OCR-HHS HIPAA/HITECH Audit Preparation
The HITECH Act authorizes HHS to conduct periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules. As a result, OCR, through the use of KPMG audit services, has begun to develop a pilot audit program.
Audits will give OCR an ability to assess privacy and security protections and compliance issues on a systemic level, and to identify potential vulnerabilities to help entities prevent problems before they occur. This will complement the incident-based work that HHS currently conducts with respect to investigations.
Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy; and observation of compliance with regulatory requirements.
After each site visit KPMG will submit an audit report. Audit reports consist of the following information:
• Best practices noted
• Raw data collection materials such as completed checklists and interview notes
• Future oversight recommendations
• Findings (if any):
  o The defect or noncompliant status observed, and evidence of each
  o A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
  o The reason that the condition exists, along with identification of supporting documentation used
  o Recommendations for addressing each finding
• Acknowledgement of any best practice(s) or success(es)
• Overall assessment
In addition, OCR will decide on the resolution approach for each finding based on the severity of the finding.
EHR 2.0 OCR HIPAA audit advisory services help healthcare organizations prepare for the audit by:
1) Assessing the current policies and procedures
2) Identifying key gaps and risk areas based on ePHI created, transmitted, received and stored
3) Training
4) Risk analysis
5) Plans to mitigate risks identified
Visit our OCR audit resource section to learn more: http://ehr20.com/ocr-hhs-hitech-hipaa-audit-resources/
  • This pie chart gives you an idea of the numbers involved in the total stimulus of 2009, though much of the money was dedicated to longer term projects. We see that the expenditures under HITECH were only budgeted at 5% of the stimulus.
  • Will be discussing txn. sets in unit 2. HITECH changed the privacy and security landscape by imposing a direct legal obligation on business associates (“BAs”) of entities covered by HIPAA’s requirements (“covered entities,” or “CEs”) to comply with many new and existing requirements under the HIPAA privacy regulations (“Privacy Rule”) and security regulations (“Security Rule”). Further, HITECH imposes new data breach notification obligations on CEs and BAs and enhances enforcement authority with respect to HIPAA violations. New Privacy Requirements for Business Associates (we will define BA and Breach in more detail a bit later):
    o Breach notification
    o Use and disclosure limitations apply directly to business associates
    o Minimum necessary principle applies directly; must use limited datasets
    o Increased penalties
    o Business Associates directly liable for violations
    o Business Associate Agreements must be amended
    o Business Associates must impose the same requirements on subcontractors that access PHI
  • Brief overview of this with emphasis on where we are going later.
  • What do you think: does HIPAA apply to every organization or just to some? Refer to the link for the workflow to decide whether your organization is a covered entity.
  • This is the sample letter covered entities would get if they’re part of audit
  • As per OCR, the selected entities will be audited based on government auditing standards, which are available in our resources section
  • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html (2011 and 2012)
  • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
  • Each fallacy needs to be supported with some example from the real world
  • Any device that electronically stores or transmits information using a software program:
    o Computers include PCs/Laptops/Desktops
    o Networking – To connect internal and external parties
    o Medical Devices – E.g., RFID Devices (CIA + Accountability)
    o Scanners, Fax Machines and Photocopiers are not considered technology assets by many folks
    o VoIP phones
    o Mobile devices like smart phones and tablets (iPad)
    o Any information stored on the internet is stored somewhere on the cloud, which has less control
  • http://www.securedgenetworks.com/secure-edge-networks-blog/bid/54690/4-Healthcare-Technology-Trends-from-HIMSS11
  • CDC Survey
  • An HIE automates the transfer of health-related information that is typically stored in multiple organizations, while maintaining the context and integrity of the information being exchanged. An HIE provides access to and retrieval of patient information to authorized users in order to provide safe, efficient, effective and timely patient care. Formal organizations have been formed in a number of states and regions that provide technology, governance and support for HIE efforts. Those formal organizations are termed health information organizations (HIO) or even regional health information organizations (RHIO). Key: multi-directional.
  • Rao – we need to provide details on HIPAA compliance for cloud based services. This is brand new area and needs to be discussed thoroughly. Srini
  • Identify the privacy/security legal requirements that apply to your organization, whether by law, regulation or contract:
    o Driven by industry sector, type of information and jurisdiction
    o Laws, regs, contracts, enforcement are all sources of law
  • Adopt measures to address those requirements:
    o Administrative (policies, procedures, training, governance, etc.)
    o Physical
    o Technical
    o Program must be fully documented
    o Program must be periodically assessed and updated (often required by law, but always a good idea)
  • Review your privacy notices (web, hard copy, etc.):
    o Legal requirements
    o Overpromising
    o Leaving out material information
    o Including how a cloud provider’s involvement implicates privacy promises
  • Create a breach response plan:
    o Not just a security incident response plan
    o Notification plan
    o Understand exposure to regulators, clients, customers, banks in advance
  • Who is you, yourself? Who does what?

    1. OCR/HHS HIPAA/HITECH Audit Preparation
    2. Webinar Objectives
       To provide knowledge and background information on the OCR/HHS HIPAA/HITECH audit program and to provide guidelines for preparing and keeping records.
       E-mail: info@ehr20.com
    3. Who are we …
       EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.
       • Education (Training, Webinar & Workshops)
       • Consulting Services
       • Toolkit (Tools, Best Practices & Checklist)
       Goal: To make compliance an enjoyable and painless experience, while building capability and confidence.
    4. Glossary
       1. HHS, OCR, DOJ and SAG:
       2. PHI:
       3. Findings:
       4. HIPAA: Health Insurance Portability and Accountability Act
       5. HITECH: Health Information Technology for Economic and Clinical Health Act
    5. HITECH
       HITECH modifications to HIPAA including:
       • Creating incentives for developing a meaningful use of electronic health records
       • Changing the liability and responsibilities of Business Associates
       • Redefining what a breach is
       • Creating stricter notification standards
       • Tightening enforcement
       • Raising the penalties for a violation
       • Creating new code and transaction sets (HIPAA 5010, ICD10)
    6. Why do you need to care about OCR/HHS Audit (Enforcement)?
       • Federal Mandate
       • Penalties (CMP) for non-compliance
       • Reputation risk
       • Business risk
       • Increased number of breaches and attacks
    7. Common fallacies related to OCR audit
       • “Our compliance officer handles everything – there’s no need to involve anyone else.”
       • “We’re compliant; therefore, we’re secure.”
       • “The last time we had an audit they didn’t find anything of concern.”
       • “We have a security policy to keep our systems protected.”
       • “We have a certified EHR system.”
    8. Why OCR/HHS audit? (HHS Version)
       • To assess HIPAA compliance efforts by a range of covered entities
       • Opportunity to examine mechanisms for compliance and identify best practices
       • Discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews
    9. Enforcement Authorities
       • Office for Civil Rights (OCR)
         o Investigating complaints filed with HHS
         o Impose civil money penalties
       • Department of Justice (DOJ)
         o Investigates criminal violations
       • State Attorney General (SAG)
         o Civil actions on behalf of state residents
         o Civil Money Penalties
    10. HIPAA Titles - Overview
    11. HIPAA Security Rule
    12. Information Security Model
       • Confidentiality: Limiting information access and disclosure to authorized users (the right people)
       • Integrity: Trustworthiness of information resources (no inappropriate changes)
       • Availability: Availability of information resources (at the right time)
    13. Covered Entity
       HIPAA applies to any entity that is a:
       • Health care provider - of services as a provider of medical or other health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business
       • Health care clearinghouse - public or private entity that does billing services, re-pricing companies, community health management information systems or community health information systems, etc.
       • Health plan - means an individual or group plan that provides, or pays the cost of, medical care
       https://www.cms.gov/hipaageninfo/downloads/CoveredEntityCharts.pdf
    14. Business Associates
       A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate.
       Examples:
       • A third party administrator that assists a health plan with claims processing.
       • A CPA firm whose accounting services to a health care provider involve access to protected health information.
       • An attorney whose legal services to a health plan involve access to protected health information.
       • A consultant that performs utilization reviews for a hospital.
       • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
       • An independent medical transcriptionist that provides transcription services to a physician.
       • A pharmacy benefits manager that manages a health plan’s pharmacist network.
    15. OCR HITECH Audit Status
       • KPMG to conduct 150 during 2012
       • 20 audits completed
       • In the pilot phase, OCR is auditing eight health plans, two claims clearinghouses plus 10 provider organizations, including three hospitals, three physicians offices, and a laboratory, a dental office, a nursing/custodial facility and a pharmacy.
    16. How does HHS notify healthcare organizations of an audit?
       Sample letter
    17. Federal Audits
       241 Pages
    18. OCR Audit Schedule
       Every covered entity and business associate is eligible for an audit. (From HHS.gov site)
    19. OCR Audit Program
       Civil Money Penalties
    20. (no text on slide)
    21. Top 5 issues investigated
       Year | Issue 1                          | Issue 2    | Issue 3 | Issue 4           | Issue 5
       2010 | Impermissible Uses & Disclosures | Safeguards | Access  | Minimum Necessary | Notice
       2009 | Impermissible Uses & Disclosures | Safeguards | Access  | Minimum Necessary | Complaints to Covered Entity
       2008 | Impermissible Uses & Disclosures | Safeguards | Access  | Minimum Necessary | Complaints to Covered Entity
    22. How to organize for an OCR/HHS Audit?
       • Policies and procedures
       • Risk Analysis
       • Documentation Mgmt.
       • OCR Compliance Audit
       • BA Agreement and Contracts
       • Training
    23. Policies and Procedures
       • Physical Security Policy
         o Maintenance record
         o Disposal
         o Access
       • Information Security Policy
         o Access Policy
         o Sanction Policy
       • Contingency Plan Policy
       • Security Incident Procedure/Breach
    24. Documentation
       • Privacy and Security Notices
       • Health Record Request Log
       • Training Logs
       • PHI/Chart Access Review
    25. Business Associate Cycle (Covered Entity, BA, HHS/OCR, Sub-contractors)
       • Covered Entity and BA:
         o BA Contract
         o Breach Notification
         o Assessment (Tier 1)
       • BA and Sub-contractors:
         o HIPAA Privacy and Security Rule
         o Minimum Necessary
         o Breach Notification
    26. Sample Risk Analysis Template (Impact vs. Likelihood)
       Impact \ Likelihood | High                                          | Medium                                                  | Low
       High                | Unencrypted laptop ePHI                       | Lack of auditing on EHR systems                         | Missing security patches on web server hosting patient information
       Medium              | Unsecured wireless network in doctor’s office | Outdated anti-virus software                            | External hard drives not being backed up
       Low                 | Sales presentation on USB thumb drive         | Web server backup tape not stored in a secured location | Weak password on internal document server
    27. PHI
       Health Information > Individually Identifiable Health Information > PHI
    28. ePHI – 18 Elements
       Elements | Examples
       Name | Max Bialystock
       Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code) | 1355 Seasonal Lane
       Dates related to an individual | Birth, death, admission, discharge
       Telephone numbers | 212 555 1234, home, office, mobile etc.
       Fax number | 212 555 1234
       Email address | LeonT@Hotmail.com, personal, official
       Social Security number | 239-68-9807
       Medical record number | 189-88876
       Health plan beneficiary number | 123-ir-2222-98
       Account number | 333389
       Certificate/license number | 3908763 NY
       Any vehicle or other device serial number | SZV4016
       Device identifiers or serial numbers | Unique Medical Devices
       Web URL | www.rickymartin.com
       Internet Protocol (IP) address numbers |
       Finger or voice prints | finger.jpg
       Photographic images | mypicture.jpg
       Any other characteristic that could uniquely identify the individual |
    29. Trends in Healthcare IT
       Informatics, Collaboration, Mobile Computing, EHR, HIE
    30. Handheld Usage in Healthcare
       • 25% usage with providers
       • Another 21% expected to use
       • 38% physicians use medical apps
       • 70% think it is a high priority
       • 1/3 use hand-held for accessing EMR/EHR
       (compTIA 2011 Survey)
    31. EMR and EHR systems
    32. Health Information Exchange (HIE)
    33. Social Media
       • How does your practice use it?
       • How do your employees use it?
       • Do you have policies?
    34. Cloud-based services
       • Public Cloud
       • Private Cloud
       • Hybrid
       Services: EHR Applications; Private-label e-mail; Archiving of Images; File Sharing; On-line Backups
       HIPAA regulations remain barriers to full cloud adoption.
       Cloud Computing is taking all batch processing, and farming it out to huge central or virtualized computers.
    35. Top 5 Recommendations
       1. Ensure encryption on all protected health information in storage and transit (at least de-identification).
       2. Implement a mobile device security program.
       3. Strengthen information security user awareness and training programs.
       4. Ensure that business associate due diligence includes a clearly written contract and a periodic assessment of tier 1 BAs.
       5. Minimize sensitive data capture, storage and sharing.
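The identifier list on slide 28 and the de-identification point in recommendation 1 on slide 35 are the places where a concrete technical control can be shown. The following Python script is an added example written for this page; it is not EHR 2.0's code and was not part of the webinar. It scans a constructed clinical note for the few ePHI elements that have a recognisable format (Social Security number, telephone/fax, e-mail address, IP address, web URL) and redacts them. The regular expressions and the sample note are assumptions for illustration: they cover only five of the 18 elements, because names, addresses, dates, medical record and account numbers have no fixed format that a pattern can reliably catch and need data-aware controls instead.

```python
"""Added example (not from the EHR 2.0 deck): a minimal pattern-based scan for a
few of the 18 ePHI identifiers listed on slide 28, followed by redaction.
Only identifiers with a recognisable format are covered; the patterns below are
assumptions for illustration and must be tuned to the record formats you hold."""
import re

# Identifier types that can be found by shape alone (assumed patterns).
IDENTIFIER_PATTERNS = {
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone_or_fax":       re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"),
    "email_address":          re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address":             re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web_url":                re.compile(r"\b(?:https?://|www\.)[^\s,;]+", re.IGNORECASE),
}

# Redaction order: longer, more specific shapes first so that a URL or e-mail
# containing digits is never partially consumed by the phone or IP pattern.
REDACTION_ORDER = (
    "web_url",
    "email_address",
    "social_security_number",
    "ip_address",
    "telephone_or_fax",
)


def find_identifiers(text):
    """Return (identifier_type, matched_text, start_offset) tuples, ordered by position."""
    hits = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0), match.start()))
    return sorted(hits, key=lambda hit: hit[2])


def redact(text):
    """Replace every recognised identifier with a bracketed type marker."""
    for kind in REDACTION_ORDER:
        text = IDENTIFIER_PATTERNS[kind].sub(f"[{kind.upper()}]", text)
    return text


def uncovered_elements():
    """ePHI elements from slide 28 that this format-based scan cannot detect;
    they need field-level controls (schema knowledge, lookups) rather than regexes."""
    return [
        "Name", "Address", "Dates related to an individual",
        "Medical record number", "Health plan beneficiary number",
        "Account number", "Certificate/license number",
        "Vehicle or device serial number", "Finger or voice prints",
        "Photographic images", "Any other unique characteristic",
    ]


# Constructed sample note built from the placeholder values printed on slide 28.
SAMPLE_NOTE = (
    "Patient Max Bialystock, SSN 239-68-9807, phone 212 555 1234, "
    "e-mail LeonT@Hotmail.com, portal www.rickymartin.com, "
    "last login from 10.0.0.5."
)

if __name__ == "__main__":
    for kind, value, offset in find_identifiers(SAMPLE_NOTE):
        print(f"{offset:4d}  {kind:24s} {value}")
    print(redact(SAMPLE_NOTE))
    print("Not detectable by pattern:", ", ".join(uncovered_elements()))
```

Running the script lists five hits and prints the note with the five values replaced by markers, while the patient name survives untouched. That last point is the one worth taking from the example: a regex scan is a useful check that obviously-shaped identifiers have not leaked into logs, exports or e-mail, but it is not de-identification on its own, and the encryption recommendation on slide 35 still applies to everything the scan cannot see.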
    36. What happens after an OCR/HHS audit?
       OCR will attempt to resolve the case with the covered entity by obtaining:
       1. Voluntary compliance
       2. Corrective action which might include penalty
       3. Resolution agreement
       OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.
    37. Where do you start?
       • Identify privacy/security requirements (Contract, Law, Legal, Regulation)
       • Adopt & Develop Program (Security Model/Framework; Breach/Incident Management; Administrative, Technical and Physical)
       • Assess the program
       • Review
       Supporting activities: Document, Monitor, Governance, Improve
    38. Key Takeaways
       • HITECH act enforces HIPAA guidelines with new audit, penalties, notification requirements etc.
       • ePHI elements drive the security and compliance requirements
       • There is no silver bullet for audit issues. It is a journey of continuous assessment and improvement
    39. References
       http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
       http://ehr20.com/resources
       http://www.natlawreview.com/practice-groups/healthcare-HIPPA-Stark-law-professional-licensing-Medicare-Medicaid-fraud-abuse-audits-kickback-false-claims
    40. Next Steps
       Don’t wait till the last minute
       Sample policies and procedures kit with 4-hour OCR audit advisory consulting ($1500): http://ehr20.com/services/
       Next Live Webinars:
       • Social Media Compliance for Healthcare Professionals (4/11/2012)
       • Meaningful Use Security Risk Analysis (4/18/2012)
       Sign-up at ehr20.com/webinars
    41. Questions?
       E-mail: info@ehr20.com
       Call: 802-448-2255
    42. Thank you!!