Our panel, which includes two former OCR staffers who played key roles in policy and enforcement activities, will provide status updates and practical tips to help you prepare for business associate and covered entity audits.
Our agenda:
-OCR Audit Status Update
-OCR Document Request List
-How to Document Your Security Rule Compliance
-The Importance of Up-To-Date Security Risk Analysis
-How to Build Your "HIPAA Audit Binder"
-Even if You Are Not Selected: How Audit Preparation Can Assist in Breach/Complaint Investigations
-Key Takeaways/Recommendations
What Covered Entities Need to Know about OCR HIPAA Audits (Iatric Systems)
Learn how to be better prepared to comply with today's patient privacy rules and regulations.
Hosted by HealthITSecurity.com, you'll get insight directly from HIPAA officer Iliana L. Peters, J.D., LL.M. As senior advisor for HIPAA Compliance and Enforcement, she is today's leading source for understanding HIPAA requirements.
Ms. Peters presents OCR’s 2017 to 2018 goals and objectives and tells you how you can:
-Uncover the patient privacy risks and vulnerabilities in your healthcare organization
-Determine where you can use technology to assist in and encourage consistent compliance
-Manage risk when vendors have access to your patient data
OCR is increasing its audits of the HIPAA compliance of health care providers. An OCR audit that finds noncompliance may lead to a significant fine or financial settlement. Adam Greene, partner at Davis Wright Tremaine and past regulator at OCR, will review the latest information about the OCR audit program, including OCR’s focus on information security risk analysis and on ensuring that breach notification policies and procedures are up to date and consistent with recent regulatory changes. Learn about recent changes to HIPAA rules, the focus of upcoming audits, the importance of a good breach response program to reduce potential liability, and how best to prepare your organization. In addition, you’ll hear how to prepare for and respond to the inevitable data breach.
To View the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/ocr-hipaa-audits...will-you-be-prepared/r-general
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
The HIPAA Security Rule lists 28 administrative safeguards, 12 physical safeguards and 12 technical safeguards, along with specific organizational and policies-and-procedures requirements. EHR 2.0's HIPAA security assessment services help covered entities discover gap areas against the required and addressable requirements.
HIPAA has two main rules: the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
How often should security be reviewed?
The security standards under HIPAA should be reviewed and modified as needed to continue providing reasonable and appropriate protection of electronic protected health information.
Confidentiality: limiting information access and disclosure to authorized users (the right people)
Integrity: trustworthiness of information resources (no inappropriate changes)
Availability: availability of information resources (at the right time)
http://ehr20.com/services/hipaa-security-assessment/
There are real-life consequences for organizations that do not integrate privacy and security throughout the continuum of HIT adoption, including health information breaches that could result in identity theft, financial loss and even altered records that can impact patient safety. Joy Pritts, Chief Privacy Officer at the Office of the National Coordinator for Health IT, whose office is directly engaged with these issues, will lead an interactive keynote discussion on ways to build a culture of privacy and security in healthcare organizations.
The Department of Health and Human Services (HHS) has launched the second phase of its HIPAA audit program, which focuses on compliance with HIPAA’s Privacy, Security and Breach Notification Rules. HHS’ Office for Civil Rights (OCR) is responsible for conducting these audits.
This second phase of the HIPAA audit program covers both covered entities and business associates. According to OCR, these HIPAA audits are primarily a compliance improvement activity. However, if an audit reveals a serious compliance issue, OCR may initiate a compliance review to investigate.
Presentation designed to explain to business associates the basics of HIPAA, with real-life examples of cases that failed to implement and follow HIPAA requirements in a timely manner.
Increasing the level of awareness and training is also very important, as is the cultural impact of the CE’s environment. How you proceed to successfully train staff and change the culture depends on the choice of an external HIPAA-HITECH privacy and security auditor. Simply stated, your external auditor should possess the skills and knowledge to comprehensively evaluate all aspects of the HIPAA-HITECH impact on your practice. Upon completion of an audit, each area should address its findings, impact and corrective action plan. The action plan should incorporate the training requirements and a training plan that addresses the specific requirements of each staff member’s job function within the practice.
EHR Meaningful Use Security Risk Assessment Sample Document (data brackets)
Under the HIPAA Privacy and Security Rules, business associates are required to perform active risk prevention and to safeguard patient information, which is very important to patient privacy. The HITECH Act allows only the minimum necessary information to be disclosed when handling protected health information (PHI).
This security risk assessment exercise has been performed to support the requirements of the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and other applicable state data privacy laws and regulations. Upon completion of this risk assessment, a detailed risk management plan needs to be developed based on the gaps identified in the risk analysis. The gaps identified and recommendations provided are based on the input provided by the staff, budget, scope and other practical considerations.
Lessons from Equifax: Open Source Security & Data Privacy Compliance (Black Duck by Synopsys)
The Equifax breach provided a unique look into “how” many breaches occur. In Equifax’s case, hackers exploited an unpatched Apache Struts component, resulting in the exposure of over 140 million consumer records. The exploit of this vulnerability highlights the need for visibility into open source in custom applications and just how ineffective traditional security solutions are when it comes to open source vulnerabilities. Further, while class action lawsuits have already begun, Equifax faces other regulatory challenges as well. The US Federal Trade Commission started investigations into the company’s security policies and controls that will likely result in financial penalties. Since the exposed data included non-US citizens, foreign data protection and data privacy regulations also come into play. Join Mike Pittenger and Bob Canaway as they discuss how organizations can more effectively manage open source, the strengths and weaknesses of testing methodologies in identifying vulnerable open source components, and how data privacy standards such as PCI, Section 5 of the FTC Act, and GDPR necessitate a change in how organizations address vulnerabilities in their code.
Dental Compliance for Dentists and Business Associates (gppcpa)
This presentation will discuss covered entities, protected health information (PHI) as it relates to dental practices, and business associates of those practices. It will update you on major legislation relating to patient privacy laws and explain why PHI is important and the consequences of non-compliance with state and federal laws.
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare? (Shahid Shah)
Technical discussion about service oriented architecture (SOA) and HIPAA compliant clouds. This talk was presented at the Object Management Group's (OMG) SOA in Healthcare working group in the Summer of 2011. It covered the following major topics:
* What does HIPAA mean in the cloud?
* Are cloud providers covered by HIPAA?
* Cloud safeguards that can meet HIPAA requirements
* Healthcare SOA in the cloud
Privacy and Security: Teamwork Required to Tackle Incident Response (ID Experts)
Don’t you wish you had the right culture, resources and best practices to protect customer information and effectively respond when incidents occur? Increasing risk of financial and healthcare data breaches and fines, coupled with the complexities of complying with a patchwork of state and federal laws, is fueling the need for strong leadership, collaboration, innovative thinking and tools for incident response management.
In this web conference, CNO Financial Group Chief Privacy Officer Lisa Copp and Henry Ford Health System Chief Information Privacy and Security Officer Meredith Phillips describe their governance structure, as well as insights and risk-based practices that have made them successful in establishing a culture of compliance and strong collaboration among security and privacy teams.
To view the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/privacy-and-security-teamwork-required-to-tackle-incident-response/r-general
OCR Audits Are Coming – Is Your Organization Prepared? (Polsinelli PC)
OCR has finally launched its Phase 2 formal audits of Covered Entities (CEs) and Business Associates (BAs). The first step of an audit will consist of OCR reviewing a CE's policies, procedures, and processes for HIPAA Privacy, Security, and Breach Notification Compliance. If significant noncompliance is uncovered, OCR may probe further with an on-site inspection. Upon notice of an OCR audit, OCR will require CEs and BAs to produce their HIPAA policies, procedures, and other compliance documents within 10 days. If you wait until notice of an audit to shore up your HIPAA policies, procedures and compliance documents, it will be too late. All this occurs under the backdrop of dramatically increased HIPAA enforcement actions by OCR; in the first quarter of 2016 alone, OCR extracted settlements or imposed CMPs in six formal cases ranging from $125,000 to $3.9 million. That is as many settlements as OCR extracted in the entire year of 2015.
How are your HIPAA policies and procedures? Have you ever developed them? Can you find them? Will they pass an OCR review? Has your organization undergone a HIPAA Security Risk Analysis? Has it been updated? An ounce of HIPAA preparation now will save $100,000s in cure later. Polsinelli presents this webinar to explain what to expect from an OCR audit and how to prepare a "HIPAA audit binder" that will put you in a better position to respond to OCR if the agency should come knocking.
Get your Ducks in a Row - The OCR Audit Season is About to Begin (ID Experts)
The HHS Office for Civil Rights has unveiled information about Phase 2 of its HIPAA audits. These audits will be conducted by OCR itself and will focus on high-risk areas and enforcement. Organizations may be hearing from OCR over this summer, with audits to begin in the fall. This webinar will overview some lessons learned from the first round of audits and highlight the changes and process for the next round. Phase 2’s additional focus on compliance with the Breach Notification Rule will be discussed. We also will provide some tips to prepare for the audits, which will also be helpful in preparing for any OCR investigation or compliance review.
To view the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/get-your-ducks-in-a-row-the-ocr-audit-season-is-about-to-begin/r-general
Preparing & Responding to an OCR HIPAA Audit (PYA, P.C.)
PYA Principal Barry Mathis presented “Preparing and Responding to an OCR HIPAA Audit” at the Association of Healthcare Internal Auditors (AHIA) 36th Annual Conference.
Areas of focus included:
-Understanding the steps of an OCR HIPAA audit.
-Learning methods for responding accurately and efficiently to audits.
-Understanding how to assess the ability to respond to, and identify gaps and weaknesses in, processes.
-Discussing lessons learned from completed audits.
OCR Enforcement Update: Under 500 Breach Investigations and Inner Workings of... (Lauren Williams)
Over the past several years the Office for Civil Rights (OCR) has ramped up its enforcement of the HIPAA Privacy and Security Rules. Generally, such enforcement efforts have related to incidents that affected more than 500 individuals. In August of 2016, however, OCR announced that it would begin investigating self-reported HIPAA breaches affecting under 500 individuals. This initiative may lead to increased investigations at both covered entities and business associates.
In the webinar, two former OCR attorneys will discuss this new OCR initiative, provide guidance and advice on navigating OCR investigations, explain how the OCR settlement and resolution agreement process works, and offer tips on steps to take if your organization is presented with a dreaded resolution agreement. Please join us for a discussion of recent OCR activity, the under-500 breach investigation initiative, the anatomy of an OCR investigation and settlement process, quick tips, and lessons learned.
OCR Enforcement Update: Under 500 Breach Investigations and Inner Workings of... (Polsinelli PC)
Get information on the HIPAA Omnibus Rule and how the revised regulations will impact not only healthcare organizations but also covered entities and other IT providers (O'Connor Davies, NYC CPA firm).
Office of Civil Rights HIPAA Audits--Ready or Not, Here They Come (PYA, P.C.)
PYA Compliance Consulting Manager Susan Thomas presented “Office of Civil Rights HIPAA Audits--Ready or Not, Here They Come” at the Kansas Association of Local Health Departments Midyear Meeting.
Learning objectives included:
-Understanding the Office of Civil Rights Health Information Technology for Economic and Clinical Health audit program.
-Reviewing lessons learned from Phase 1 audits.
-Discussing the scope and selection for Phase 2 audits.
-Determining Health Insurance Portability and Accountability Act audit readiness.
-Reviewing a breach investigation case study.
-Considering additional resources.
The HIPAA Security Rule - An overview and preview for 2014, from Summit Security Group. Summit Security Group is a business partner to Resource One, managed IT services provider for over 15 years to small and mid-sized businesses in the Portland Metro and Southwest Washington area.
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'... (eringold)
Gregory Fliszar, J.D., Ph.D., of Cozen O'Connor will make this presentation on Friday, February 26, 2015, at a PhilaPACT (Greater Philadelphia Alliance for Capital Technologies) cybersecurity series event at Philadelphia Marriott West in West Conshohocken.
Greg Fliszar, a member of the Business Law Department and the Health Law Practice Group and the Privacy, Data & Cyber Security Industry Team, will present on the legal issues of cybersecurity and healthcare at this timely discussion. In the wake of the Anthem cyber breach, protecting the security of medical records, and compliance with HIPAA and HITECH, are relevant to a variety of businesses that provide services to the health-care industry. Greg will share his insights on how to protect your organization's data.
Learn more about Greg's expertise and experience at http://www.cozen.com/people/bios/fliszar-gregory.
To register for the event, go to http://www.cozen.com/events/2015/pact-cybersecurity-series-event.
Office of Civil Rights HIPAA Audits Preparing Your Clients and Yourself (PYA, P.C.)
PYA Consulting Manager Susan Thomas presented “Office of Civil Rights HIPAA Audits – Preparing Your Clients and Yourself” at The Florida Bar’s “Representing the Physician: It Is Harder Than It Looks” conference, February 3, 2017, in Orlando, Florida.
The presentation covered topics that include:
-The Health Information Technology for Economic and Clinical Health Act.
-Phase 1 audit privacy, security, and breach notification findings and lessons learned.
-Phase 2 audits: scope and recipient selection.
-HIPAA audit readiness and steps for preparing.
-Personal reflections from an OCR breach investigation.
-Audit resources for physician practices.
Leading your HIPAA Compliance Culture in 2016 (Lance King)
http://hcsiinc.com
Breaches happen every day! Why not prevent a breach from turning into a 90-day audit? This presentation helps you develop your HIPAA Privacy and HIPAA Security program.
If you are interested in help, note that many compliance companies are a hit-and-run operation. From day one and every quarter of the year, HCSI guides the compliance representative through the HIPAA process of preparing for an audit. The practice will have everything an auditor would need, so the audit takes minutes instead of days.
Use of the COBIT Security Baseline as a framework for an information security program at a large state agency. Presented at the 2005 MN Govt IT Symposium.
Business Associates: How to become HIPAA compliant, increase revenue, and gai... (Compliancy Group)
Since Omnibus started in 2013, Business Associates (BAs) have scrambled to understand and adhere to the federal regulation. Though Omnibus alone was a reason for business associates to become compliant, many realized that compliance could help differentiate their offerings, helping the company retain and acquire new clients. Compliance is helping many BAs open new revenue streams while increasing brand stickiness.
With the plethora of non-compliant Business Associates, Covered Entities are realizing that the best option for them is to choose a BA that is compliant to reduce their risk.
The increase level of awareness and training is also very important as is the culture impact of the CE’s environment. How you proceed to successfully train and change the culture depends on the choice of an external HIPAA-HITECH privacy and security auditor. Simply stated, your external auditor should possess the skills and knowledge to comprehensively evaluate all aspect of the HIPAA-HITECH impact on your practice. Upon completion of an audit each area should address its findings, impact and corrective action plan. The action plan should incorporate the training requirements and a training plan to address the specific requirements of each staff member’s relevance to their job function within the practice.
EHR meaningful use security risk assessment sample documentdata brackets
Under the HIPAA Privacy and Security Rule, business associates are required to perform active risk prevention and safeguarding of patient information that are very important to patient privacy. The HITECH act allows only minimum necessary to be disclosed when handling protected health information (PHI).
This security risk assessment exercise has been performed to support the requirements of the Department of Health and Human Services (HHS), Office for the Civil Rights (OCR) and other applicable state data privacy laws and regulations. Upon completion of this risk assessment, a detail risk management plan need to be developed based on the gaps identified from the risk analysis. The gaps identified and recommendations provided are based on the input provided by the staff, budget, scope and other practical considerations
Lessons from Equifax: Open Source Security & Data Privacy ComplianceBlack Duck by Synopsys
The Equifax breach provided a unique look into “how” many breaches occur. In Equifax’s case, hackers exploited an unpatched Apache Struts component, resulting in the exposure of over 140 million consumer records. The exploit of this vulnerability highlights the need for visibility to open source in custom applications and just how ineffective traditional security solutions are when it comes to open source vulnerabilities. Further, while class action lawsuits have already begun, Equifax faces other regulatory challenges as well. The US Federal Trade Commission started investigations into the company’s security policies and controls that will likely result in financial penalties. Since the exposed data included non-US citizens, foreign data protection and data privacy regulations also come into play. Join Mike Pittenger and Bob Canaway as they discuss how organizations can more effectively manage open source, the strengths and weaknesses of testing methodologies in identifying vulnerable open source components, and how data privacy standards such as PCI, Section 5 of the FTC Act, and GDPR necessitate a change in how organizations address vulnerabilities in their code.
Dental Compliance for Dentists and Business Associatesgppcpa
This presentation will discuss covered entities, protected health information (PHI) as it relates to dental practices and business associates of those practices.It will update you on major legislation relating to patient privacy laws and explain why PHI Information is important and the consequences for non-compliance with state and federal laws.
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?Shahid Shah
Technical discussion about service oriented architecture (SOA) and HIPAA compliant clouds. This talk was presented at the Object Management Group's (OMG) SOA in Healthcare working group in the Summer of 2011. It covered the following major topics:
* What does HIPAA mean in the cloud?
* Are cloud providers covered by HIPAA?
* Cloud safeguards that can meet HIPAA requirements
* Healthcare SOA In the cloud
Privacy and Security: Teamwork Required to Tackle Incident ResponseID Experts
Don’t you wish you had the right culture, resources and best practices to protect customer information and effectively respond when incidents occur? Increasing risk of financial and healthcare data breaches and fines, coupled with the complexities of complying with a patchwork of state and federal laws, is fueling the need for strong leadership, collaboration, innovative thinking and tools for incident response management.
In this web conference, CNO Financial Group Chief Privacy Officer Lisa Copp and Henry Ford Health System Chief Information Privacy and Security Officer Meredith Phillips, describe their governance structure as well as insights and risk-based practices that have made them successful in establishing a culture of compliance and strong collaboration among security and privacy teams.
To view the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/privacy-and-security-teamwork-required-to-tackle-incident-response/r-general
OCR Audits Are Coming – Is Your Organization Prepared?Polsinelli PC
OCR has finally launched its Phase 2 formal audits of Covered Entities (CEs) and Business Associates (BAs). The first step of an audit will consist of OCR reviewing a CE's policies, procedures, and processes for HIPAA Privacy, Security, and Breach Notification Compliance. If significant noncompliance is uncovered, OCR may probe further with an on-site inspection. Upon notice of an OCR audit, OCR will require CEs and BAs to produce their HIPAA policies, procedures, and other compliance documents within 10 days. If you wait until notice of an audit to shore up your HIPAA policies, procedures and compliance documents, it will be too late. All this occurs under the backdrop of dramatically increased HIPAA enforcement actions by OCR; in the first quarter of 2016 alone, OCR extracted settlements or imposed CMPs in six formal cases ranging from $125,000 to $3.9 million. That is as many settlements as OCR extracted in the entire year of 2015.
How are your HIPAA policies and procedures? Have you ever developed them? Can you find them? Will they pass an OCR review? Has your organization undergone a HIPAA Security Risk Analysis? Has it been updated? An ounce of HIPAA preparation now will save $100,000s in cure later. Polsinelli presents this webinar to explain what to expect from an OCR audit and how to prepare a "HIPAA audit binder" that will put you in a better position to respond to OCR if the agency should come knocking.
Get your Ducks in a Row - The OCR Audit Season is About to BeginID Experts
The HHS Office for Civil Rights has unveiled information about Phase 2 of its HIPAA audits. These audits will be conducted by OCR itself and will focus on high-risk areas and enforcement. Organizations may be hearing from OCR over this summer, with audits to begin in the fall. This webinar will overview some lessons learned from the first round of audits and highlight the changes and process for the next round. Phase 2’s additional focus on compliance with breach notification rule will be discussed. We also will provide some tips to prepare for the audits, which also will be helpful to prepare for any OCR investigation or compliance review.
To view the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/get-your-ducks-in-a-row-the-ocr-audit-season-is-about-to-begin/r-general
Preparing & Responding to an OCR HIPAA Audit (PYA, P.C.)
PYA Principal Barry Mathis presented “Preparing and Responding to an OCR HIPAA Audit” at the Association of Healthcare Internal Auditors (AHIA) 36th Annual Conference.
Areas of focus included:
Understanding the steps of an OCR HIPAA audit.
Learning methods for responding accurately and efficiently to audits.
Understanding how to assess ability to respond to, and identify gaps and weaknesses in, processes.
Discussing lessons learned from completed audits.
OCR Enforcement Update: Under 500 Breach Investigations and Inner Workings of... (Lauren Williams)
Over the past several years the Office for Civil Rights (OCR) has ramped up its enforcement of the HIPAA Privacy and Security Rules. Generally, such enforcement efforts have related to incidents that affected more than 500 individuals. In August of 2016, however, OCR announced that it would begin investigating self-reported HIPAA breaches affecting under 500 individuals. This initiative may lead to increased investigations at both covered entities and business associates.
On the webinar, two former OCR attorneys will discuss this new OCR initiative, as well as provide guidance and advice related to navigating OCR investigations, an explanation as to how the OCR settlement and resolution agreement process works, and tips for steps to take if your organization is presented with a dreaded resolution agreement. Please join us for discussion of recent OCR activity, under 500 breach investigation initiative, anatomy of an OCR investigation and settlement process, quick tips, and lessons learned.
Get information on the HIPAA Omnibus Rule and how the revised regulations will impact not only healthcare organizations but also covered entities and other IT providers - OConnor Davies - NYC CPA Firm.
Office of Civil Rights HIPAA Audits--Ready or Not, Here They Come (PYA, P.C.)
PYA Compliance Consulting Manager Susan Thomas presented “Office of Civil Rights HIPAA Audits--Ready or Not, Here They Come” at the Kansas Association of Local Health Departments Midyear Meeting.
Learning objectives included:
Understanding the Office of Civil Rights Health Information Technology for Economic and Clinical Health audit program.
Reviewing lessons learned from Phase 1 audits.
Discussing the scope and selection for Phase 2 audits.
Determining Health Insurance Portability and Accountability Act audit readiness.
Reviewing a breach investigation case study.
Considering additional resources.
The HIPAA Security Rule - An overview and preview for 2014, from Summit Security Group. Summit Security Group is a business partner to Resource One, managed IT services provider for over 15 years to small and mid-sized businesses in the Portland Metro and Southwest Washington area.
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'... (eringold)
Gregory Fliszar, J.D., Ph.D., of Cozen O'Connor will make this presentation on Friday, February 26, 2015, at a PhilaPACT (Greater Philadelphia Alliance for Capital Technologies) cybersecurity series event at Philadelphia Marriott West in West Conshohocken.
Greg Fliszar, a member of the Business Law Department and the Health Law Practice Group and the Privacy, Data & Cyber Security Industry Team, will present on the legal issues of cybersecurity and healthcare at this timely discussion. In the wake of the Anthem cyber breach, protecting the security of medical records, and compliance with HIPAA and HITECH, are relevant to a variety of businesses that provide services to the health-care industry. Greg will share his insights on how to protect your organization's data.
Learn more about Greg's expertise and experience at http://www.cozen.com/people/bios/fliszar-gregory.
To register for the event, go to http://www.cozen.com/events/2015/pact-cybersecurity-series-event.
Office of Civil Rights HIPAA Audits: Preparing Your Clients and Yourself (PYA, P.C.)
PYA Consulting Manager Susan Thomas presented “Office of Civil Rights HIPAA Audits – Preparing Your Clients and Yourself” at The Florida Bar’s “Representing the Physician: It Is Harder Than It Looks” conference, February 3, 2017, in Orlando, Florida.
The presentation covered topics that include:
The Health Information Technology for Economic and Clinical Health Act.
Phase 1 audit, privacy, security, and breach notification findings and lessons learned.
Phase 2 audits—scope and recipient selection.
HIPAA audit readiness and steps for preparing.
Personal reflections from an OCR breach investigation.
Audit resources for physician practices.
Leading Your HIPAA Compliance Culture in 2016 (Lance King)
http://hcsiinc.com
Breaches happen every day! Why not prevent having a breach turn into a 90 day audit? This presentation helps you develop your HIPAA Privacy and HIPAA Security program.
If you are interested in help, be aware that many compliance vendors are hit-and-run operations. From day one and every quarter of the year, HCSI guides the compliance representative through the HIPAA process of preparing for an audit. The practice will have everything an auditor would need, so the audit takes minutes instead of days.
Use of the COBIT Security Baseline as a framework for an information security program at a large state agency. Presented at the 2005 MN Govt IT Symposium.
Business Associates: How to become HIPAA compliant, increase revenue, and gai... (Compliancy Group)
Since the Omnibus Rule took effect in 2013, Business Associates (BAs) have scrambled to understand and adhere to the federal regulation. Though Omnibus alone was reason enough for BAs to become compliant, many realized that compliance could also differentiate their offerings and help them retain and acquire clients. Compliance is helping many BAs open new revenue streams while increasing brand stickiness.
With the plethora of non-compliant Business Associates, Covered Entities are realizing that the best option for them is to choose a BA that is compliant to reduce their risk.
The Hidden Dangers of Trying to ‘Do the Right Thing:’ A Practical Look at Aud... (PYA, P.C.)
PYA Principal Denise Hall and Michelle Calloway of Hancock, Daniel, Johnson & Nagle, P.C., copresented at the 2013 American Health Lawyers Association/Health Care Compliance Association Fraud & Compliance Forum in Baltimore. They addressed “The Hidden Dangers of Trying to ‘Do the Right Thing:’ A Practical Look at Auditing, Monitoring and Investigation Pitfalls.” The presentation covered best practices for investigating reported compliance concerns, compliance auditing techniques, repayment practices, and corrective action implementation and monitoring procedures.
Redspin & Phyllis and Associates Webinar - HIPAA, HITECH, Meaningful Use, IT Security (Redspin, Inc.)
Slides from our 1/20/2011 webinar - HIPAA & HITECH Requirements, Compliance, Meaningful Use, and IT security assessments...we know it’s confusing!
Let’s focus on what you need to know!
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Associates and Covered Entities
1. HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Associates and Covered Entities
Lisa Acevedo | Shareholder, Polsinelli PC
Erin Fleming Dunlap | Shareholder, Polsinelli PC
Katie Kenney | Associate, Polsinelli PC
David Holtzman | Vice President, CynergisTek, Inc.
2. Agenda
Current HIPAA Enforcement Landscape
OCR Audit Structure and Status Update
OCR Document Request List: Areas of Focus
The Importance of Up-To-Date Security Risk Analysis
How to Build Your "HIPAA Audit Binder"
Audit Scope for Security Rule Compliance
How to Prepare for Security Rule Component of the OCR Audit
Key Takeaways/Recommendations
3. Current Government Enforcement Landscape
Enforcement is on the rise!!
– In 2015, OCR settled 6 cases ranging from $125,000 to $3.5
million per settlement
– In 2016, OCR has already settled 9 cases and successfully
imposed civil monetary penalties in 1 case ranging from
$25,000 to $5.55 million
OCR has taken heat in the past for its “toothless” enforcement
efforts, but a whole new era has clearly arrived
4. Importance of Enforcement Actions to Audit Process
There are themes and trends in the
underlying conduct
– OCR will be looking for these vulnerabilities
when reviewing your documents
– Even if you have not been selected for a Phase 2
audit, the lessons learned from these
settlements are invaluable
• For future breach avoidance
• For future audit preparation
5. Recent Settlements/Enforcement Actions
Advocate Health Care – August 2016
Largest settlement to date – $5.55 million; involved multiple
violations OCR uncovered while investigating 3 separate breach
incidents Advocate submitted in 2013
The combined breaches affected approximately 4 million
individuals
Key issues included but are not limited to failure to: conduct an
accurate and thorough Risk Analysis; implement policies and
procedures and facility access controls; and obtain satisfactory
assurances through a BAA
6. Recent Settlements/Enforcement Actions
University of Mississippi Medical Center (UMMC) – July 2016
Agreed to settle with OCR for $2.75 million; involved multiple
violations of HIPAA that OCR uncovered while investigating a
breach involving a missing, unencrypted laptop
OCR noted that during the investigation the agency
discovered that UMMC was aware of risks and vulnerabilities
to its systems as far back as 2005 but no significant risk
management plan was implemented
7. Recent Settlements/Enforcement Actions
Oregon Health & Science University (OHSU) – July 2016
Agreed to settle with OCR for $2.7 million; OHSU submitted
multiple breach reports affecting thousands of individuals,
including two reports involving unencrypted laptops and
another large breach involving a stolen unencrypted thumb
drive
During the investigation, OCR uncovered, among other
issues, that OHSU stored sensitive patient information in
the cloud without a BAA in place
8. Recent Settlements/Enforcement Actions
Raleigh Orthopedic Clinic, PA (Apr 2016)
– Notified OCR of a breach after releasing x-ray films and
related PHI of 17,300 patients to a vendor to transfer the
images to electronic media in exchange for harvesting the
silver from the x-ray film
– OCR found that Raleigh Orthopedic Clinic failed to execute a
business associate agreement with the vendor prior to
turning over PHI
– agreed to pay $750,000 and adopt a corrective action plan
(CAP) to correct deficiencies in its HIPAA compliance
program
9. Recent Settlements/Enforcement Actions
Feinstein Institute for Medical Research (March 2016)
– Notified OCR of the theft of an unencrypted laptop from an
employee’s car – laptop contained ePHI of approximately
13,000 patients and research participants
– Agreed to pay $3.9 million and adopt a corrective action
plan (CAP)
– Key compliance issues included: insufficient security
management process; insufficient policies and procedures;
and failure to implement safeguards to restrict access to
unauthorized users
10. Breaches Involving Hacking Incidents
Anthem
– Almost 80 million individuals affected
– Cyber-attackers accessed social security numbers, medical ID numbers,
names, addresses and birth dates
Premera Blue Cross
– 11 million individuals affected
– Discovered in January 2015 that hackers had been accessing PHI since
May 2014
Community Health Systems
– Estimated 4.5 million individuals affected
– Hacker in China bypassed CHS’ security measures and accessed patient
names, addresses, birthdates, telephone numbers and social security
numbers
11. OCR HIPAA Audit Structure
Scope of Auditees
• Covered Entities and Business Associates
Type of Audit
• “Desk” audits first
» Conducted via document requests
• Onsite audits to follow
12. Status of HIPAA Audit Program
Phase 2 Audits:
– Desk audits of Covered Entities have already begun
– Desk audits of Business Associates will begin in the fall
• OCR has submitted the document request list to Covered Entity auditees
– http://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf
13. Focus of Phase 2 Audits
Areas of focus for desk audits
• Covered Entity Document Request List:
1. Security risk analysis and risk management
2. Notice of Privacy Practices
3. Breach Notification letters-content and timeliness
4. Individual’s Right to Access PHI
– OCR Audit Protocol
• Updated protocol published on OCR’s website
Areas of focus for onsite audits
• Intended to be more comprehensive than desk audit
14. Audit Timeline
Phase 2 Audits:
– Timeline
• Desk audits: 10 days to respond!
– Responsive documents must be submitted electronically
via OCR secure portal
– Auditors will send draft findings and you have 10 days to
provide written comments to the draft report
– Final report due back from auditors within 30 business
days
– All Phase 2 desk audits are scheduled to be concluded
by December 2016
15. Onsite Audit Timeline and Impact
To be Conducted Onsite over 3 to 5 Business Days
– Auditors will send draft findings and you have 10 days to
provide written comments to the draft report
• Final report due back from auditors within 30
business days
Impact
– OCR has reserved the right to initiate a compliance
review against an audited entity if the audit uncovers a
serious compliance issue
16. Key Desk Audit Documents
Up-to-Date Security Risk Analysis
– This is the foundation of your HIPAA Security Rule
program
• Phase 1 identified significant non-compliance
• Failure to do so was key contributing factor to many of
the large breaches and enforcement actions
– OCR is requesting specific documents, not just
policies and procedures
• Key FAQs
17. Key Desk Audit Documents
Risk Management Plan
– This is your plan to address vulnerabilities found
in risk analysis
• OCR is requesting specific documents, not just
policies and procedures
– Key FAQs
18. Risk Analysis Documentation Tool
Critical to Review Your Documentation!
– Ideally, the documentation should be easy for
an auditor to review, understand and map to
the Security Rule requirements
• Examples of less effective documentation
• Double check focus of reports created by third
parties
We can help!
19. Key Desk Audit Documents
Patient Right to Access
• OCR is requesting policies and procedures, PLUS:
– Documentation related to 5 access requests and
documentation related to 5 access requests
where the time to respond was extended
– Template access request form
» If you are using HIPAA authorization forms for access requests, you need to change that process
» Key FAQs
20. Key Desk Audit Documents
Notice of Privacy Practices
– Check NPPs to verify that they contain all
required elements
– Make sure that your website prominently posts
the NPP
– Documentation requested related to electronic
provision of the NPP
• Key FAQs
21. Key Desk Audit Documents
Breach Notification
– Ensure letters to affected individuals meet the
content and timeliness requirements
– Must produce documentation related to
notification of 5 breaches involving under 500
and 5 breaches involving 500 or more affected
patients
• Key FAQs
22. Preparing for an Onsite Audit
More Comprehensive
– Review the OCR Audit Protocol – be prepared to
produce representative samples to demonstrate
compliance
– Prepare as if you will be selected for an onsite audit
• Preparation is time-consuming
• You do not want to have staff running around looking
for documents while the auditors are onsite
• Build your HIPAA Audit Binder!
23. Building Your HIPAA Audit Binder
Organization is key – make it as easy as possible for
OCR/contractor to review your documentation
Be prepared to produce policies and procedures
but also key forms and representative samples
Ensure updates to documentation are apparent
(particularly with regard to risk analysis)
24. Key Takeaways/Recommendations
• Confirm with IT that you have recently performed and
documented an accurate and thorough risk analysis and risk
mitigation plan
• Encrypt!! Especially mobile devices!! If PHI is not encrypted, ensure you have the appropriate documentation specifying the equivalent alternative measures in place.
• Review and organize your policies and procedures, BAAs, and
other key documentation
• Train and re-train your employees
• Prepare for an onsite audit.
• Valuable even if your organization is never selected. Will help decrease
risk of breaches and complaints
• Learn from mistakes of other organizations and use as teaching
opportunities
25. Key Takeaways/Recommendations
***Keep in mind OCR Audit Program is a Permanent
Program
• Not being selected this year, allows you some time to
conduct a comprehensive evaluation of your
organization’s HIPAA compliance program to prepare for
the next round of audits
• Preparation is ultimately worthwhile and cost effective
because it will help improve your compliance program
and decrease risk of costly breaches
26. Questions?
Feel free to contact us for more information:
– Lisa Acevedo lacevedo@polsinelli.com
– Erin Fleming Dunlap edunlap@polsinelli.com
– Katie Kenney: kdkenney@polsinelli.com
28. OCR HIPAA Audit Program: What You Need to Know Now
Presented by: David Holtzman, VP, Compliance Strategies
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com cynergistek.com @CynergisTek
29. CynergisTek, Inc.
Synergistic: The name “CynergisTek” came from the synergy realized by combining the expertise of the two co-founders – building scalable, mature information security programs and architecting enterprise technical solutions.
Founded in 2004: CynergisTek has been providing services to our clients since 2004, but many of our clients have been with one or both of the founders since well before the company was founded.
Securing the Mission of Care: CynergisTek services are specifically geared to address the needs of the healthcare community, including providers, payers, and their business associates who provide services into those entities.
Consulting Services: CynergisTek provides consulting services and solutions around information security, privacy, IT architecture, and audit, with specific focus on regulatory compliance in healthcare.
30. Today’s Presenter: David Holtzman, CynergisTek, Inc.
• Vice President of Compliance Strategies, CynergisTek, Inc.
• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules
• Experienced in developing, implementing and evaluating health information privacy and security compliance programs
• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights
31. Audit Scope for Security Rule Compliance
32. What Are OCR Audits Reviewing?
Desk Audits
• Security Management Process Standard
• Policies and performance of Information Security Risk Analysis
• Policies and performance of Information Security Risk Management Plan
Onsite Audits
• Device and media controls
• Transmission security
• Encryption of data at rest
• Facility access controls
Other Areas
• Administrative and physical safeguards
• Workforce training to HIPAA policies & procedures
• High risk areas identified through the Pilot Audit Program performed in 2012 and through breach reports submitted to OCR
33. OCR Desk Audit Document Request
• Copy of current information security risk analysis and a prior risk analysis.
• Documentation related to the implementation of the risk analysis and security review process; how it is available to the workforce members who are responsible for carrying out the risk analysis; and that the procedures are periodically reviewed and updated when needed.
• Documentation demonstrating that policies and procedures related to implementation of the risk analysis have been in place, including any revisions, for the prior 6 years.
• Documentation demonstrating the security measures implemented to reduce the risks identified in the current risk analysis or assessment, and in the prior calendar year.
• Documentation from 2015 demonstrating the implementation of the risk management process; how it is available to the workforce members who are responsible for carrying out the risk management process; and that the procedures are periodically reviewed and updated when needed.
34. Desk Audit Protocol: Risk Analysis
Documentation requested: Upload documentation of current risk analysis results.
What should be submitted: Provide the report of the most recent Risk Analysis performed by the organization.
Documentation requested: Upload documentation demonstrating that policies and procedures related to implementation of risk analysis are in place and any revisions for the prior 6 years.
What should be submitted: Provide copies of current and prior versions of risk analysis policies and procedures from 2010 to 2016. Ensure that the policies and procedures support an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI the organization creates, receives, maintains or transmits.
Documentation requested: Upload policies and procedures regarding the entity’s risk analysis process.
What should be submitted: Provide the current policy and procedure on how the risk analysis is performed.
Documentation requested: Upload documentation of the risk analysis and the most recently conducted prior risk analysis.
What should be submitted: Provide the risk analysis completed prior to the 2015 Risk Analysis, as well as accompanying documentation of an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI the organization creates, receives, maintains or transmits.
35. Desk Audit Protocol: Risk Management
Documentation requested: Upload documentation demonstrating the security measures implemented to reduce the risks as a result of the current risk analysis or assessment.
What should be submitted: Provide documentation that the organization has implemented or has plans to implement administrative, physical or technical controls to reduce risks and vulnerabilities identified in the current risk analysis.
Documentation requested: Upload documentation demonstrating that policies and procedures related to implementing risk management processes have been in place and in force for the prior 6 years.
What should be submitted: Provide documentation of current and prior versions of risk management policies and procedures from 2010 to 2016. These policies and procedures should identify how risk is managed, what the organization considers an acceptable level of risk in its management program, the frequency of reviewing ongoing risks, and the workforce members who are assigned a role in the risk management process.
Documentation requested: Upload documentation demonstrating the efforts used to manage risks from the previous calendar year.
What should be submitted: Provide documentation for the 2015 calendar year of the actions the organization took, or had plans to take, to implement administrative, physical or technical controls to reduce risks and vulnerabilities identified in its risk analysis.
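The risk analysis and risk management protocol items above translate directly into a mock-audit checklist: for each request, can the organization produce a dated document that satisfies it? The following is an added example, not code from the deck, from CynergisTek or from OCR. It encodes those requests as checks over an inventory of evidence documents and returns the requests that could not be satisfied. The evidence inventory is constructed sample data, and the document "kind" labels and the one-year currency threshold for the latest risk analysis are this script's own assumptions.

```python
"""Mock desk-audit readiness check for the risk analysis and risk management
document requests summarised on the slides.

Added illustration, not part of the deck or of OCR's protocol. Each protocol
item becomes a check over an inventory of dated evidence documents, and the
output is the list of requests the organisation could not satisfy. The
inventory is constructed sample data; the 'kind' labels and the one-year
currency threshold are this script's assumptions.
"""
from datetime import date


def _of_kind(evidence, kind):
    """Documents of one kind, oldest first."""
    return sorted((e for e in evidence if e["kind"] == kind), key=lambda e: e["date"])


def _check_policy_history(evidence, kind, audit_year):
    """Policy in place, with every revision retained, for the prior 6 years
    (the slide asks for versions from 2010 to 2016 for a 2016 audit)."""
    versions = _of_kind(evidence, kind)
    if not versions:
        return [f"no {kind} on file"]
    window_start = date(audit_year - 6, 1, 1)
    if versions[0]["date"] > window_start:
        return [f"{kind} history only reaches back to {versions[0]['date']}; "
                f"versions since {window_start} are required"]
    return []


def check_risk_analysis(evidence, audit_year):
    """Current results, the prior analysis, and six years of policy history."""
    findings = []
    analyses = _of_kind(evidence, "risk_analysis")
    if not analyses:
        findings.append("no risk analysis report on file")
    elif len(analyses) < 2:
        findings.append("only one risk analysis on file; the prior analysis is also requested")
    # Assumed currency threshold: a report older than the previous calendar year is stale.
    if analyses and analyses[-1]["date"].year < audit_year - 1:
        findings.append(f"most recent risk analysis dated {analyses[-1]['date']} is not current")
    return findings + _check_policy_history(evidence, "risk_analysis_policy", audit_year)


def check_risk_management(evidence, audit_year):
    """Measures taken on the current analysis, last year's actions, and policy history."""
    findings = []
    actions = _of_kind(evidence, "risk_mgmt_action")
    analyses = _of_kind(evidence, "risk_analysis")
    if analyses and not any(a["date"] >= analyses[-1]["date"] for a in actions):
        findings.append("no security measures implemented or planned since the current risk analysis")
    prior_year = audit_year - 1
    if not any(a["date"].year == prior_year for a in actions):
        findings.append(f"no documented risk management actions for calendar year {prior_year}")
    return findings + _check_policy_history(evidence, "risk_mgmt_policy", audit_year)


def desk_audit_readiness(evidence, audit_year):
    """Everything the desk audit would ask for that this inventory cannot produce."""
    return check_risk_analysis(evidence, audit_year) + check_risk_management(evidence, audit_year)


# Constructed sample inventory for a 2016 desk audit (not real documents).
SAMPLE_EVIDENCE = [
    {"kind": "risk_analysis", "date": date(2012, 6, 1), "title": "Enterprise risk analysis v1"},
    {"kind": "risk_analysis", "date": date(2015, 11, 30), "title": "Enterprise risk analysis v2"},
    {"kind": "risk_analysis_policy", "date": date(2009, 7, 15), "title": "Risk analysis policy v1"},
    {"kind": "risk_analysis_policy", "date": date(2013, 9, 1), "title": "Risk analysis policy v2"},
    {"kind": "risk_mgmt_policy", "date": date(2014, 3, 1), "title": "Risk management policy v1"},
    {"kind": "risk_mgmt_action", "date": date(2015, 4, 10), "title": "Laptop encryption rollout"},
    {"kind": "risk_mgmt_action", "date": date(2016, 1, 20), "title": "Remediation plan for v2 findings"},
]

if __name__ == "__main__":
    for finding in desk_audit_readiness(SAMPLE_EVIDENCE, 2016) or ["ready: nothing missing"]:
        print("-", finding)
```

Run against the sample inventory, the only gap is the risk management policy: its earliest retained version dates from 2014, so the organization cannot show it was in place and in force for the full six-year window the protocol asks about. That is exactly the kind of finding a mock audit should surface before OCR's 10-day clock starts.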
36. Preparing for an OCR Audit
37. Where Do We Start? Risk Assessment…
Credit: http://dilbert.com/strips/comic/1997-11-08/
• An assessment of threats and vulnerabilities to information systems that handle e-PHI.
• This provides the starting point for determining what is ‘appropriate’ and ‘reasonable’.
• Organizations determine their own technology and administrative choices to mitigate their risks.
• The risk analysis process should be ongoing and repeated as needed when the organization experiences changes in technology or operating environment.
Information Security Risk Assessment
Performing a Risk Analysis
Phases: Gather Information → Analyze Information → Develop Remedial Plans
• Prepare inventory lists of information assets: data, hardware and software.
• Determine potential threats to information assets.
• Identify organizational and information system vulnerabilities.
• Document existing security controls and processes.
• Evaluate and measure risks associated with information assets.
• Rank information assets based on asset criticality and business value.
• Develop and analyze multiple potential threat scenarios.
• Prioritize potential threats based on importance and criticality.
• Develop remedial plans to combat potential threat scenarios.
• Repeat risk analysis to evaluate success of remediation and when there are changes in technology or operating environment.
• Prepare a plan to perform mock audits
• Use OCR’s 2016 Phase 2 HIPAA Audit Protocol
• Replicate what documentation would be required under audit conditions and the timelines for production
• Use the results from your audit to develop a work plan for policies and processes that should be reviewed or updated
Build an Audit Tool Kit
• Requirements for listing business associates
– http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html
• OCR’s 2016 Audit Protocol
– http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
Prepare for OCR Audit
• Desk Audit Protocol & Document Request List
http://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf
• OCR Desk Audit Introduction Webinar
http://www.hhs.gov/sites/default/files/OCRDeskAuditOpeningMeetingWebinar.pdf
Use OCR Desk Audit Protocol As Guide
Section/Key Activity: §164.308(a)(1)(ii)(A) Security Management Process - Risk Analysis

Established Performance Criteria: A covered entity or business associate must, in accordance with 164.306: (1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations.

Audit Inquiry:
Does the entity have written policies and procedures in place to prevent, detect, contain and correct security violations?
Does the entity prevent, detect, contain and correct security violations?
Obtain and review policies and procedures related to security violations. Evaluate the content relative to the specified performance criteria for countermeasures or safeguards implemented to prevent, detect, contain and correct security violations.
Obtain and review documentation demonstrating that policies and procedures have been implemented to prevent, detect, contain and correct security violations. Evaluate and determine if the process used is in accordance with related policies and procedures.
Obtain and review documentation of security violations and remediation actions. Evaluate and determine if security violations were handled in accordance with the related policies and procedures; safeguards or countermeasures to prevent violations from occurring; identify and characterize violations as they happen; limit the extent of any damages caused by violations; have a corrective action plan in place to manage risk.
Example: Security Management Process
Key Activity: §164.312(a)(2)(iv) Access Control -- Encryption and Decryption (A)

Established Performance Criteria: Implement a mechanism to encrypt and decrypt electronic protected health information.

Audit Inquiry:
Does the entity have policies and procedures in place to encrypt and decrypt ePHI, including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?
Does the entity encrypt and decrypt ePHI, including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?
Obtain and review the policies and procedures regarding the encryption and decryption of ePHI. Evaluate the content relative to the specified criteria to determine that the implementation and use of encryption appropriately protects ePHI.
Obtain and review documentation demonstrating ePHI being encrypted and decrypted. Evaluate and determine if ePHI is encrypted and decrypted in accordance with related policies and procedures.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Example: Encryption and Decryption
Questions?
David Holtzman
david.holtzman@cynergistek.com
512.405.8550 x7020
@HITPrivacy