The OCR Audits Season is About to Begin
June 10, 2014
Get Your Ducks in a Row
ID Experts www2.idexpertscorp.com
Presenters
Rebecca Williams, RN, JD
Co-Chair, Health Information
Practice Davis Wright Tremaine
Mahmood Sher-Jan, CHPC
VP and GM, RADAR Product Unit
ID Experts
Agenda
• OCR Phase 2 Audit scope, process and timeline
• Changes you can expect in Phase 2 audit and how they
could impact you
• How to prepare for them based on a risk based approach
• Breach notification rule
– Stages of the rule’s evolution
– Regulatory Obligation for CEs & BAs
– Audit readiness
• Questions
Audit Program Mandate
• Reasonably new enforcement approach under HIPAA
• HITECH Act, part of the American Recovery and Reinvestment
Act of 2009
– Requires HHS to provide for periodic audits to ensure covered entities and
business associates are complying with the HIPAA Privacy, Breach Notification
and Security Rules
– Section 13411 – Audits
Multi-year Phase 1 − How Did We Get Here?
Description                                     Vendor               Status/Timeframe
Audit program development study                 Booz Allen Hamilton  Closed 2010
Covered entity identification and cataloguing   Booz Allen Hamilton  Closed 2011
Develop audit protocol and conduct audits       KPMG                 Closed 2011-2012
Evaluation of audit program                     PwC                  Closed 2013
Phase 1: Pilot 2011 – 2012
• Phase 1 of the HIPAA Audits
• Conducted 115 performance audits through 12/2012
• Two parts:
– Initial 20 audits to test original audit protocol
– Final 95 audits using modified audit protocol
• Covered broad range of topics regarding
adherence with HIPAA standards
Overall Findings & Observations
• No findings or observations for 11% of the entities
  (2 providers, 9 health plans, 2 clearinghouses)
• Security accounted for 60% of findings and observations, although only
  28% of the potential total
• Providers had a greater proportion of findings and observations (65%)
  than reflected by their proportion of the total set (53%)
• Smaller, Level 4 entities struggle with all three areas
Privacy Findings & Observations
[Pie chart: Percentage of Findings and Observations by Area of Focus; slices
of 20%, 2%, 16%, 18% and 44% across the following areas]
• Notice of Privacy Practices for PHI
• Right to Request Privacy Protection for PHI
• Access of Individuals to PHI
• Administrative Requirements
• Uses and Disclosures of PHI
Security Results
• 58 of 59 providers had at least one Security finding or observation
• 2/3 of entities had no complete, accurate risk analysis
  – 47 of 59 providers
  – 20 of 35 plans
  – 2 of 7 clearinghouses
• Addressable implementation specifications: most entities without a
  finding or observation met the standard by fully implementing the
  addressable specification
Security Elements
[Pie chart: Percentage of Audit Findings and Observations by Area of Focus;
slices of 12%, 14%, 7%, 18%, 4%, 14%, 8%, 14% and 9% across the following
areas]
• Risk Analysis
• Access Management
• Security Incident Procedures
• Contingency Planning and Backups
• Workstation Security
• Media Movement and Destruction
• Encryption
• Audit Controls and Monitoring
Breach Notification Findings
• Notification to individuals
• Timeliness of notice
• Method of notification to individuals
• Burden of proof
Overall Cause Analysis
• For every finding and observation cited, the audit identified a "Cause."
• Most common across all entities: entity unaware of the
requirement
– In 30% (289 of 980 findings and observations)
• 39% (115 of 293) of Privacy
• 27% (163 of 593) of Security
• 12% (11) of Breach Notification
– Most related to explicit requirements
• Other causes noted included:
– Lack of application of sufficient resources
– Incomplete implementation
– Complete disregard
Cause Analysis – Top Elements
Unaware of the Requirement
Privacy
• Notice of Privacy Practices
• Access of Individuals
• Minimum Necessary
• Authorizations
Security
• Risk Analysis
• Media Movement and Disposal
• Audit Controls and Monitoring
Phase 2: Who Can Be Audited?
• Any Covered Entity
  – Health plans of all types
  – Health care clearinghouses
  – Individual and organizational providers
• Any Business Associate
  – Selection through covered entities
Phase 2 Covered Entity Pool
• Have a pool of covered entities eligible for audit
– Health care providers selected through NPI database
– Clearinghouses & Health Plans from external databases (e.g., AHIP)
• Random selection used when possible within types
• Wide range (e.g., group health plans, physicians and group
practices, dental, hospitals, laboratories)
Pre-audit – Timing of Audit
Spring
• Address verification
Summer
• "Pre-survey" for on-line screening
– Questions address size measures, location, services, best contacts
– Expect to contact 550-800 entities
Fall
• Notification and data request letters to selected entities –
Anticipate 350 covered entities
• Two weeks for entity response
Audit 2015: Business Associates
• Covered entities will be asked to identify their business
associates and provide their current contact information
• Will select business associate audit subjects for 2015 first
wave from among those identified by covered entities
Phase 2 Audit Distribution Projections
Entity Type          Privacy   Breach   Security
Covered Entities       100       100      150
• Health Plans          33        31       45
• Providers             67        65      100
• Clearinghouses         -         4        5
Phase 2 Protocol Criteria
• Updated protocols
– Reflect Omnibus Rule changes
– More specific test procedures
• Sampling methodology
• Target provisions that were
the source of a high number
of compliance failures in the pilot audits
• Updated protocol to be available on web site
Phase 2 Audit Focus
2014 – Covered Entities
• Security—Risk analysis and risk management
• Breach—Content and timeliness of notifications
• Privacy—Notice and access
2015
Round 1 Business Associates
• Security—Risk analysis and risk management
• Breach—Breach reporting to covered entity
Round 2 Covered Entities (Projected)
• Security—Device and media controls, transmission security
• Privacy—Safeguards, training to policies and procedures
2016 (Projected)
• Security—Encryption and decryption, facility access control (physical);
other areas of high risk as identified by 2014 audits, breach reports,
and complaints
Audit Phase 2 Approach
• Primarily OCR internally staffed
• Desk audits of selected provisions
• Comprehensive on-site audits, as resources allow
• Data request will specify content and file
organization, file names, and any other document
submission requirements
Desk Audit Expectations
• Only requested data submitted on time
will be assessed
• All documentation must be current
as of the date of the request
• Likely will not consider documentation
developed after data request
• Likely will not ask for clarification
• Don’t submit extraneous information
• Respond! Otherwise may result in
compliance review
How to Help Yourself
• Review Audit Protocols
(Phase I and Phase II)
– Likened to an "open book test"
• Perform own assessment/audit
– Internal or external
– Use audit protocol
– Identify other toolkits
– Consider use of attorney-directed
investigation
• Begin corrective action for gaps
• On-going monitoring
How to Help Yourself
• Document, Document, Document
• Verify policies and procedures are updated
• Critical that the documents accurately reflect
the program
• Have supplemental documentation ready
– Limited time period to provide documents
– To prove compliance
– Make it relatively self-explanatory (e.g., clearly
labeled)
– Focus on targeted areas, but that could be
extended
How to Help Yourself
• Maintain a current list of business
associates and their contact information
• Covered entities: remind your business
associates audits are coming
• Concern that not all Business Associates
know:
– They are business associates
– What they need to do
• Goal: Develop and maintain a culture of
compliance
How to Help Yourself – Privacy
• Access
• Policies and procedures
– Update to reflect Omnibus Rule
• Additional documentation
• How to prove
– Access was provided?
– Timely compliance?
How to Help Yourself - Privacy
• Notice of Privacy Practices
– Update to reflect Omnibus Rule
– Verify NPP reflects actual practices
• Post NPP
– Remember website
• Policies and procedures
• Additional documentation
• How to prove
– NPPs were provided
– Acknowledgements were obtained
How to Help Yourself − Security Rule Risk Analysis
Risk analysis (Required). Conduct an accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality, integrity, and
availability of electronic protected health information held by the covered
entity or business associate.
45 C.F.R. § 164.308(a)(1)(ii)(A)
How to Help Yourself − Security Rule Risk Management
Risk management (Required). Implement security measures sufficient to reduce
risks and vulnerabilities to a reasonable and appropriate level to:
• ensure the confidentiality, integrity, and availability
of electronic protected health information
• protect against reasonably anticipated threats or
hazard
• protect against reasonably anticipated impermissible
uses and disclosures and
• ensure workforce compliance.
45 C.F.R. § 164.308(a)(1)(ii)(A)
How to Help Yourself − Risk Analysis/Risk Management
• Identify locations of PHI
• Identify reasonable vulnerabilities and anticipated
threats (e.g., human, natural, and environmental)
• Assign risk levels (e.g., low, medium, high)
based on likelihood and impact
• Make sure it is a HIPAA risk analysis
– Not a list of controls
– Not an "evaluation" or "gap analysis"
• Verify appropriate policies, procedures, and safeguards are
in place
• Revisit regularly and when changes occur
• See OCR Guidance on Risk Analysis and HHS Risk
Assessment tool
Agenda
• OCR Phase 2 Audit scope, process and timeline
• Changes you can expect in Phase 2 audit and how they
could impact you
• How to prepare for them based on a risk based approach
• Breach notification rule
– Stages of the rule’s evolution
– Regulatory Obligation for CEs & BAs
– Audit readiness
• Questions
4 Stages of Flirting with “Breach Notification”
Acceptance
2013: Final Breach Notification Rule
Bargaining
Harm Test Advocates vs. Opponents
Denial
The Interim Final Rule Era Risk of Harm Revisited
ANGER
2009: “Risk of Harm” Backlash & Fury
Breach Compliance Obligations
Covered Entities & Business Associates
Obligations                                    Covered Entity                     Business Associate
Incident Management Policies & Procedures      Yes & Business Associate(s)        Yes & Downstream sub-contractor(s)
Incident Risk Assessment & Outcome Retention   Yes                                Yes
Breach Notification                            Individuals; Regulator(s); CRAs    Covered Entity
Accounting of Disclosures                      Yes (including PHI incidents)      Yes (including PHI incidents)
HIPAA Investigations                           HHS/OCR                            HHS/OCR
Foundation of Breach Rule Compliance
Risk Factors & Mitigation Factors → Low Probability of Compromise (LoProCo?)
If Wrong: Low Probability of Compliance!
Your Incident Risk Assessment Consistency & Outcome
Incident Risk Assessment Challenges
[Bar chart from the 4th Annual Benchmark Study on Patient Privacy & Data
Security (percentage of respondents, 0%–80%) for the following challenges]
• Lack of consistency
• Inability to scale
• Difficult to use
Addressing Risk Assessment Challenges by Using the Right Tools
Requires more than issue tracking & ad-hoc risk assessment
[Chart axes: Solution Scope & Automation; Ease of Use & Affordability]
Multi-Factor & Multi-Jurisdictions Risk Scoring
FACTORS (each scored for Relevance, Risk Score and Weight):
• Disclosed Data Type & Scope
• Recipient & Intent
• Risk Mitigation
• Access / Viewing / Re-disclosing
Outcome: Breach / Not Breach / Voluntary
Jurisdictions:
• 47 States & DC
• +3 Territories
• Most have "harm" test
• Different notification timelines, obligations, thresholds
Breach Notification Rule: Audit Preparedness
• Multi-Factor Risk Assessment
• Multi-Jurisdiction Risk Assessment
• Always Up to Date
• Easy to Use
• Purpose-Built Work-flow
• Collaboration Platform
• Reports & Audit Logs
• Central Repository
Moving Beyond Compliance & Audits
Know the
rules
Follow
the rules
Prove it!
Where to learn more
• www2.idexpertscorp.com/resources
• www2.idexpertscorp.com/radar
• www2.idexpertscorp.com/ponemon
Questions & Answers
If you are having a breach now, call 866-726-4271
Becky Williams, RN, JD
Co-Chair, Health Information Practice
Davis Wright Tremaine LLP
206.757.8171
beckywilliams@dwt.com
Mahmood Sher-Jan, CHPC
VP and GM, RADAR Product Unit
ID Experts
800-298-7558
mahmood.sher-jan@idexpertscorp.com
ID Experts Webinar Series
ID Experts provides software and services for managing the disclosure and breaches of regulated data. Leading
organizations in healthcare, insurance, financial services, universities, higher education, and government rely on
ID Experts' patented RADAR™ data incident management software and data breach response services for
managing risks. Exclusively endorsed by the American Hospital Association. ID Experts is an advocate for privacy
and a leading contributor to legislation and industry organizations that focus on the protection of PHI and PII. On
the web: http://www2.idexpertscorp.com/.
For more information visit:
• www2.idexpertscorp.com
• Complete Data Breach Care
• Cyber Liability Insurance
• RADAR

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

OCR Audits Season is About to Begin

1. The OCR Audits Season is About to Begin
Get Your Ducks in a Row
June 10, 2014
ID Experts, www2.idexpertscorp.com

2. Presenters
• Rebecca Williams, RN, JD, Co-Chair, Health Information Practice, Davis Wright Tremaine
• Mahmood Sher-Jan, CHPC, VP and GM, RADAR Product Unit, ID Experts

3. Agenda
• OCR Phase 2 Audit scope, process and timeline
• Changes you can expect in Phase 2 audit and how they could impact you
• How to prepare for them based on a risk-based approach
• Breach notification rule
  – Stages of the rule’s evolution
  – Regulatory obligation for CEs & BAs
  – Audit readiness
• Questions

4. Audit Program Mandate
• Reasonably new enforcement approach under HIPAA
• HITECH Act, part of the American Recovery and Reinvestment Act of 2009
  – Requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy, Breach Notification and Security Rules
  – Section 13411 – Audits

5. Multi-year Phase 1 − How Did We Get Here?
Description | Vendor | Status/Timeframe
Audit program development study | Booz Allen Hamilton | Closed 2010
Covered entity identification and cataloguing | Booz Allen Hamilton | Closed 2011
Develop audit protocol and conduct audits | KPMG | Closed 2011-2012
Evaluation of audit program | PwC | Closed 2013

6. Phase 1: Pilot 2011 – 2012
• Phase 1 of the HIPAA Audits
• Conducted 115 performance audits through 12/2012
• Two parts:
  – Initial 20 audits to test original audit protocol
  – Final 95 audits using modified audit protocol
• Covered broad range of topics regarding adherence with HIPAA standards

7. Overall Findings & Observations
• No findings or observations for 11% of the entities: 2 providers, 9 health plans, 2 clearinghouses
• Security accounted for 60% of findings and observations, although only 28% of potential total
• Providers had a greater proportion of findings and observations (65%) than reflected by their proportion of the total set (53%)
• Smaller, Level 4 entities struggle with all three areas
8. Privacy Findings & Observations
• Chart: Percentage of Findings and Observations by Area of Focus (values shown: 20%, 2%, 16%, 18%, 44%)
• Areas of focus: Notice of Privacy Practices for PHI; Right to Request Privacy Protection for PHI; Access of Individuals to PHI; Administrative Requirements; Uses and Disclosures of PHI

9. Security Results
• 58 of 59 providers had at least one Security finding or observation
• 2/3 of entities had no complete, accurate risk analysis
  – 47 of 59 providers
  – 20 of 35 plans
  – 2 of 7 clearinghouses
• Addressable implementation specifications: most entities without a finding or observation met the standard by fully implementing the addressable specification

10. Security Elements
• Chart: Percentage of Audit Findings and Observations by Area of Focus (values shown: 12%, 14%, 7%, 18%, 4%, 14%, 8%, 14%, 9%)
• Areas of focus: Risk Analysis; Access Management; Security Incident Procedures; Contingency Planning and Backups; Workstation Security; Media Movement and Destruction; Encryption; Audit Controls and Monitoring

11. Breach Notification Findings
• Notification to individuals
• Timeliness of notice
• Method of notification to individuals
• Burden of proof

12. Overall Cause Analysis
• For every finding and observation cited, the audit identified a “Cause.”
• Most common across all entities: entity unaware of the requirement
  – In 30% (289 of 980 findings and observations)
    • 39% (115 of 293) of Privacy
    • 27% (163 of 593) of Security
    • 12% (11) of Breach Notification
  – Most related to explicit requirements
• Other causes noted included:
  – Lack of application of sufficient resources
  – Incomplete implementation
  – Complete disregard

13. Cause Analysis – Top Elements Unaware of the Requirement
Privacy:
• Notice of Privacy Practices
• Access of Individuals
• Minimum Necessary
• Authorizations
Security:
• Risk Analysis
• Media Movement and Disposal
• Audit Controls and Monitoring

14. Phase 2: Who Can Be Audited?
• Any Covered Entity
  – Health plans of all types
  – Health care clearinghouses
  – Individual and organizational providers
• Any Business Associate
  – Selection through covered entities
15. Phase 2 Covered Entity Pool
• Have a pool of covered entities eligible for audit
  – Health care providers selected through NPI database
  – Clearinghouses & health plans from external databases (e.g., AHIP)
• Random selection used when possible within types
• Wide range (e.g., group health plans, physicians and group practices, dental, hospitals, laboratories)

16. Pre-audit – Timing of Audit
Spring
• Address verification
Summer
• “Pre-survey” for on-line screening
  – Questions address size measures, location, services, best contacts
  – Expect to contact 550-800 entities
Fall
• Notification and data request letters to selected entities
  – Anticipate 350 covered entities
• Two weeks for entity response

17. Audit 2015: Business Associates
• Covered entities will be asked to identify their business associates and provide their current contact information
• Will select business associate audit subjects for the 2015 first wave from among those identified by covered entities

18. Phase 2 Audit Distribution Projections
Entity Type | Privacy | Breach | Security
Covered Entities | 100 | 100 | 150
• Health Plans | 33 | 31 | 45
• Providers | 67 | 65 | 100
• Clearinghouses | - | 4 | 5

19. Phase 2 Protocol Criteria
• Updated protocols
  – Reflect Omnibus Rule changes
  – More specific test procedures
• Sampling methodology
• Target provisions that were the source of a high number of compliance failures in the pilot audits
• Updated protocol to be available on web site

20. Phase 2 Audit Focus
2014 – Covered Entities
• Security: Risk analysis and risk management
• Breach: Content and timeliness of notifications
• Privacy: Notice and access
2015 Round 1 – Business Associates
• Security: Risk analysis and risk management
• Breach: Breach reporting to covered entity
2015 Round 2 – Covered Entities (Projected)
• Security: Device and media controls, transmission security
• Privacy: Safeguards, training to policies and procedures
2016 (Projected)
• Security: Encryption and decryption, facility access control (physical); other areas of high risk as identified by 2014 audits, breach reports, and complaints

21. Audit Phase 2 Approach
• Primarily OCR internally staffed
• Desk audits of selected provisions
• Comprehensive on-site audits, as resources allow
• Data request will specify content and file organization, file names, and any other document submission requirements

22. Desk Audit Expectations
• Only requested data submitted on time will be assessed
• All documentation must be current as of the date of the request
• Likely will not consider documentation developed after data request
• Likely will not ask for clarification
• Don’t submit extraneous information
• Respond! Otherwise may result in compliance review
23. How to Help Yourself
• Review Audit Protocols (Phase I and Phase II)
  – Likened to an “open book test”
• Perform own assessment/audit
  – Internal or external
  – Use audit protocol
  – Identify other toolkits
  – Consider use of attorney-directed investigation
• Begin corrective action for gaps
• On-going monitoring

24. How to Help Yourself
• Document, Document, Document
• Verify policies and procedures are updated
• Critical that the documents accurately reflect the program
• Have supplemental documentation ready
  – Limited time period to provide documents
  – To prove compliance
  – Make it relatively self-explanatory (e.g., clearly labeled)
  – Focus on targeted areas, but that could be extended

25. How to Help Yourself
• Maintain a current list of business associates and their contact information
• Covered entities: remind your business associates audits are coming
• Concern that not all business associates know:
  – They are business associates
  – What they need to do
• Goal: Develop and maintain a culture of compliance

26. How to Help Yourself – Privacy
• Access
• Policies and procedures
  – Update to reflect Omnibus Rule
• Additional documentation
• How to prove
  – Access was provided?
  – Timely compliance?

27. How to Help Yourself – Privacy
• Notice of Privacy Practices
  – Update to reflect Omnibus Rule
  – Verify NPP reflects actual practices
• Post NPP
  – Remember website
• Policies and procedures
• Additional documentation
• How to prove
  – NPPs were provided
  – Acknowledgements were obtained

28. How to Help Yourself − Security Rule Risk Analysis
Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
45 C.F.R. § 164.308(a)(1)(ii)(A)

29. How to Help Yourself − Security Rule Risk Management
Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
• ensure the confidentiality, integrity, and availability of electronic protected health information
• protect against reasonably anticipated threats or hazards
• protect against reasonably anticipated impermissible uses and disclosures, and
• ensure workforce compliance.
45 C.F.R. § 164.308(a)(1)(ii)(A)

30. How to Help Yourself − Risk Analysis/Risk Management
• Identify locations of PHI
• Identify reasonable vulnerabilities and anticipated threats (e.g., human, natural, and environmental)
• Assign risk levels (e.g., low, medium, high) based on likelihood and impact
• Make sure it is a HIPAA risk analysis
  – Not a list of controls
  – Not an “evaluation” or “gap analysis”
• Verify appropriate policies, procedures, and safeguards are in place
• Revisit regularly and when changes occur
• See OCR Guidance on Risk Analysis and HHS Risk Assessment tool
31. Agenda
• OCR Phase 2 Audit scope, process and timeline
• Changes you can expect in Phase 2 audit and how they could impact you
• How to prepare for them based on a risk-based approach
• Breach notification rule
  – Stages of the rule’s evolution
  – Regulatory obligation for CEs & BAs
  – Audit readiness
• Questions

32. 4 Stages of Flirting with “Breach Notification”
• Acceptance – 2013: Final Breach Notification Rule
• Bargaining – Harm test advocates vs. opponents
• Denial – The Interim Final Rule era; risk of harm revisited
• Anger – 2009: “Risk of Harm” backlash & fury

33. Breach Compliance Obligations (Covered Entities & Business Associates)
Obligation | Covered Entity | Business Associate
Incident management policies & procedures | Yes, & business associate(s) | Yes, & downstream sub-contractor(s)
Incident risk assessment & outcome retention | Yes | Yes
Breach notification | Individuals; regulator(s); CRAs | Covered entity
Accounting of disclosures | Yes (including PHI incidents) | Yes (including PHI incidents)
HIPAA investigations | HHS/OCR | HHS/OCR

34. Foundation of Breach Rule Compliance
• Risk factors & mitigation factors
• Low Probability of Compromise (LoProCo?)
• If wrong: low probability of compliance!
• Your incident risk assessment: consistency & outcome

35. Incident Risk Assessment Challenges
• Bar chart from the 4th Annual Benchmark Study on Patient Privacy & Data Security (axis 0% to 80%)
• Challenges shown: Lack of consistency; Inability to scale; Difficult to use

36. Addressing Risk Assessment Challenges by Using the Right Tools
• Requires more than issue tracking & ad-hoc risk assessment
• Chart axes: Solution Scope & Automation; Ease of Use & Affordability
37. Multi-Factor & Multi-Jurisdiction Risk Scoring
• Factors, each scored by relevance, risk score and weight:
  – Disclosed data type & scope
  – Recipient & intent
  – Risk mitigation
  – Access / viewing / re-disclosing
• Outcomes: Breach; Not breach; Voluntary
• Jurisdictions:
  – 47 states & DC
  – +3 territories
  – Most have “harm” test
  – Different notification timelines, obligations, thresholds

38. Breach Notification Rule: Audit Preparedness
• Multi-factor risk assessment
• Multi-jurisdiction risk assessment
• Always up to date
• Easy to use
• Purpose-built work-flow
• Collaboration platform
• Reports & audit logs
• Central repository
Moving beyond compliance & audits: Know the rules. Follow the rules. Prove it!

39. Where to learn more
• www2.idexpertscorp.com/resources
• www2.idexpertscorp.com/radar
• www2.idexpertscorp.com/ponemon

40. Questions & Answers
If you are having a breach now, call 866-726-4271
• Becky Williams, RN, JD, Co-Chair, Health Information Practice, Davis Wright Tremaine LLP, 206.757.8171, beckywilliams@dwt.com
• Mahmood Sher-Jan, CHPC, VP and GM, RADAR Product Unit, ID Experts, 800-298-7558, mahmood.sher-jan@idexpertscorp.com

41. ID Experts Webinar Series
ID Experts provides software and services for managing the disclosure and breaches of regulated data. Leading organizations in healthcare, insurance, financial services, universities, higher education, and government rely on ID Experts’ patented RADAR™ data incident management software and data breach response services for managing risks. Exclusively endorsed by the American Hospital Association. ID Experts is an advocate for privacy and a leading contributor to legislation and industry organizations that focus on the protection of PHI and PII. On the web: http://www2.idexpertscorp.com/.
For more information visit:
• www2.idexpertscorp.com
• Complete Data Breach Care
• Cyber Liability Insurance
• RADAR