies included failure to conduct risk analysis; failure to implement sufficient security measures; disclosure of more PHI than was necessary to carry out mailings
8. Recent Settlements/Enforcement Actions
Raleigh Orthopedic Clinic, PA (Apr. 2016)
– Notified OCR of a breach after releasing x-ray films and related PHI of 17,300 patients to a vendor, which was to transfer the images to electronic media in exchange for harvesting the silver from the x-ray film
– OCR found that Raleigh Orthopedic Clinic failed to execute a business associate agreement with the vendor prior to turning over PHI
– Agreed to pay $750,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
9. Breaches Involving Hacking Incidents
Anthem
– Almost 80 million individuals affected
– Cyber-attackers accessed social security numbers, medical ID numbers, names, addresses and birth dates
Premera Blue Cross
– 11 million individuals affected
– Discovered in January 2015 that hackers had been accessing PHI since May 2014
Community Health Systems
– Estimated 4.5 million individuals affected
– A hacker in China bypassed CHS’ security measures and accessed patient names, addresses, birthdates, telephone numbers and social security numbers
10. Overview of Phase 1 Audits
OCR contracted with KPMG to conduct the audits ($9.2 million contract)
OCR stratified CEs into 4 tiers, seeking a wide range of entity types and sizes
Phase 1 audits took a “kitchen sink” approach
115 audits conducted (47 health plans; 61 providers; 7 clearinghouses); all audits included on-site visits
11. Phase 1 Lessons Learned
Improve the document collection process (from notification through document collection throughout the audit)
Address timing and staffing issues (on-site audits ranged from 3-10 days)
Use a representative sampling method
Prioritize focus on the high-risk areas identified
12. Phase 1 Audit Results
[Chart: Phase 1 Results – Areas of Noncompliance]
The most common cause of noncompliance = covered entity was unaware of the requirement.
13. Phase I versus Phase II
FCi Federal contract awarded ($1 million)
Verifying contact information and learning more about the CE on the front end
Desk audits prior to on-site audits
Phase 2 desk audits focus on specific areas identified as high risk in Phase 1
Likely less leniency with respect to extensions, etc.
14. Status of HIPAA Audit Program
Phase 2 Audits:
– Notification of potential selection has begun
• Contact verification notification emails have been sent
• Audit pre-screening questionnaire will follow
– Questions intended to identify whether the entity is a Covered Entity (Health Care Provider, Health Plan or Health Care Clearinghouse) or a Business Associate.
• Purpose of these communications is to create a diverse audit pool
15. Can I Avoid Being Chosen?
Entities that Fail to Respond May Still be Selected
• Failing to respond could create the opposite effect!
Entities with Open Investigations Should not be Selected
• Note: we are aware of such entities receiving the initial notification communications
16. Past Compliance History
Impact of Past Compliance History
– Unclear if/when/how OCR will take this into account
• Should not impact desk audit selection process
• May impact whether an organization is selected for an onsite audit
– The under-500 breach report logs can be a source for identifying systemic compliance issues
17. Audit Structure
Scope of Auditees
• Covered Entities and Business Associates
Type of Audit
• “Desk” audits first
» Conducted via document requests
• Onsite audits to follow
18. Focus of Phase 2 Audits
Areas of focus for desk audits
• Likely to focus on…
1. Security risk analysis and risk management
2. Notice of Privacy Practices
3. Breach Notification letters – content and timeliness
4. Individual’s Right to Access PHI
– OCR Audit Protocol
• Updated protocol published on OCR’s website
Areas of focus for onsite audits
• Intended to be more comprehensive than desk audit
19. Audit Timeline
Phase 2 Audits:
– Timeline
• Desk audits: 10 days to respond!
– Responsive documents must be submitted electronically via OCR secure portal
– Auditors will send draft findings and you have 10 days to provide written comments to the draft report
– Final report due back from auditors within 30 business days
– All Phase 2 desk audits are scheduled to be concluded by December 2016
20. Onsite Audit Timeline and Impact
To be Conducted Onsite over 3 to 5 Business Days
– Auditors will send draft findings and you have 10 days to provide written comments to the draft report
• Final report due back from auditors within 30 business days
Impact
– OCR has reserved the right to initiate a compliance review against an audited entity if the audit uncovers a serious compliance issue
21. Key Desk Audit Documents
Up-to-Date Security Risk Analysis
– This is the foundation of your HIPAA Security Rule program
• Phase 1 identified significant non-compliance
• Failure to conduct one was a key contributing factor in many of the large breaches and enforcement actions
– Be prepared to demonstrate that the risk analysis is current; it is also possible that OCR will ask for documentation from years past
22. Key Desk Audit Documents
Risk Management Plan
– Plan to address vulnerabilities found in the risk analysis
– Review status of commitments made in this plan
– Ensure all mitigation efforts have been documented in a form/format that can be easily produced
23. Risk Analysis Documentation Tool
Critical to Review Your Documentation!
– Ideally, the documentation should be easy for an auditor to review, understand and map to the Security Rule requirements
• Examples of less effective documentation
• Double check the focus of reports created by third parties
We can Help!
– Polsinelli’s Risk Analysis tool
24. Key Desk Audit Documents
Policies, Procedures, Compliance Documents
– Patient Right to Access
• Can you demonstrate timeliness?
• Review recent OCR guidance
– If you are using HIPAA authorization forms for access requests, you need to change that process
– Check your NPPs!
25. Key Desk Audit Documents
Breach Notification letters – ensure letters to affected individuals meet the content and timeliness requirements
– Be prepared to submit samples
If you have not had an incident rise to the level of a reportable breach, you may want to be prepared to produce your 4-factor risk assessments for such incidents
26. Preparing for an Onsite Audit
More Comprehensive
– Review the OCR Audit Protocol – be prepared to produce representative samples to demonstrate compliance
– Prepare as if you will be selected for an onsite audit
• Preparation is time-consuming
• You do not want to have staff running around looking for documents while the auditors are onsite
• Build your HIPAA Audit Binder!
27. Building Your HIPAA Audit Binder
Organization is key – make it as easy as possible for OCR/contractor to review your documentation
Be prepared to produce policies and procedures, but also key forms and possibly representative samples
Ensure updates to documentation are apparent (particularly with regard to risk analysis)
28. Key Takeaways/Recommendations
• Confirm with IT that you have recently performed and documented an accurate and thorough risk analysis and risk mitigation plan
• Encrypt!! Especially mobile devices!! If PHI is not encrypted, ensure you have the appropriate documentation in place specifying the equivalent alternative measures.
• Review and organize your policies and procedures, BAAs, and other key documentation
• Train and re-train your employees
• Prepare for an onsite audit. Valuable even if your organization is never selected; will help decrease risk of breaches and complaints
• Learn from mistakes of other organizations and use as teaching opportunities
29. Key Takeaways/Recommendations
***Keep in mind the OCR Audit Program is a Permanent Program
• If you are not selected for a Phase 2 audit, you should still be evaluating your organization’s HIPAA compliance program to prepare for the next round of audits
• Preparation is ultimately worthwhile and cost effective because it will help improve your compliance program and decrease risk of costly breaches
30. We Can Help!
Polsinelli’s Audit Preparation Tool and Services
– Phase 1:
• Off-site: Review of your organization’s HIPAA privacy and security materials (BAAs (for those that are business associates, your sub-contractor BAAs), NPPs, privacy and security policies and procedures, key forms, risk analyses, risk management plan, etc.)
• On-site: Mock OCR audit at your organization; interview employees and collect representative samples
31. Polsinelli’s Audit Preparation Services
Phase 2:
– Analysis and findings from Phase 1
• We will identify any deficiencies, best practices, areas of risk, and make recommendations for changes and improvement
– Conference call with your compliance or legal team to discuss findings, recommendations, and to prepare for Phase 3
32. Polsinelli’s Audit Preparation Services
Phase 3:
– Provide a formal report of audit findings and recommendations.
– Provide an educational in-service to your compliance team relating to the audit, areas of risk, recommendations for improvement, etc.
• The educational in-service may be presented in person or as a webinar.
33. Questions?
Feel free to contact us for more information:
– Jason Lundy: jlundy@polsinelli.com
– Lisa Acevedo: lacevedo@polsinelli.com
– Katie Kenney: kdkenney@polsinelli.com