HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Associates and Covered Entities
Lisa Acevedo | Shareholder, Polsinelli PC
Erin Fleming Dunlap | Shareholder, Polsinelli PC
Katie Kenney | Associate, Polsinelli PC
David Holtzman | Vice President, CynergisTek, Inc.
Agenda
• Current HIPAA Enforcement Landscape
• OCR Audit Structure and Status Update
• OCR Document Request List: Areas of Focus
• The Importance of Up-To-Date Security Risk Analysis
• How to Build Your "HIPAA Audit Binder"
• Audit Scope for Security Rule Compliance
• How to Prepare for Security Rule Component of the OCR Audit
• Key Takeaways/Recommendations
Current Government Enforcement Landscape
• Enforcement is on the rise!
  – In 2015, OCR settled 6 cases ranging from $125,000 to $3.5 million per settlement
  – In 2016, OCR has already settled 9 cases and successfully imposed civil monetary penalties in 1 case, ranging from $25,000 to $5.55 million
• OCR has taken heat in the past for its "toothless" enforcement efforts, but a whole new era has clearly arrived
Importance of Enforcement Actions to Audit Process
• There are themes and trends in the underlying conduct
  – OCR will be looking for these vulnerabilities when reviewing your documents
  – Even if you have not been selected for a Phase 2 audit, the lessons learned from these settlements are invaluable
    » For future breach avoidance
    » For future audit preparation
Recent Settlements/Enforcement Actions
• Advocate Health Care – August 2016
  – Largest settlement to date – $5.55 million; involved multiple violations OCR uncovered while investigating 3 separate breach incidents Advocate submitted in 2013
  – The combined breaches affected approximately 4 million individuals
  – Key issues included, but are not limited to, failure to: conduct an accurate and thorough Risk Analysis; implement policies and procedures and facility access controls; and obtain satisfactory assurances through a BAA
Recent Settlements/Enforcement Actions
• University of Mississippi Medical Center (UMMC) – July 2016
  – Agreed to settle with OCR for $2.75 million; involved multiple violations of HIPAA that OCR uncovered while investigating a breach involving a missing, unencrypted laptop
  – OCR noted that during the investigation the agency discovered that UMMC was aware of risks and vulnerabilities to its systems as far back as 2005, but no significant risk management plan was implemented
Recent Settlements/Enforcement Actions
• Oregon Health & Science University (OHSU) – July 2016
  – Agreed to settle with OCR for $2.7 million; OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive
  – During the investigation, OCR uncovered, among other issues, that OHSU stored sensitive patient information in the cloud without a BAA in place
Recent Settlements/Enforcement Actions
• Raleigh Orthopedic Clinic, PA (Apr 2016)
  – Notified OCR of a breach after releasing x-ray films and related PHI of 17,300 patients to a vendor to transfer the images to electronic media in exchange for harvesting the silver from the x-ray film
  – OCR found that Raleigh Orthopedic Clinic failed to execute a business associate agreement with the vendor prior to turning over PHI
  – Agreed to pay $750,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
Recent Settlements/Enforcement Actions
• Feinstein Institute for Medical Research (March 2016)
  – Notified OCR of the theft of an unencrypted laptop from an employee's car – the laptop contained ePHI of approximately 13,000 patients and research participants
  – Agreed to pay $3.9 million and adopt a corrective action plan (CAP)
  – Key compliance issues included: insufficient security management process; insufficient policies and procedures; and failure to implement safeguards to restrict access by unauthorized users
Breaches Involving Hacking Incidents
• Anthem
  – Almost 80 million individuals affected
  – Cyber-attackers accessed social security numbers, medical ID numbers, names, addresses and birth dates
• Premera Blue Cross
  – 11 million individuals affected
  – Discovered in January 2015 that hackers had been accessing PHI since May 2014
• Community Health Systems
  – Estimated 4.5 million individuals affected
  – Hacker in China bypassed CHS' security measures and accessed patient names, addresses, birthdates, telephone numbers and social security numbers
OCR HIPAA Audit Structure
• Scope of Auditees
  – Covered Entities and Business Associates
• Type of Audit
  – "Desk" audits first
    » Conducted via document requests
  – Onsite audits to follow
Status of HIPAA Audit Program
• Phase 2 Audits:
  – Desk audits of Covered Entities have already begun
  – Desk audits of Business Associates will begin in the fall
  – OCR has submitted the document request list to Covered Entity auditees: http://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf
Focus of Phase 2 Audits
• Areas of focus for desk audits
  – Covered Entity Document Request List:
    1. Security risk analysis and risk management
    2. Notice of Privacy Practices
    3. Breach Notification letters – content and timeliness
    4. Individual's Right to Access PHI
  – OCR Audit Protocol: updated protocol published on OCR's website
• Areas of focus for onsite audits
  – Intended to be more comprehensive than the desk audit
Audit Timeline
• Phase 2 Audits – Timeline
  – Desk audits: 10 days to respond!
    » Responsive documents must be submitted electronically via the OCR secure portal
    » Auditors will send draft findings and you have 10 days to provide written comments on the draft report
    » Final report due back from auditors within 30 business days
  – All Phase 2 desk audits are scheduled to be concluded by December 2016
Onsite Audit Timeline and Impact
• To be conducted onsite over 3 to 5 business days
  – Auditors will send draft findings and you have 10 days to provide written comments on the draft report
  – Final report due back from auditors within 30 business days
• Impact
  – OCR has reserved the right to initiate a compliance review against an audited entity if the audit uncovers a serious compliance issue
Key Desk Audit Documents
• Up-to-Date Security Risk Analysis
  – This is the foundation of your HIPAA Security Rule program
    » Phase 1 identified significant non-compliance
    » Failure to perform one was a key contributing factor in many of the large breaches and enforcement actions
  – OCR is requesting specific documents, not just policies and procedures
  – Key FAQs
Key Desk Audit Documents
• Risk Management Plan
  – This is your plan to address vulnerabilities found in the risk analysis
  – OCR is requesting specific documents, not just policies and procedures
  – Key FAQs
Risk Analysis Documentation Tool
• Critical to review your documentation!
  – Ideally, the documentation should be easy for an auditor to review, understand and map to the Security Rule requirements
  – Examples of less effective documentation
  – Double check the focus of reports created by third parties
• We can help!
Key Desk Audit Documents
• Patient Right to Access
  – OCR is requesting policies and procedures, PLUS:
    » Documentation related to 5 access requests, and documentation related to 5 access requests where the time to respond was extended
    » Template access request form
      – If you are using HIPAA authorization forms for access requests, you need to change that process
    » Key FAQs
Key Desk Audit Documents
• Notice of Privacy Practices
  – Check NPPs to verify that they contain all required elements
  – Make sure that your website prominently posts the NPP
  – Documentation requested related to electronic provision of the NPP
  – Key FAQs
Key Desk Audit Documents
• Breach Notification
  – Ensure letters to affected individuals meet the content and timeliness requirements
  – Must produce documentation related to notification of 5 breaches involving under 500 and 5 breaches involving 500 or more affected patients
  – Key FAQs
Preparing for an Onsite Audit
• More comprehensive
  – Review the OCR Audit Protocol – be prepared to produce representative samples to demonstrate compliance
  – Prepare as if you will be selected for an onsite audit
    » Preparation is time-consuming
    » You do not want to have staff running around looking for documents while the auditors are onsite
    » Build your HIPAA Audit Binder!
Building Your HIPAA Audit Binder
• Organization is key – make it as easy as possible for OCR/contractor to review your documentation
• Be prepared to produce policies and procedures, but also key forms and representative samples
• Ensure updates to documentation are apparent (particularly with regard to risk analysis)
Key Takeaways/Recommendations
• Confirm with IT that you have recently performed and documented an accurate and thorough risk analysis and risk mitigation plan
• Encrypt! Especially mobile devices! If PHI is not encrypted, ensure you have the appropriate documentation in place specifying the equivalent alternative measures in place
• Review and organize your policies and procedures, BAAs, and other key documentation
• Train and re-train your employees
• Prepare for an onsite audit
  – Valuable even if your organization is never selected; it will help decrease the risk of breaches and complaints
• Learn from the mistakes of other organizations and use them as teaching opportunities
Key Takeaways/Recommendations
• Keep in mind that the OCR Audit Program is a permanent program
  – Not being selected this year allows you some time to conduct a comprehensive evaluation of your organization's HIPAA compliance program to prepare for the next round of audits
  – Preparation is ultimately worthwhile and cost effective because it will help improve your compliance program and decrease the risk of costly breaches
Questions?
• Feel free to contact us for more information:
  – Lisa Acevedo: lacevedo@polsinelli.com
  – Erin Fleming Dunlap: edunlap@polsinelli.com
  – Katie Kenney: kdkenney@polsinelli.com
real challenges. real answers. sm
Polsinelli provides this material for informational purposes only. The material
provided herein is general and is not intended to be legal advice. Nothing herein
should be relied upon or used without consulting a lawyer to consider your specific
circumstances, possible changes to applicable laws, rules and regulations and other
legal issues. Receipt of this material does not establish an attorney-client
relationship.
Polsinelli is very proud of the results we obtain for our clients, but you should know
that past results do not guarantee future results; that every case is different and
must be judged on its own merits; and that the choice of a lawyer is an important
decision and should not be based solely upon advertisements.
© 2016 Polsinelli PC. In California, Polsinelli LLP.
Polsinelli is a registered mark of Polsinelli PC
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com cynergistek.com @CynergisTek
OCR HIPAA Audit Program:
What You Need to Know Now
Presented by:
David Holtzman
VP, Compliance Strategies
Synergistic
The name “CynergisTek” came from the
synergy realized by combining the
expertise of the two co-founders –
building scalable, mature information
security programs and architecting
enterprise technical solutions.
Founded in 2004
CynergisTek has been providing services
to our clients since 2004, but many
of our clients have been with one or
both of the founders since well before
the company was founded.
Securing the Mission of Care
CynergisTek Services are specifically
geared to address the needs of the
healthcare community including
providers, payers, and their business
associates who provide services into
those entities.
Consulting Services
CynergisTek provides consulting services
and solutions around information
security, privacy, IT architecture, and
audit with specific focus on regulatory
compliance in healthcare.
CynergisTek, Inc.
Today's Presenter
David Holtzman, CynergisTek, Inc.
• Vice President of Compliance Strategies, CynergisTek, Inc.
• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules
• Experienced in developing, implementing and evaluating health information privacy and security compliance programs
• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights
Audit Scope for Security Rule Compliance
What Are OCR Audits Reviewing?
Desk Audits
• Security Management Process Standard
• Policies and performance of Information Security Risk Analysis
• Policies and performance of Information Security Risk Management Plan
Onsite Audits
• Device and media controls
• Transmission security
• Encryption of data at rest
• Facility access controls
Other Areas
• Administrative and physical safeguards
• Workforce training on HIPAA policies & procedures
• High-risk areas identified through:
  – Pilot Audit Program performed in 2012
  – Breach reports submitted to OCR
OCR Desk Audit Document Request
• Copy of the current information security risk analysis and a prior risk analysis.
• Documentation related to the implementation of the risk analysis and security review process; how it is available to the workforce members who are responsible for carrying out the risk analysis; and that the procedures are periodically reviewed and updated when needed.
• Documentation demonstrating that policies and procedures related to implementation of the risk analysis have been in place for the prior 6 years.
• Documentation demonstrating the security measures implemented to reduce the risks identified in the current risk analysis or assessment, and those implemented in the prior calendar year.
• Documentation from 2015 demonstrating the implementation of the risk management process; how it is available to the workforce members who are responsible for carrying out the risk management process; and that the procedures are periodically reviewed and updated when needed.
Desk Audit Protocol: Risk Analysis

Documentation requested: Upload documentation of current risk analysis results.
What should be submitted: Provide the report of the most recent Risk Analysis performed by the organization.

Documentation requested: Upload documentation demonstrating that policies and procedures related to implementation of risk analysis are in place, and any revisions for the prior 6 years.
What should be submitted: Provide copies of current and prior versions of risk analysis policies and procedures from 2010 to 2016. Ensure that the policies and procedures support an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI the organization creates, receives, maintains or transmits.

Documentation requested: Upload policies and procedures regarding the entity's risk analysis process.
What should be submitted: Provide the current policy and procedure on how the risk analysis is performed.

Documentation requested: Upload documentation of the risk analysis and the most recently conducted prior risk analysis.
What should be submitted: Provide the risk analysis completed prior to the 2015 Risk Analysis, as well as accompanying documentation of an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI the organization creates, receives, maintains or transmits.
Desk Audit Protocol: Risk Management

Documentation requested: Upload documentation demonstrating the security measures implemented to reduce the risks as a result of the current risk analysis or assessment.
What should be submitted: Provide documentation that the organization has implemented, or has plans to implement, administrative, physical or technical controls to reduce risks and vulnerabilities identified in the current risk analysis.

Documentation requested: Upload documentation demonstrating that policies and procedures related to implementing risk management processes have been in place and in force for the prior 6 years.
What should be submitted: Provide documentation of current and prior versions of risk management policies and procedures from 2010 to 2016. These policies and procedures should identify how risk is managed, what the organization considers an acceptable level of risk in its management program, the frequency of reviewing ongoing risks, and the workforce members who are assigned a role in the risk management process.

Documentation requested: Upload documentation demonstrating the efforts used to manage risks from the previous calendar year.
What should be submitted: Provide documentation for the 2015 calendar year of the actions the organization took, or had plans to take, to implement administrative, physical or technical controls to reduce risks and vulnerabilities identified in its risk analysis.
Preparing for an OCR Audit
Where Do We Start? Risk Assessment…
Credit: http://dilbert.com/strips/comic/1997-11-08/
Information Security Risk Assessment
• An assessment of threats and vulnerabilities to information systems that handle e-PHI.
• This provides the starting point for determining what is 'appropriate' and 'reasonable'.
• Organizations determine their own technology and administrative choices to mitigate their risks.
• The risk analysis process should be ongoing and repeated as needed when the organization experiences changes in technology or operating environment.
Performing a Risk Analysis
Gather Information
• Prepare inventory lists of information assets – data, hardware and software.
• Determine potential threats to information assets.
• Identify organizational and information system vulnerabilities.
• Document existing security controls and processes.
Analyze Information
• Evaluate and measure risks associated with information assets.
• Rank information assets based on asset criticality and business value.
• Develop and analyze multiple potential threat scenarios.
• Prioritize potential threats based on importance and criticality.
Develop Remedial Plans
• Develop remedial plans to combat potential threat scenarios.
• Repeat the risk analysis to evaluate the success of remediation and when there are changes in technology or operating environment.
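The three phases above (gather, analyze, develop remedial plans, then repeat) are easier to keep auditable when the register is a structured artifact rather than a narrative document. The following is an added example written for this page, not a tool from OCR, HHS, Polsinelli or CynergisTek: a minimal risk register that inventories assets, threats and existing controls, scores inherent and residual risk, ranks scenarios by asset criticality, emits a remedial plan against a stated risk appetite, and re-runs the analysis after the planned controls are applied. The asset names, threat list, the 1 to 5 scoring scale, the control effectiveness figures and the risk appetite are all constructed assumptions, as is the simplification that controls reduce likelihood only.

```python
"""Risk register walking gather -> analyze -> remediate -> repeat.

Added example for this page; not a tool from OCR, HHS, Polsinelli or
CynergisTek. All inventory data, scores and control effects are constructed.
"""
from dataclasses import dataclass

RISK_APPETITE = 8  # assumed acceptable residual score (likelihood x impact)


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (critical) business value, from the inventory step


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1..5 before any controls
    impact: int      # 1..5 on confidentiality, integrity or availability of ePHI


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    controls: tuple  # existing controls documented for this asset/threat pairing


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str
    inherent: int   # likelihood x impact, no controls
    residual: int   # likelihood after controls x impact
    priority: int   # residual x asset criticality, used for ranking
    controls: tuple


# Phase 1 (constructed inventory): assets, threats, existing controls.
ASSETS = (Asset("clinic laptops", 4), Asset("EHR database server", 5), Asset("x-ray film archive", 2))
THREATS = (
    Threat("device lost or stolen", likelihood=4, impact=5),
    Threat("ransomware", likelihood=3, impact=5),
    Threat("vendor mishandles PHI", likelihood=2, impact=4),
)
# Assumed likelihood points each documented control removes.
CONTROL_EFFECT = {
    "full-disk encryption": 3, "MDM remote wipe": 1, "badge access to server room": 3,
    "patch management": 1, "email attachment filtering": 2, "BAA executed": 1,
}
SCENARIOS = (
    Scenario("clinic laptops", "device lost or stolen", ()),
    Scenario("EHR database server", "ransomware", ("patch management",)),
    Scenario("EHR database server", "device lost or stolen", ("badge access to server room",)),
    Scenario("x-ray film archive", "vendor mishandles PHI", ()),
)
# Constructed remedial plan for the findings that exceed appetite in the sample data.
PLANNED_CONTROLS = {
    ("clinic laptops", "device lost or stolen"): ("full-disk encryption", "MDM remote wipe"),
    ("EHR database server", "ransomware"): ("email attachment filtering",),
}


def residual_likelihood(threat, controls):
    """Likelihood left after documented controls; an unknown control earns no credit; floor is 1."""
    reduction = sum(CONTROL_EFFECT.get(c, 0) for c in controls)
    return max(1, threat.likelihood - reduction)


def analyze(assets, threats, scenarios):
    """Phase 2: score every scenario and rank by priority, highest first (ties broken by name)."""
    by_asset = {a.name: a for a in assets}
    by_threat = {t.name: t for t in threats}
    findings = []
    for s in scenarios:
        a, t = by_asset[s.asset], by_threat[s.threat]
        inherent = t.likelihood * t.impact
        residual = residual_likelihood(t, s.controls) * t.impact
        findings.append(Finding(s.asset, s.threat, inherent, residual, residual * a.criticality, s.controls))
    return sorted(findings, key=lambda f: (-f.priority, f.asset, f.threat))


def remedial_plan(findings, appetite=RISK_APPETITE):
    """Phase 3: findings whose residual risk still exceeds what the organization accepts."""
    return [f for f in findings if f.residual > appetite]


def apply_remediation(scenarios, planned):
    """Attach planned controls so the analysis can be repeated to confirm remediation worked."""
    return [Scenario(s.asset, s.threat, s.controls + planned.get((s.asset, s.threat), ())) for s in scenarios]


if __name__ == "__main__":
    before = analyze(ASSETS, THREATS, SCENARIOS)
    for f in before:
        print(f"{f.priority:3d} {f.asset:22s} {f.threat:24s} inherent={f.inherent} residual={f.residual}")
    print("needs remediation:", [(f.asset, f.threat) for f in remedial_plan(before)])
    after = analyze(ASSETS, THREATS, apply_remediation(SCENARIOS, PLANNED_CONTROLS))
    print("still above appetite after remediation:", [(f.asset, f.threat) for f in remedial_plan(after)])
```

Two design choices matter for an audit. Each Finding carries the controls it was scored against, so the register documents not just the score but the evidence behind it, which is what the desk audit protocol asks for. And the repeat run uses the same scoring code on the post-remediation scenarios, so "we evaluated the success of remediation" is a reproducible computation rather than an assertion.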
Build an Audit Tool Kit
• Prepare a plan to perform mock audits
• Use OCR's 2016 Phase 2 HIPAA Audit Protocol
• Replicate what documentation would be required under audit conditions and the timelines for production
• Use the results from your mock audit to develop a work plan for policies and processes that should be reviewed or updated
Prepare for OCR Audit
• Requirements for listing business associates
  – http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html
• OCR's 2016 Audit Protocol
  – http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
Use OCR Desk Audit Protocol As Guide
• Desk Audit Protocol & Document Request List
  – http://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf
• OCR Desk Audit Introduction Webinar
  – http://www.hhs.gov/sites/default/files/OCRDeskAuditOpeningMeetingWebinar.pdf
Example: Security Management Process

Section/Key Activity: §164.308(a)(1)(i) Security Management Process (standard)
Established Performance Criteria: A covered entity or business associate must, in accordance with §164.306: (1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations.
Audit Inquiry:
• Does the entity have written policies and procedures in place to prevent, detect, contain and correct security violations?
• Does the entity prevent, detect, contain and correct security violations?
• Obtain and review policies and procedures related to security violations. Evaluate the content relative to the specified performance criteria for countermeasures or safeguards implemented to prevent, detect, contain and correct security violations.
• Obtain and review documentation demonstrating that policies and procedures have been implemented to prevent, detect, contain and correct security violations. Evaluate and determine if the process used is in accordance with related policies and procedures.
• Obtain and review documentation of security violations and remediation actions. Evaluate and determine if security violations were handled in accordance with the related policies and procedures: safeguards or countermeasures to prevent violations from occurring; identify and characterize violations as they happen; limit the extent of any damage caused by violations; and have a corrective action plan in place to manage risk.
Example: Encryption and Decryption

Key Activity: §164.312(a)(2)(iv) Access Control – Encryption and Decryption (Addressable)
Established Performance Criteria: Implement a mechanism to encrypt and decrypt electronic protected health information.
Audit Inquiry:
• Does the entity have policies and procedures in place to encrypt and decrypt ePHI, including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?
• Does the entity encrypt and decrypt ePHI, including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?
• Obtain and review the policies and procedures regarding the encryption and decryption of ePHI. Evaluate the content relative to the specified criteria to determine that the implementation and use of encryption appropriately protects ePHI.
• Obtain and review documentation demonstrating ePHI being encrypted and decrypted. Evaluate and determine if ePHI is encrypted and decrypted in accordance with related policies and procedures.
• Has the entity chosen to implement an alternative measure? If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
• Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Questions?
David Holtzman
david.holtzman@cynergistek.com
512.405.8550 x7020
@HITPrivacy
Office of Civil Rights HIPAA Audits--Ready or Not, Here They ComeOffice of Civil Rights HIPAA Audits--Ready or Not, Here They Come
Office of Civil Rights HIPAA Audits--Ready or Not, Here They Come
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
 
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
 
Office of Civil Rights HIPAA Audits Preparing Your Clients and Yourself
Office of Civil Rights HIPAA Audits Preparing Your Clients and YourselfOffice of Civil Rights HIPAA Audits Preparing Your Clients and Yourself
Office of Civil Rights HIPAA Audits Preparing Your Clients and Yourself
 
Leading your HIPAA Compliance Culture in 2016
Leading your HIPAA Compliance Culture in 2016Leading your HIPAA Compliance Culture in 2016
Leading your HIPAA Compliance Culture in 2016
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security Baseline
 
Healthcare and Cyber security
Healthcare and Cyber securityHealthcare and Cyber security
Healthcare and Cyber security
 
IND and CTA Webinar slides.pptx
IND and CTA Webinar slides.pptxIND and CTA Webinar slides.pptx
IND and CTA Webinar slides.pptx
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
 
The Hidden Dangers of Trying to ‘Do the Right Thing:’ A Practical Look at Aud...
The Hidden Dangers of Trying to ‘Do the Right Thing:’ A Practical Look at Aud...The Hidden Dangers of Trying to ‘Do the Right Thing:’ A Practical Look at Aud...
The Hidden Dangers of Trying to ‘Do the Right Thing:’ A Practical Look at Aud...
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
Safeguarding Health Information through HIPA.pptx
Safeguarding Health Information through HIPA.pptxSafeguarding Health Information through HIPA.pptx
Safeguarding Health Information through HIPA.pptx
 
Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2
 

More from Polsinelli PC

Tax Cuts & Job Act Implications for Small Business Investments Companies
Tax Cuts & Job Act Implications for Small Business Investments Companies Tax Cuts & Job Act Implications for Small Business Investments Companies
Tax Cuts & Job Act Implications for Small Business Investments Companies
Polsinelli PC
 
Preventing Compliance Quagmires in Senior Living Communities: Part 1 - Can So...
Preventing Compliance Quagmires in Senior Living Communities: Part 1 - Can So...Preventing Compliance Quagmires in Senior Living Communities: Part 1 - Can So...
Preventing Compliance Quagmires in Senior Living Communities: Part 1 - Can So...
Polsinelli PC
 
Life After Escobar – Recent Developments In False Claims Act Litigation
Life After Escobar – Recent Developments In False Claims Act LitigationLife After Escobar – Recent Developments In False Claims Act Litigation
Life After Escobar – Recent Developments In False Claims Act Litigation
Polsinelli PC
 
The Emerald Series: Emily's Road to the Ideal Workplace Get to Work (Off the ...
The Emerald Series: Emily's Road to the Ideal Workplace Get to Work (Off the ...The Emerald Series: Emily's Road to the Ideal Workplace Get to Work (Off the ...
The Emerald Series: Emily's Road to the Ideal Workplace Get to Work (Off the ...
Polsinelli PC
 
Big Decisions: ACO Participation Reforming and Unwinding in 2019
Big Decisions: ACO Participation Reforming and Unwinding in 2019Big Decisions: ACO Participation Reforming and Unwinding in 2019
Big Decisions: ACO Participation Reforming and Unwinding in 2019
Polsinelli PC
 
Tax Cuts & Jobs Act Implications for Banking Institutions
Tax Cuts & Jobs Act Implications for Banking Institutions Tax Cuts & Jobs Act Implications for Banking Institutions
Tax Cuts & Jobs Act Implications for Banking Institutions
Polsinelli PC
 
340B Drug Pricing Under the Microscope
340B Drug Pricing Under the Microscope340B Drug Pricing Under the Microscope
340B Drug Pricing Under the Microscope
Polsinelli PC
 
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & SecurityThe Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
Polsinelli PC
 
The Emerald Series: It's (not) in the Handbook
The Emerald Series: It's (not) in the HandbookThe Emerald Series: It's (not) in the Handbook
The Emerald Series: It's (not) in the Handbook
Polsinelli PC
 
Health Care "Prime" - The Future of the Ownership, Organization, Payment, and...
Health Care "Prime" - The Future of the Ownership, Organization, Payment, and...Health Care "Prime" - The Future of the Ownership, Organization, Payment, and...
Health Care "Prime" - The Future of the Ownership, Organization, Payment, and...
Polsinelli PC
 
The Trump Labor Board Goes Back to the Future
The Trump Labor Board Goes Back to the FutureThe Trump Labor Board Goes Back to the Future
The Trump Labor Board Goes Back to the Future
Polsinelli PC
 
Fraud and Abuse - 2017 Year in Review
Fraud and Abuse - 2017 Year in ReviewFraud and Abuse - 2017 Year in Review
Fraud and Abuse - 2017 Year in Review
Polsinelli PC
 
Health Care Policy Forecast: What to Expect in 2018
Health Care Policy Forecast: What to Expect in 2018Health Care Policy Forecast: What to Expect in 2018
Health Care Policy Forecast: What to Expect in 2018
Polsinelli PC
 
Lessons learned from litigating real estate development projects
Lessons learned from litigating real estate development projectsLessons learned from litigating real estate development projects
Lessons learned from litigating real estate development projects
Polsinelli PC
 
Blockchain in Health Care
Blockchain in Health CareBlockchain in Health Care
Blockchain in Health Care
Polsinelli PC
 
Mitigating Risk When Managing High Dose, Chronic Pain Patients
Mitigating Risk When Managing High Dose, Chronic Pain Patients Mitigating Risk When Managing High Dose, Chronic Pain Patients
Mitigating Risk When Managing High Dose, Chronic Pain Patients
Polsinelli PC
 
The Feds Are Coming! Session One: The Rules Have Changed
The Feds Are Coming! Session One: The Rules Have ChangedThe Feds Are Coming! Session One: The Rules Have Changed
The Feds Are Coming! Session One: The Rules Have Changed
Polsinelli PC
 
Diamond Datascram Decimated
Diamond Datascram DecimatedDiamond Datascram Decimated
Diamond Datascram Decimated
Polsinelli PC
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine Learning
Polsinelli PC
 
Class Actions Close-Up
Class Actions Close-UpClass Actions Close-Up
Class Actions Close-Up
Polsinelli PC
 

More from Polsinelli PC (20)

Tax Cuts & Job Act Implications for Small Business Investments Companies
Tax Cuts & Job Act Implications for Small Business Investments Companies Tax Cuts & Job Act Implications for Small Business Investments Companies
Tax Cuts & Job Act Implications for Small Business Investments Companies
 
Preventing Compliance Quagmires in Senior Living Communities: Part 1 - Can So...
Preventing Compliance Quagmires in Senior Living Communities: Part 1 - Can So...Preventing Compliance Quagmires in Senior Living Communities: Part 1 - Can So...
Preventing Compliance Quagmires in Senior Living Communities: Part 1 - Can So...
 
Life After Escobar – Recent Developments In False Claims Act Litigation
Life After Escobar – Recent Developments In False Claims Act LitigationLife After Escobar – Recent Developments In False Claims Act Litigation
Life After Escobar – Recent Developments In False Claims Act Litigation
 
The Emerald Series: Emily's Road to the Ideal Workplace Get to Work (Off the ...
The Emerald Series: Emily's Road to the Ideal Workplace Get to Work (Off the ...The Emerald Series: Emily's Road to the Ideal Workplace Get to Work (Off the ...
The Emerald Series: Emily's Road to the Ideal Workplace Get to Work (Off the ...
 
Big Decisions: ACO Participation Reforming and Unwinding in 2019
Big Decisions: ACO Participation Reforming and Unwinding in 2019Big Decisions: ACO Participation Reforming and Unwinding in 2019
Big Decisions: ACO Participation Reforming and Unwinding in 2019
 
Tax Cuts & Jobs Act Implications for Banking Institutions
Tax Cuts & Jobs Act Implications for Banking Institutions Tax Cuts & Jobs Act Implications for Banking Institutions
Tax Cuts & Jobs Act Implications for Banking Institutions
 
340B Drug Pricing Under the Microscope
340B Drug Pricing Under the Microscope340B Drug Pricing Under the Microscope
340B Drug Pricing Under the Microscope
 
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & SecurityThe Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
 
The Emerald Series: It's (not) in the Handbook
The Emerald Series: It's (not) in the HandbookThe Emerald Series: It's (not) in the Handbook
The Emerald Series: It's (not) in the Handbook
 
Health Care "Prime" - The Future of the Ownership, Organization, Payment, and...
Health Care "Prime" - The Future of the Ownership, Organization, Payment, and...Health Care "Prime" - The Future of the Ownership, Organization, Payment, and...
Health Care "Prime" - The Future of the Ownership, Organization, Payment, and...
 
The Trump Labor Board Goes Back to the Future
The Trump Labor Board Goes Back to the FutureThe Trump Labor Board Goes Back to the Future
The Trump Labor Board Goes Back to the Future
 
Fraud and Abuse - 2017 Year in Review
Fraud and Abuse - 2017 Year in ReviewFraud and Abuse - 2017 Year in Review
Fraud and Abuse - 2017 Year in Review
 
Health Care Policy Forecast: What to Expect in 2018
Health Care Policy Forecast: What to Expect in 2018Health Care Policy Forecast: What to Expect in 2018
Health Care Policy Forecast: What to Expect in 2018
 
Lessons learned from litigating real estate development projects
Lessons learned from litigating real estate development projectsLessons learned from litigating real estate development projects
Lessons learned from litigating real estate development projects
 
Blockchain in Health Care
Blockchain in Health CareBlockchain in Health Care
Blockchain in Health Care
 
Mitigating Risk When Managing High Dose, Chronic Pain Patients
Mitigating Risk When Managing High Dose, Chronic Pain Patients Mitigating Risk When Managing High Dose, Chronic Pain Patients
Mitigating Risk When Managing High Dose, Chronic Pain Patients
 
The Feds Are Coming! Session One: The Rules Have Changed
The Feds Are Coming! Session One: The Rules Have ChangedThe Feds Are Coming! Session One: The Rules Have Changed
The Feds Are Coming! Session One: The Rules Have Changed
 
Diamond Datascram Decimated
Diamond Datascram DecimatedDiamond Datascram Decimated
Diamond Datascram Decimated
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine Learning
 
Class Actions Close-Up
Class Actions Close-UpClass Actions Close-Up
Class Actions Close-Up
 

Recently uploaded

Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
Wendy Couture
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Thomas (Tom) Jasper
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
Trademark Quick
 
Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...
Finlaw Consultancy Pvt Ltd
 
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptxHighlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
anjalidixit21
 
Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
Knowyourright
 
Roles of a Bankruptcy Lawyer John Cavitt
Roles of a Bankruptcy Lawyer John CavittRoles of a Bankruptcy Lawyer John Cavitt
Roles of a Bankruptcy Lawyer John Cavitt
johncavitthouston
 
Bharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptxBharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptx
ShivkumarIyer18
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
9ib5wiwt
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
ssuser0576e4
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
BridgeWest.eu
 
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
9ib5wiwt
 
The Reserve Bank of India Act, 1934.pptx
The Reserve Bank of India Act, 1934.pptxThe Reserve Bank of India Act, 1934.pptx
The Reserve Bank of India Act, 1934.pptx
nehatalele22st
 
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Syed Muhammad Humza Hussain
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
9ib5wiwt
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
9ib5wiwt
 
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptxNATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
anvithaav
 
Ease of Paying Tax Law Republic Act 11976
Ease of Paying Tax Law Republic Act 11976Ease of Paying Tax Law Republic Act 11976
Ease of Paying Tax Law Republic Act 11976
PelayoGilbert
 
new victimology of indonesian law. Pptx.
new victimology of indonesian law. Pptx.new victimology of indonesian law. Pptx.
new victimology of indonesian law. Pptx.
niputusriwidiasih
 
Understanding about ITR-1 and Documentation
Understanding about ITR-1 and DocumentationUnderstanding about ITR-1 and Documentation
Understanding about ITR-1 and Documentation
CAAJAYKUMAR4
 

Recently uploaded (20)

Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
 
Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...
 
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptxHighlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
 
Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
 
Roles of a Bankruptcy Lawyer John Cavitt
Roles of a Bankruptcy Lawyer John CavittRoles of a Bankruptcy Lawyer John Cavitt
Roles of a Bankruptcy Lawyer John Cavitt
 
Bharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptxBharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptx
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
 
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
 
The Reserve Bank of India Act, 1934.pptx
The Reserve Bank of India Act, 1934.pptxThe Reserve Bank of India Act, 1934.pptx
The Reserve Bank of India Act, 1934.pptx
 
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
 
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptxNATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
 
Ease of Paying Tax Law Republic Act 11976
Ease of Paying Tax Law Republic Act 11976Ease of Paying Tax Law Republic Act 11976
Ease of Paying Tax Law Republic Act 11976
 
new victimology of indonesian law. Pptx.
new victimology of indonesian law. Pptx.new victimology of indonesian law. Pptx.
new victimology of indonesian law. Pptx.
 
Understanding about ITR-1 and Documentation
Understanding about ITR-1 and DocumentationUnderstanding about ITR-1 and Documentation
Understanding about ITR-1 and Documentation
 

HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Associates and Covered Entities

1. HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Associates and Covered Entities
Lisa Acevedo | Shareholder, Polsinelli PC
Erin Fleming Dunlap | Shareholder, Polsinelli PC
Katie Kenney | Associate, Polsinelli PC
David Holtzman | Vice President, CynergisTek, Inc.
2. Agenda
 Current HIPAA Enforcement Landscape
 OCR Audit Structure and Status Update
 OCR Document Request List: Areas of Focus
 The Importance of Up-To-Date Security Risk Analysis
 How to Build Your "HIPAA Audit Binder"
 Audit Scope for Security Rule Compliance
 How to Prepare for Security Rule Component of the OCR Audit
 Key Takeaways/Recommendations
3. Current Government Enforcement Landscape
 Enforcement is on the rise!!
– In 2015, OCR settled 6 cases ranging from $125,000 to $3.5 million per settlement
– In 2016, OCR has already settled 9 cases and successfully imposed civil monetary penalties in 1 case, ranging from $25,000 to $5.55 million
 OCR has taken heat in the past for its “toothless” enforcement efforts, but a whole new era has clearly arrived
4. Importance of Enforcement Actions to Audit Process
 There are themes and trends in the underlying conduct
– OCR will be looking for these vulnerabilities when reviewing your documents
– Even if you have not been selected for a Phase 2 audit, the lessons learned from these settlements are invaluable
• For future breach avoidance
• For future audit preparation
5. Recent Settlements/Enforcement Actions
 Advocate Health Care – August 2016
 Largest settlement to date – $5.55 million; involved multiple violations OCR uncovered while investigating 3 separate breach incidents Advocate submitted in 2013
 The combined breaches affected approximately 4 million individuals
 Key issues included but are not limited to failure to: conduct an accurate and thorough Risk Analysis; implement policies and procedures and facility access controls; and obtain satisfactory assurances through a BAA
6. Recent Settlements/Enforcement Actions
 University of Mississippi Medical Center (UMMC) – July 2016
 Agreed to settle with OCR for $2.75 million; involved multiple violations of HIPAA that OCR uncovered while investigating a breach involving a missing, unencrypted laptop
 OCR noted that during the investigation the agency discovered that UMMC was aware of risks and vulnerabilities to its systems as far back as 2005, but no significant risk management plan was implemented
7. Recent Settlements/Enforcement Actions
 Oregon Health & Science University (OHSU) – July 2016
 Agreed to settle with OCR for $2.7 million; OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive
 During the investigation, OCR uncovered, among other issues, that OHSU stored sensitive patient information in the cloud without a BAA in place
8. Recent Settlements/Enforcement Actions
 Raleigh Orthopedic Clinic, PA (Apr 2016)
– Notified OCR of a breach after releasing x-ray films and related PHI of 17,300 patients to a vendor to transfer the images to electronic media in exchange for harvesting the silver from the x-ray film
– OCR found that Raleigh Orthopedic Clinic failed to execute a business associate agreement with the vendor prior to turning over PHI
– Agreed to pay $750,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
9. Recent Settlements/Enforcement Actions
 Feinstein Institute for Medical Research (March 2016)
– Notified OCR of the theft of an unencrypted laptop from an employee’s car – laptop contained ePHI of approximately 13,000 patients and research participants
– Agreed to pay $3.9 million and adopt a corrective action plan (CAP)
– Key compliance issues included: insufficient security management process; insufficient policies and procedures; and failure to implement safeguards to restrict access to unauthorized users
10. Breaches Involving Hacking Incidents
 Anthem
– Almost 80 million individuals affected
– Cyber-attackers accessed social security numbers, medical ID numbers, names, addresses and birth dates
 Premera Blue Cross
– 11 million individuals affected
– Discovered in January 2015 that hackers had been accessing PHI since May 2014
 Community Health Systems
– Estimated 4.5 million individuals affected
– Hacker in China bypassed CHS’ security measures and accessed patient names, addresses, birthdates, telephone numbers and social security numbers
11. OCR HIPAA Audit Structure
 Scope of Auditees
• Covered Entities and Business Associates
 Type of Audit
• “Desk” audits first
» Conducted via document requests
• Onsite audits to follow
12. Status of HIPAA Audit Program
 Phase 2 Audits:
– Desk audits of Covered Entities have already begun
– Desk audits of Business Associates will begin in the fall
• OCR has submitted the document request list to Covered Entity auditees
– http://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf
13. Focus of Phase 2 Audits
 Areas of focus for desk audits
• Covered Entity Document Request List:
1. Security risk analysis and risk management
2. Notice of Privacy Practices
3. Breach Notification letters – content and timeliness
4. Individual’s Right to Access PHI
– OCR Audit Protocol
• Updated protocol published on OCR’s website
 Areas of focus for onsite audits
• Intended to be more comprehensive than desk audit
14. Audit Timeline
 Phase 2 Audits:
– Timeline
• Desk audits
 10 Days to Respond!
– Responsive documents must be submitted electronically via OCR secure portal
– Auditors will send draft findings and you have 10 days to provide written comments to the draft report
– Final report due back from auditors within 30 business days
– All Phase 2 desk audits are scheduled to be concluded by December 2016
15. Onsite Audit Timeline and Impact
 To be Conducted Onsite over 3 to 5 Business Days
– Auditors will send draft findings and you have 10 days to provide written comments to the draft report
• Final report due back from auditors within 30 business days
 Impact
– OCR has reserved the right to initiate a compliance review against an audited entity if the audit uncovers a serious compliance issue
16. Key Desk Audit Documents
 Up-to-Date Security Risk Analysis
– This is the foundation of your HIPAA Security Rule program
• Phase 1 identified significant non-compliance
• Failure to do so was a key contributing factor to many of the large breaches and enforcement actions
– OCR is requesting specific documents, not just policies and procedures
• Key FAQs
17. Key Desk Audit Documents
 Risk Management Plan
– This is your plan to address vulnerabilities found in the risk analysis
• OCR is requesting specific documents, not just policies and procedures
– Key FAQs
18. Risk Analysis Documentation Tool
 Critical to Review Your Documentation!
– Ideally, the documentation should be easy for an auditor to review, understand and map to the Security Rule requirements
• Examples of less effective documentation
• Double check focus of reports created by third parties
 We can help!
19. Key Desk Audit Documents
 Patient Right to Access
• OCR is requesting policies and procedures, PLUS:
– Documentation related to 5 access requests and documentation related to 5 access requests where the time to respond was extended
– Template access request form
» If you are using HIPAA authorization forms for access requests, you need to change that process
» Key FAQs
20. Key Desk Audit Documents
 Notice of Privacy Practices
– Check NPPs to verify that they contain all required elements
– Make sure that your website prominently posts the NPP
– Documentation requested related to electronic provision of the NPP
• Key FAQs
21. Key Desk Audit Documents
 Breach Notification
– Ensure letters to affected individuals meet the content and timeliness requirements
– Must produce documentation related to notification of 5 breaches involving under 500 and 5 breaches involving 500 or more affected patients
• Key FAQs
22. Preparing for an Onsite Audit
 More Comprehensive
– Review the OCR Audit Protocol – be prepared to produce representative samples to demonstrate compliance
– Prepare as if you will be selected for an onsite audit
• Preparation is time-consuming
• You do not want to have staff running around looking for documents while the auditors are onsite
• Build your HIPAA Audit Binder!
23. Building Your HIPAA Audit Binder
 Organization is key – make it as easy as possible for OCR/contractor to review your documentation
 Be prepared to produce policies and procedures but also key forms and representative samples
 Ensure updates to documentation are apparent (particularly with regard to risk analysis)
24. Key Takeaways/Recommendations
• Confirm with IT that you have recently performed and documented an accurate and thorough risk analysis and risk mitigation plan
• Encrypt!! Especially mobile devices!! If PHI is not encrypted, ensure you have the appropriate documentation in place specifying the equivalent alternative measures in place.
• Review and organize your policies and procedures, BAAs, and other key documentation
• Train and re-train your employees
 Prepare for an onsite audit.
• Valuable even if your organization is never selected. Will help decrease risk of breaches and complaints
• Learn from mistakes of other organizations and use as teaching opportunities
25. Key Takeaways/Recommendations
 ***Keep in mind that the OCR Audit Program is a permanent program
• Not being selected this year allows you some time to conduct a comprehensive evaluation of your organization’s HIPAA compliance program to prepare for the next round of audits
• Preparation is ultimately worthwhile and cost effective because it will help improve your compliance program and decrease the risk of costly breaches
26. Questions?
 Feel free to contact us for more information:
– Lisa Acevedo: lacevedo@polsinelli.com
– Erin Fleming Dunlap: edunlap@polsinelli.com
– Katie Kenney: kdkenney@polsinelli.com
27. real challenges. real answers. sm
Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2016 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC.
28. OCR HIPAA Audit Program: What You Need to Know Now
Presented by: David Holtzman, VP, Compliance Strategies
CynergisTek, Inc., 11410 Jollyville Road, Suite 2201, Austin TX 78759; 512.402.8550; info@cynergistek.com; cynergistek.com; @CynergisTek
29. CynergisTek, Inc.
Synergistic: The name “CynergisTek” came from the synergy realized by combining the expertise of the two co-founders – building scalable, mature information security programs and architecting enterprise technical solutions.
Founded in 2004: CynergisTek has been providing services to our clients since 2004, but many of our clients have been with one or both of the founders since well before the company was founded.
Securing the Mission of Care: CynergisTek services are specifically geared to address the needs of the healthcare community, including providers, payers, and their business associates who provide services to those entities.
Consulting Services: CynergisTek provides consulting services and solutions around information security, privacy, IT architecture, and audit, with a specific focus on regulatory compliance in healthcare.
30. Today’s Presenter: David Holtzman, CynergisTek, Inc.
• Vice President of Compliance Strategies, CynergisTek, Inc.
• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules
• Experienced in developing, implementing and evaluating health information privacy and security compliance programs
• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights
31. Audit Scope for Security Rule Compliance
32. What Are OCR Audits Reviewing?
Desk Audits
• Security Management Process Standard
• Policies and performance of Information Security Risk Analysis
• Policies and performance of Information Security Risk Management Plan
Onsite Audits
• Device and media controls
• Transmission security
• Encryption of data at rest
• Facility access controls
Other Areas
• Administrative and physical safeguards
• Workforce training to HIPAA policies & procedures
• High risk areas identified through:
– Pilot Audit Program performed in 2012
– Breach reports submitted to OCR
33. OCR Desk Audit Document Request
• Copy of current information security risk analysis and a prior risk analysis.
• Documentation related to the implementation of the risk analysis and security review process; how it is available to the workforce members who are responsible for carrying out the risk analysis; and that the procedures are periodically reviewed and updated when needed.
• Documentation demonstrating that policies and procedures related to implementation of risk analysis have been in place for the prior 6 years.
• Documentation demonstrating the security measures implemented to reduce the risks as a result of the current risk analysis or assessment, and for the prior calendar year.
• Documentation from 2015 demonstrating the implementation of the risk management process; how it is available to the workforce members who are responsible for carrying out the risk management process; and that the procedures are periodically reviewed and updated when needed.
34. Desk Audit Protocol: Risk Analysis
Documentation Requested: Upload documentation of current risk analysis results.
What Should be Submitted: Provide the report of the most recent Risk Analysis performed by the organization.

Documentation Requested: Upload documentation demonstrating that policies and procedures related to implementation of risk analysis are in place and any revisions for the prior 6 years.
What Should be Submitted: Provide copies of current and prior versions of risk analysis policies and procedures from 2010 to 2016. Ensure that the policies and procedures support an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI the organization creates, receives, maintains or transmits.

Documentation Requested: Upload policies and procedures regarding the entity’s risk analysis process.
What Should be Submitted: Provide the current policy and procedure on how the risk analysis is performed.

Documentation Requested: Upload documentation of the risk analysis and the most recently conducted prior risk analysis.
What Should be Submitted: Provide the risk analysis completed prior to the 2015 Risk Analysis as well as accompanying documentation of an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI the organization creates, receives, maintains or transmits.
35. Desk Audit Protocol: Risk Management
Documentation Requested: Upload documentation demonstrating the security measures implemented to reduce the risks as a result of the current risk analysis or assessment.
What Should be Submitted: Provide documentation that the organization has implemented or has plans to implement administrative, physical or technical controls to reduce risks and vulnerabilities identified in the current risk analysis.

Documentation Requested: Upload documentation demonstrating that policies and procedures related to implementing risk management processes have been in place and in force for the prior 6 years.
What Should be Submitted: Provide documentation of current and prior versions of risk management policies and procedures from 2010 to 2016. These policies and procedures should identify how risk is managed, what the organization considers an acceptable level of risk in its management program, the frequency of reviewing ongoing risks, and the workforce members who are assigned a role in the risk management process.

Documentation Requested: Upload documentation demonstrating the efforts used to manage risks from the previous calendar year.
What Should be Submitted: Provide documentation for the 2015 calendar year of the actions the organization took, or had plans to take, to implement administrative, physical or technical controls to reduce risks and vulnerabilities identified in its risk analysis.
36. Preparing for an OCR Audit
37. Where Do We Start? Risk Assessment…
Credit: http://dilbert.com/strips/comic/1997-11-08/
38. Information Security Risk Assessment
• An assessment of threats and vulnerabilities to information systems that handle e-PHI.
• This provides the starting point for determining what is ‘appropriate’ and ‘reasonable’.
• Organizations determine their own technology and administrative choices to mitigate their risks.
• The risk analysis process should be ongoing and repeated as needed when the organization experiences changes in technology or operating environment.
39. Performing a Risk Analysis
Gather Information
• Prepare inventory lists of information assets: data, hardware and software.
• Determine potential threats to information assets.
• Identify organizational and information system vulnerabilities.
• Document existing security controls and processes.
Analyze Information
• Evaluate and measure risks associated with information assets.
• Rank information assets based on asset criticality and business value.
• Develop and analyze multiple potential threat scenarios.
• Prioritize potential threats based on importance and criticality.
Develop Remedial Plans
• Develop remedial plans to combat potential threat scenarios.
• Repeat the risk analysis to evaluate the success of remediation and when there are changes in technology or operating environment.
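The three phases on this slide (gather, analyze, develop remedial plans) carried through in code, as an added example that is not from the slides or from CynergisTek: a small e-PHI risk register that scores constructed threat scenarios, ranks assets by criticality, credits documented existing controls, and produces a prioritized remediation plan. The ordinal scale, the likelihood x impact x criticality scoring and the acceptable-risk threshold are assumptions chosen for illustration; the assets and scenarios are constructed sample data.

```python
from dataclasses import dataclass
# Ordinal scale for likelihood, impact and asset criticality. The scale, the
# multiplication and the acceptable-risk threshold are illustrative assumptions.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Asset:
    name: str               # information asset that holds e-PHI
    criticality: str        # business value / criticality: low, medium, high
    controls: tuple = ()    # documented existing safeguards
@dataclass
class ThreatScenario:
    asset: str               # Asset.name the scenario applies to
    threat: str              # potential threat to the asset
    vulnerability: str       # weakness that lets the threat succeed
    likelihood: str
    impact: str
    mitigating_control: str  # safeguard that would close the vulnerability
def inherent_risk(s, assets):
    """Risk before controls: likelihood x impact x asset criticality."""
    return LEVEL[s.likelihood] * LEVEL[s.impact] * LEVEL[assets[s.asset].criticality]

def residual_risk(s, assets):
    """Credit a documented control by treating likelihood as low."""
    if s.mitigating_control in assets[s.asset].controls:
        return LEVEL["low"] * LEVEL[s.impact] * LEVEL[assets[s.asset].criticality]
    return inherent_risk(s, assets)

def rank_assets(scenarios, assets):
    """Rank assets by total inherent risk, most critical first."""
    totals = {name: 0 for name in assets}
    for s in scenarios:
        totals[s.asset] += inherent_risk(s, assets)
    return sorted(totals, key=totals.get, reverse=True)

def remediation_plan(scenarios, assets, acceptable=6):
    """Scenarios above the acceptable residual risk, highest first, each with
    the control to implement; re-run after remediation to verify the drop."""
    items = [(residual_risk(s, assets), s) for s in scenarios]
    items = [(r, s) for r, s in items if r > acceptable]
    items.sort(key=lambda rs: rs[0], reverse=True)
    return [(s.asset, s.threat, s.mitigating_control, r) for r, s in items]

ASSETS = {a.name: a for a in [  # constructed sample inventory, not real data
    Asset("EHR database", "high", ("encryption at rest", "access logging")),
    Asset("clinician laptop", "medium"),
    Asset("backup tapes", "high", ("offsite storage",)),
]}
SCENARIOS = [  # constructed sample threat scenarios, not real data
    ThreatScenario("clinician laptop", "lost device", "unencrypted disk", "high", "high", "full-disk encryption"),
    ThreatScenario("EHR database", "ransomware", "unpatched server", "high", "high", "patch management"),
    ThreatScenario("EHR database", "insider browsing", "logs not reviewed", "medium", "medium", "access logging"),
    ThreatScenario("backup tapes", "tape lost in transit", "unencrypted tape", "low", "high", "tape encryption"),
]
```

With this data the insider scenario drops below the threshold because access logging is already documented on the EHR database, while the unencrypted laptop and tapes stay on the plan; re-running after adding the controls shows the residual scores fall.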
40. Build an Audit Tool Kit
• Prepare a plan to perform mock audits
• Use OCR’s 2016 Phase 2 HIPAA Audit Protocol
• Replicate what documentation would be required under audit conditions and the timelines for production
• Use the results from your audit to develop a work plan for policies and processes that should be reviewed or updated
41. Prepare for OCR Audit
• Requirements for listing business associates
– http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html
• OCR’s 2016 Audit Protocol
– http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
42. Use OCR Desk Audit Protocol As Guide
• Desk Audit Protocol & Document Request List
– http://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf
• OCR Desk Audit Introduction Webinar
– http://www.hhs.gov/sites/default/files/OCRDeskAuditOpeningMeetingWebinar.pdf
43. Example: Security Management Process
Section/Key Activity: §164.308(a)(1)(ii)(A) Security Management Process – Risk Analysis
Established Performance Criteria: A covered entity or business associate must, in accordance with 164.306: (1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations
Audit Inquiry:
• Does the entity have written policies and procedures in place to prevent, detect, contain and correct security violations?
• Does the entity prevent, detect, contain and correct security violations?
• Obtain and review policies and procedures related to security violations. Evaluate the content relative to the specified performance criteria for countermeasures or safeguards implemented to prevent, detect, contain and correct security violations.
• Obtain and review documentation demonstrating that policies and procedures have been implemented to prevent, detect, contain and correct security violations. Evaluate and determine if the process used is in accordance with related policies and procedures.
• Obtain and review documentation of security violations and remediation actions. Evaluate and determine if security violations were handled in accordance with the related policies and procedures; safeguards or countermeasures to prevent violations from occurring; identify and characterize violations as they happen; limit the extent of any damages caused by violations; have a corrective action plan in place to manage risk.
44. Example: Encryption and Decryption
Key Activity: §164.312(a)(2)(iv) Access Control – Encryption and Decryption (A)
Established Performance Criteria: Implement a mechanism to encrypt and decrypt electronic protected health information
Audit Inquiry:
• Does the entity have policies and procedures in place to encrypt and decrypt ePHI, including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?
• Does the entity encrypt and decrypt ePHI, including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?
• Obtain and review the policies and procedures regarding the encryption and decryption of ePHI. Evaluate the content relative to the specified criteria to determine that the implementation and use of encryption appropriately protects ePHI.
• Obtain and review documentation demonstrating ePHI being encrypted and decrypted. Evaluate and determine if ePHI is encrypted and decrypted in accordance with related policies and procedures.
• Has the entity chosen to implement an alternative measure? If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead. Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
45. Questions?
David Holtzman: david.holtzman@cynergistek.com, 512.405.8550 x7020, @HITPrivacy