The OCR Audits Season is About to Begin discusses the upcoming Phase 2 of HIPAA audits by the Office for Civil Rights (OCR). Key points:
- OCR will audit 350 covered entities in 2014-2015, focusing on security risk analysis, breach notifications, and privacy practices.
- Entities should review Phase 1 audit findings, perform self-audits, and ensure policies and documentation are updated to address the audit focus areas and reflect the HIPAA rules.
- Thorough risk analysis and risk management programs are especially important given their prominence in the Phase 1 findings. Entities must identify risks and vulnerabilities and implement security measures to address them.
The OCR Audits Season is About to Begin
June 10, 2014
Get Your Ducks in a Row
ID Experts www2.idexpertscorp.com
Presenters
Rebecca Williams, RN, JD
Co-Chair, Health Information Practice, Davis Wright Tremaine
Mahmood Sher-Jan, CHPC
VP and GM, RADAR Product Unit, ID Experts
Agenda
• OCR Phase 2 Audit scope, process and timeline
• Changes you can expect in Phase 2 audit and how they could impact you
• How to prepare for them based on a risk based approach
• Breach notification rule
– Stages of the rule’s evolution
– Regulatory Obligation for CEs & BAs
– Audit readiness
• Questions
Audit Program Mandate
• Relatively new enforcement approach under HIPAA
• HITECH Act, part of the American Recovery and Reinvestment Act of 2009
– Requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy, Breach Notification and Security Rules
– Section 13411 – Audits
Multi-year Phase 1 − How Did We Get Here?
Description                                     Vendor                 Status/Timeframe
Audit program development study                 Booz Allen Hamilton    Closed 2010
Covered entity identification and cataloguing   Booz Allen Hamilton    Closed 2011
Develop audit protocol and conduct audits       KPMG                   Closed 2011-2012
Evaluation of audit program                     PwC                    Closed 2013
Phase 1: Pilot 2011 – 2012
• Phase 1 of the HIPAA Audits
• Conducted 115 performance audits through 12/2012
• Two parts:
– Initial 20 audits to test original audit protocol
– Final 95 audits using modified audit protocol
• Covered broad range of topics regarding adherence with HIPAA standards
Overall Findings & Observations
• No findings or observations for 11% of the entities (2 providers, 9 health plans, 2 clearinghouses)
• Security accounted for 60% of findings and observations, although only 28% of potential total
• Providers had a greater proportion of findings and observations (65%) than reflected by their proportion of the total set (53%)
• Smaller, Level 4 entities struggle with all three areas
Privacy Findings & Observations
[Chart: Percentage of Findings and Observations by Area of Focus. Values shown: 20%, 2%, 16%, 18%, 44%.]
Areas of focus:
• Notice of Privacy Practices for PHI
• Right to Request Privacy Protection for PHI
• Access of Individuals to PHI
• Administrative Requirements
• Uses and Disclosures of PHI
Security Results
• 58 of 59 providers had at least one Security finding or observation
• 2/3 of entities had no complete, accurate risk analysis
– 47 of 59 providers
– 20 of 35 plans
– 2 of 7 clearinghouses
• Addressable implementation specifications: most entities without a finding or observation met the standard by fully implementing the addressable specification
Security Elements
[Chart: Percentage of Audit Findings and Observations by Area of Focus. Values shown: 12%, 14%, 7%, 18%, 4%, 14%, 8%, 14%, 9%.]
Areas of focus:
• Risk Analysis
• Access Management
• Security Incident Procedures
• Contingency Planning and Backups
• Workstation Security
• Media Movement and Destruction
• Encryption
• Audit Controls and Monitoring
Overall Cause Analysis
• For every finding and observation cited, audit identified a “Cause.”
• Most common across all entities: entity unaware of the requirement
– In 30% (289 of 980 findings and observations)
• 39% (115 of 293) of Privacy
• 27% (163 of 593) of Security
• 12% (11) of Breach Notification
– Most related to explicit requirements
• Other causes noted included:
– Lack of application of sufficient resources
– Incomplete implementation
– Complete disregard
Cause Analysis – Top Elements
Unaware of the Requirement
Privacy:
• Notice of Privacy Practices
• Access of Individuals
• Minimum Necessary
• Authorizations
Security:
• Risk Analysis
• Media Movement and Disposal
• Audit Controls and Monitoring
Phase 2: Who Can Be Audited?
• Any Covered Entity
– Health plans of all types
– Health care clearinghouses
– Individual and organizational providers
• Any Business Associate
– Selection through covered entities
Phase 2 Covered Entity Pool
• Have a pool of covered entities eligible for audit
– Health care providers selected through NPI database
– Clearinghouses & Health Plans from external databases (e.g., AHIP)
• Random selection used when possible within types
• Wide range (e.g., group health plans, physicians and group practices, dental, hospitals, laboratories)
Pre-audit – Timing of Audit
Spring
• Address verification
Summer
• “Pre-survey” for on-line screening
– Questions address size measures, location, services, best contacts
– Expect to contact 550-800 entities
Fall
• Notification and data request letters to selected entities – anticipate 350 covered entities
• Two weeks for entity response
Audit 2015: Business Associates
• Covered entities will be asked to identify their business associates and provide their current contact information
• Will select business associate audit subjects for 2015 first wave from among those identified by covered entities
Phase 2 Protocol Criteria
• Updated protocols
– Reflect Omnibus Rule changes
– More specific test procedures
• Sampling methodology
• Target provisions that were the source of a high number of compliance failures in the pilot audits
• Updated protocol to be available on web site
Phase 2 Audit Focus
2014 – Covered Entities
• Security—Risk analysis and risk management
• Breach—Content and timeliness of notifications
• Privacy—Notice and access
2015
Round 1 Business Associates
• Security—Risk analysis and risk management
• Breach—Breach reporting to covered entity
Round 2 Covered Entities (Projected)
• Security—Device and media controls, transmission security
• Privacy—Safeguards, training to policies and procedures
2016 (Projected)
• Security—Encryption and decryption, facility access control (physical); other areas of high risk as identified by 2014 audits, breach reports, and complaints
Audit Phase 2 Approach
• Primarily OCR internally staffed
• Desk audits of selected provisions
• Comprehensive on-site audits, as resources allow
• Data request will specify content and file organization, file names, and any other document submission requirements
Desk Audit Expectations
• Only requested data submitted on time will be assessed
• All documentation must be current as of the date of the request
• Likely will not consider documentation developed after data request
• Likely will not ask for clarification
• Don’t submit extraneous information
• Respond! Otherwise may result in compliance review
How to Help Yourself
• Review Audit Protocols (Phase I and Phase II)
– Likened to an “open book test”
• Perform own assessment/audit
– Internal or external
– Use audit protocol
– Identify other toolkits
– Consider use of attorney-directed investigation
• Begin corrective action for gaps
• On-going monitoring
How to Help Yourself
• Document, Document, Document
• Verify policies and procedures are updated
• Critical that the documents accurately reflect the program
• Have supplemental documentation ready
– Limited time period to provide documents
– To prove compliance
– Make it relatively self-explanatory (e.g., clearly labeled)
– Focus on targeted areas, but that could be extended
How to Help Yourself
• Maintain a current list of business associates and their contact information
• Covered entities: remind your business associates audits are coming
• Concern that not all Business Associates know:
– They are business associates
– What they need to do
• Goal: Develop and maintain a culture of compliance
How to Help Yourself – Privacy
• Access
• Policies and procedures
– Update to reflect Omnibus Rule
• Additional documentation
• How to prove
– Access was provided?
– Timely compliance?
How to Help Yourself – Privacy
• Notice of Privacy Practices
– Update to reflect Omnibus Rule
– Verify NPP reflects actual practices
• Post NPP
– Remember website
• Policies and procedures
• Additional documentation
• How to prove
– NPPs were provided
– Acknowledgements were obtained
How to Help Yourself − Security Rule Risk Analysis
Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
45 C.F.R. § 164.308(a)(1)(ii)(A)
How to Help Yourself − Security Rule Risk Management
Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
• ensure the confidentiality, integrity, and availability of electronic protected health information
• protect against reasonably anticipated threats or hazards
• protect against reasonably anticipated impermissible uses and disclosures and
• ensure workforce compliance.
45 C.F.R. § 164.308(a)(1)(ii)(B)
How to Help Yourself − Risk Analysis/Risk Management
• Identify locations of PHI
• Identify reasonable vulnerabilities and anticipated threats (e.g., human, natural, and environmental)
• Assign risk levels (e.g., low, medium, high) based on likelihood and impact
• Make sure it is a HIPAA risk analysis
– Not a list of controls
– Not an “evaluation” or “gap analysis”
• Verify appropriate policies, procedures, and safeguards are in place
• Revisit regularly and when changes occur
• See OCR Guidance on Risk Analysis and HHS Risk Assessment tool
Agenda
• OCR Phase 2 Audit scope, process and timeline
• Changes you can expect in Phase 2 audit and how they could impact you
• How to prepare for them based on a risk based approach
• Breach notification rule
– Stages of the rule’s evolution
– Regulatory Obligation for CEs & BAs
– Audit readiness
• Questions
4 Stages of Flirting with “Breach Notification”
• Anger – 2009: “Risk of Harm” Backlash & Fury
• Denial – The Interim Final Rule Era: Risk of Harm Revisited
• Bargaining – Harm Test Advocates vs. Opponents
• Acceptance – 2013: Final Breach Notification Rule
Foundation of Breach Rule Compliance
Risk Factors & Mitigation Factors
Low Probability of Compromise (LoProCo?)
If Wrong: Low Probability of Compliance!
Your Incident Risk Assessment: Consistency & Outcome
Incident Risk Assessment Challenges
4th Annual Benchmark Study on Patient Privacy & Data Security
[Bar chart, 0%–80% scale, of challenges reported:]
• Lack of consistency
• Inability to scale
• Difficult to use
Addressing Risk Assessment Challenges by Using the Right Tools
Requires more than issue tracking & ad-hoc risk assessment
[Chart axes: Solution Scope & Automation; Ease of Use & Affordability]
Multi-Factor & Multi-Jurisdictions Risk Scoring
FACTORS (each assessed for Relevance, Risk Score, and Weight):
• Disclosed Data Type & Scope
• Recipient & Intent
• Risk Mitigation
• Access / Viewing / Re-disclosing
Outcomes: Breach; Not Breach; Voluntary
Jurisdictions:
• 47 States & DC
• +3 Territories
• Most have “harm” test
• Different notification timelines, obligations, thresholds
Breach Notification Rule: Audit Preparedness
• Multi-Factor Risk Assessment
• Multi-Jurisdiction Risk Assessment
• Always Up to Date
• Easy to Use
• Purpose-Built Work-flow
• Collaboration Platform
• Reports & Audit Logs
• Central Repository
Moving Beyond Compliance & Audits
• Know the rules
• Follow the rules
• Prove it!
Where to learn more
• www2.idexpertscorp.com/resources
• www2.idexpertscorp.com/radar
• www2.idexpertscorp.com/ponemon
Questions & Answers
If you are having a breach now, call 866-726-4271
Becky Williams, RN, JD
Co-Chair, Health Information Practice
Davis Wright Tremaine LLP
206.757.8171
beckywilliams@dwt.com
Mahmood Sher-Jan, CHPC
VP and GM, RADAR Product Unit
ID Experts
800-298-7558
mahmood.sher-jan@idexpertscorp.com
ID Experts Webinar Series
ID Experts provides software and services for managing the disclosure and breaches of regulated data. Leading organizations in healthcare, insurance, financial services, universities, higher education, and government rely on ID Experts’ patented RADAR™ data incident management software and data breach response services for managing risks. Exclusively endorsed by the American Hospital Association. ID Experts is an advocate for privacy and a leading contributor to legislation and industry organizations that focus on the protection of PHI and PII. On the web: http://www2.idexpertscorp.com/.
For more information visit:
• www2.idexpertscorp.com
• Complete Data Breach Care
• Cyber Liability Insurance
• RADAR