The document discusses an upcoming audit of healthcare organizations by the Office of Civil Rights (OCR) to ensure compliance with HIPAA regulations. It notes that enforcement is increasing, with recent settlements ranging from $25,000 to $3.9 million. The audit will have two phases, with the initial phase focusing on document requests and the potential for on-site visits. Organizations are advised to ensure their security risk analysis, policies and procedures are up to date and organized in an "audit binder" to facilitate document production for the audit. Proper preparation is important to avoid noncompliance findings or further enforcement action from OCR.
Get your Ducks in a Row - The OCR Audit Season is About to Begin - ID Experts
The HHS Office for Civil Rights has unveiled information about Phase 2 of its HIPAA audits. These audits will be conducted by OCR itself and will focus on high-risk areas and enforcement. Organizations may be hearing from OCR over this summer, with audits to begin in the fall. This webinar will overview some lessons learned from the first round of audits and highlight the changes and process for the next round. Phase 2’s additional focus on compliance with breach notification rule will be discussed. We also will provide some tips to prepare for the audits, which also will be helpful to prepare for any OCR investigation or compliance review.
To view the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/get-your-ducks-in-a-row-the-ocr-audit-season-is-about-to-begin/r-general
OCR is increasing its audits of the HIPAA compliance of health care providers. An OCR audit that finds noncompliance may lead to a significant fine or financial settlement. Adam Greene, partner at Davis Wright Tremaine and past regulator at OCR, will review the latest information about the OCR audit program, including OCR’s focus on information security risk analysis and ensuring that breach notification policies and procedures are up-to-date consistent with recent regulatory changes. Learn about recent changes to HIPAA rules, the focus of upcoming audits, the importance of a good breach response program to reduce potential liability, and how best to prepare your organization. In addition, you’ll hear how to prepare for and respond to the inevitable data breach.
To View the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/ocr-hipaa-audits...will-you-be-prepared/r-general
Get information on the HIPAA Omnibus rule and how the revised regulations will impact not only healthcare organizations but also covered entities and other IT providers - OConnor Davies - NYC CPA Firm.
Process Area Site Assessments techniques for the Management - Nimonik
Safety is senior management's responsibility. Irrespective of the internal and external safety audits, they should go on site visits to see for themselves the safety culture at their organization. But some members of management are hesitant to go on site visits as they feel they lack the skills to evaluate risks and hazards.
In this slideshow, John Wolfe, himself part of management at Suncor Energy, shares best practices for site visits to help leaders go well-prepared for the site visits.
A practical guide to preparing audit universes for CMS program audits where it's 3 strikes and you are out
Recently presented at the CBI Pharmacy Benefit Oversight and Compliance Conference – November 12-13, 2015
Comprehensive Compliance for Environmental, Safety, Quality Requirements in C... - Nimonik
Nimonik has a 7-step process to ensure thorough and comprehensive regulatory compliance for environmental, occupational health and safety, and quality requirements for your organization. By following these steps, you will reduce your operational risk and optimize your processes to become a proactive compliance company. This presentation also covers compliance risks such as accidents and penalties, challenges that organizations face, and a case study of the Lac Megantic oil train disaster in July 2013 that killed 47 people and spilled 6 million litres of oil.
Continuous auditing vs traditional slide share - Bob Sahm
Advantages of Shifting from a Traditional Problem-Based Audit Approach to a Continuous Audit Approach Focused on Control Improvement
Provides justification to a non-auditor audience for why the traditional, project-based internal audit approach needs to be mixed with a continuous controls approach.
This was originally prepared for a public sector state agency.
Marketing to Make Managed Services Mainstream - Larry Levine
You have launched a managed services business knowing that it will be an important part of your future. But while some of your key clients have signed up for managed services, the majority of your customers and prospects still view you as a copier company. In this workshop-style session, you will learn practical strategies to cross the chasm and position your managed services and document solutions offerings so that the majority of your clients want to sign up. You'll discover ways to get the attention and buy-in of the majority of your current and potential clients so that your managed services business can become a core revenue driver in your dealership.
Net New Business Summit 16 0920 Destin Florida - Larry Levine
How many deals are your sales reps involved in within your marketplace? Companies, as well as their sales reps, must look credible online. How many deals are going down in your respective territories that you are not involved in?
How Top M&A Advisors Create Intelligent Target Lists - Navatar
Learn how top M&A advisors leverage existing relationships, capture historical deal data and tap external deal networks to build intelligent buyer lists in the cloud quickly and efficiently.
Fujitsu Scanners and Hyland Software Webinar Delivering Automation In The Len... - Kevin Neal
This is a presentation on Lending and how document scanning and Enterprise Content Management (ECM) can help improve efficiency and decrease operational costs.
Accenture and Worksoft Explain Why Businesses Need a Digital Testing Strategy - Worksoft
Originally presented February 11th by Matthias Rasking, Principal Director and Testing Platform Lead at Accenture, and Shoeb Javed, Chief Technology Officer at Worksoft.
Based on research with Pierre Audoin Consultants (PAC) in Europe
Stop manual testing: Take your weekends back! - Worksoft
Manual testing takes time, and manually validating data is error-prone. It means doing the same repetitive task over and over, and for many people it's not their day job. Discover your business processes, find the real end-to-end workflow, and ensure that every business process works as planned with Worksoft Automation.
Summary presentation of how AI is changing the face of business and acting as a catalyst for disruption both for interaction with consumers and employees.
Artificial intelligence and robotics are one of the exciting new frontiers. 2015 was the year that self-driving cars became a reality, robots gained all sorts of new abilities, and many worried about the threat of super-intelligent future AI.
The ground is shifting quickly in this field, with new AI developments announced on a seemingly weekly basis and commercial applications filtering through to market.
Speakers include:
- Dr Chris Brauer, Director of Innovation and Senior Lecturer at Goldsmiths, University of London
- Devika Thapar, AI: Watson Financial Services Leader at IBM
- Jonathan Seal, Strategy Director at Mando
- Lorenzo Wood, Chief Innovation Officer, DigitasLBi
A joint webinar presentation with James Taylor on using BPM and DM as a back-end for mobile applications to make them smarter and more integrated with core business processes.
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc... - Polsinelli PC
Our panel, which includes two former OCR staffers who played key roles in policy and enforcement activities, will provide status updates and practical tips to help you prepare for business associate and covered entity audits.
Our agenda:
- OCR Audit Status Update
- OCR Document Request List
- How to Document Your Security Rule Compliance
- The Importance of Up-To-Date Security Risk Analysis
- How to Build Your "HIPAA Audit Binder"
- Even if You Are Not Selected: How Audit Preparation Can Assist in Breach/Complaint Investigations
- Key Takeaways/Recommendations
Preparing & Responding to an OCR HIPAA Audit - PYA, P.C.
PYA Principal Barry Mathis presented “Preparing and Responding to an OCR HIPAA Audit” at the Association of Healthcare Internal Auditors (AHIA) 36th Annual Conference.
Areas of focus included:
Understanding the steps of an OCR HIPAA audit.
Learning methods for responding accurately and efficiently to audits.
Understanding how to assess ability to respond to, and identify gaps and weaknesses in, processes.
Discussing lessons learned from completed audits.
OCR Enforcement Update: Under 500 Breach Investigations and Inner Workings of... - Lauren Williams
Over the past several years the Office for Civil Rights (OCR) has ramped up its enforcement of the HIPAA Privacy and Security Rules. Generally, such enforcement efforts have related to incidents that affected more than 500 individuals. In August of 2016, however, OCR announced that it would begin investigating self-reported HIPAA breaches affecting under 500 individuals. This initiative may lead to increased investigations at both covered entities and business associates.
On the webinar, two former OCR attorneys will discuss this new OCR initiative, provide guidance on navigating OCR investigations, explain how the OCR settlement and resolution agreement process works, and offer tips on steps to take if your organization is presented with a dreaded resolution agreement. Please join us for a discussion of recent OCR activity, the under-500 breach investigation initiative, the anatomy of an OCR investigation and settlement process, quick tips, and lessons learned.
What Covered Entities Need to Know about OCR HIPAA Audits - Iatric Systems
Learn how to be better prepared to comply with today's patient privacy rules and regulations.
Hosted by HealthITSecurity.com, you'll get insight directly from HIPAA officer Iliana L. Peters, J.D., LL.M. As Senior Advisor for HIPAA Compliance and Enforcement, she is today's leading source for understanding HIPAA requirements.
Ms. Peters presents OCR’s 2017 to 2018 goals and objectives and tells you how you can:
- Uncover the patient privacy risks and vulnerabilities in your healthcare organization
- Determine where you can use technology to assist in and encourage consistent compliance
- Manage risk when vendors have access to your patient data
How Best Practices in Triage Protocol Can Boost Compliance and Reduce Risk - Case IQ
With recent announcements of increasingly stringent federal policies around record-keeping and due diligence, compliance and investigation professionals are feeling the pressure to demonstrate consistency and rigor in their case management processes.
Planning your investigation, having the right team members involved and reporting on outcomes of an investigation can all be difficult phases of the process.
However, being able to demonstrate that you are quickly, consistently and accurately triaging incidents is even more important now.
The key is to establish decision-making approaches and plan out your entire protocol before the matter comes to your attention through hotline reporting or other mechanisms. This ensures structure and success as you triage, investigate, staff the investigation properly, and meet the inevitable challenges of reporting on and addressing the root causes of incidents.
The Hidden Dangers of Trying to ‘Do the Right Thing:’ A Practical Look at Aud... - PYA, P.C.
PYA Principal Denise Hall and Michelle Calloway of Hancock, Daniel, Johnson & Nagle, P.C., copresented at the 2013 American Health Lawyers Association/Health Care Compliance Association Fraud & Compliance Forum in Baltimore. They addressed “The Hidden Dangers of Trying to ‘Do the Right Thing:’ A Practical Look at Auditing, Monitoring and Investigation Pitfalls.” The presentation covered best practices for investigating reported compliance concerns, compliance auditing techniques, repayment practices, and corrective action implementation and monitoring procedures.
Caveon Webinar Series - Exam Integrity Investigations, An Introduction to th... - Caveon Test Security
In today’s high-speed, electronically connected society, exam integrity incidents occur more frequently and present greater risks to test sponsors and their examinations. When incidents occur that threaten the integrity of your exam, you must have a comprehensive investigation plan in place that your team members understand and are prepared to execute swiftly and thoroughly.
Thorough investigations are needed in response to a wide range of possible exam integrity incidents, from individual cheating to collusion to item harvesting. It’s important to have personnel trained and ready to respond with effective strategies to (1) detect and mitigate exam integrity vulnerabilities and (2) conduct internal exam integrity investigations when incidents occur.
Join our hosts, Marc Weinstein and Ben Mannes of Caveon Investigation Services as they discuss why a sound investigation plan is necessary, what to consider when an investigation is conducted, and why having the right resources is so important.
Office of Civil Rights HIPAA Audits--Ready or Not, Here They Come - PYA, P.C.
PYA Compliance Consulting Manager Susan Thomas presented “Office of Civil Rights HIPAA Audits--Ready or Not, Here They Come” at the Kansas Association of Local Health Departments Midyear Meeting.
Learning objectives included:
Understanding the Office of Civil Rights Health Information Technology for Economic and Clinical Health audit program.
Reviewing lessons learned from Phase 1 audits.
Discussing the scope and selection for Phase 2 audits.
Determining Health Insurance Portability and Accountability Act audit readiness.
Reviewing a breach investigation case study.
Considering additional resources.
Office of Civil Rights HIPAA Audits Preparing Your Clients and Yourself - PYA, P.C.
PYA Consulting Manager Susan Thomas presented “Office of Civil Rights HIPAA Audits – Preparing Your Clients and Yourself” at The Florida Bar’s “Representing the Physician: It Is Harder Than It Looks” conference, February 3, 2017, in Orlando, Florida.
The presentation covered topics that include:
The Health Information Technology for Economic and Clinical Health Act.
Phase 1 audit, privacy, security, and breach notification findings and lessons learned.
Phase 2 audits—scope and recipient selection.
HIPAA audit readiness and steps for preparing.
Personal reflections from an OCR breach investigation.
Audit resources for physician practices.
Internal Investigations
Chapter 11
Learning Objectives
Situations requiring investigation or audit
Steps in conducting an internal investigation
Interviewing employees and third parties
Reviewing documents and records
Contents of a thorough investigation report
Sources of a government investigation
Responses to a government investigation
When to conduct an internal compliance audit
Taking advantage of attorney-client privilege
Introduction
An organization conducts an internal investigation to discover whether a violation of law has occurred or is likely to occur.
Internal sign or report that a violation has occurred
Organization learns that a government agency has launched an investigation
As a preventive measure, the organization conducts periodic audits
Investigations in a Compliance Program
Key component of an effective compliance program
Discover problems before a government agency learns of them
Opportunity to control resolution of the problems
Once the government initiates an inquiry, the organization is compelled to conduct its own parallel investigation
Multi-Step Investigation Procedure
Use trained, trusted employees to carry out the investigation
Consider using an attorney and a consultant
Fit the investigation to the suspected misconduct
Investigative techniques: personnel interviews, records and document reviews
Report based on investigation findings
After the investigation is complete
Use Trained, Trusted Employees
Starts with the Compliance Officer. Other staff should be...
Trained in investigation techniques
Knowledgeable about area where misconduct suspected, but preferably not working there
People of good judgment and discretion
Willing to make hard decisions
Able to maintain confidentiality
Consider Using an Attorney
For all but trivial incidents, consult an attorney
For serious matters, conduct investigation under the guidance of an attorney
Take advantage of attorney-client or work-product privileges whenever possible
Attorney will direct the investigation, communicate with top management, and control information flows about the events
Consider Using a Consultant
If the organization lacks the time, the experienced personnel, or the expertise to carry out the investigation
Consultant performs work that is channeled through the attorney
Consultant lacks close relationship with the organization
Consultant duties should be carefully defined
Fit the Investigation to the Suspected Misconduct
As the investigation proceeds and the gravity of the misconduct is revealed, efforts can be scaled up or down.
Investigative techniques should be discussed with management and the attorney.
Anticipate effects of the investigation on workforce morale and productivity.
Focus of the Investigation
Nature and scope of the problem incident
Statutes and regulations related to the incident
Clarity or ambiguity of the relevant st ...
Your project selected_for_audit_sip18_project_auditors - Joy Gumz
Project audit: presentation about auditing project management, with a case study. Presented at PMI EMEA Congress 2006 by Project Auditors LLC.
Audit update
Slides from a webinar to the Federation of Awarding Bodies on Monday 27 April 2015
Webinar hosted by Bryan Horne
Associate Director Standards for Vocational Qualifications and Apprenticeships
Similar to OCR Audits Are Coming – Is Your Organization Prepared? (20)
Tax Cuts & Job Act Implications for Small Business Investments Companies - Polsinelli PC
On December 22, 2017, the President signed into law a federal tax reform bill commonly known as the Tax Cuts & Jobs Act (the “Tax Act”). The Tax Act resulted in significant changes to the U.S. tax system on a number of fronts. This webinar will provide an overview of the provisions of the Tax Act relevant to SBICs. We will also address the impact of the Tax Act upon choice-of-entity decisions and a number of ancillary matters.
Preventing Compliance Quagmires in Senior Living Communities: Part 1 - Can So... - Polsinelli PC
During this webinar we will explore the regulatory, operational and employment related issues that arise when long term care staff use social media at work in the long term care setting.
Health Care "Prime" - The Future of the Ownership, Organization, Payment, and... - Polsinelli PC
The potential for disruption and disaggregation of traditional and incumbent players is occurring across the health care ecosystem and care continuum, and may accelerate through the intended and unintended consequences of this innovative new venture. Is this partnership a seminal event in defining the future of health care? Author William Gibson said, “The future is already here – it’s just not very evenly distributed.” This statement applies as the future of health care fast approaches, but with variability across stakeholders, their businesses, and the communities in which they provide care as part of one of America’s largest industries.
A diverse panelist group will bring a broad range of current perspectives and insights related to this partnership. From the base of the panelists’ unique perspectives, they will discuss their views on the likely near-, mid- and long-term implications of this announced venture on the ownership, organization, payment, and delivery of health care products, supplies and services in America.
The Trump Labor Board Goes Back to the Future - Polsinelli PC
The last weeks of 2017 brought significant changes to the National Labor Relations Board and federal labor law. Polsinelli’s Traditional Labor Practice Group will cover all of these changes, including the short-lived Republican majority, the new Board members and General Counsel, and a recap of the major decisions reversing several of President Obama’s pro-employee initiatives over the last eight years, and will discuss what is in store for employers in 2018.
Lessons learned from litigating real estate development projects - Polsinelli PC
Real estate development projects are filled with uncertainty. Zoning and permitting denials, disputes with neighboring property owners and citizen groups, and ambiguity in development contracts can cause significant setbacks to even the most well planned developments. This webinar will explore the many pitfalls of the development process and how to navigate them. Four Polsinelli attorneys offer their guidance and insights gained from litigating these very types of issues.
Datascram is being called a massive “Datascam.” Engineers cut corners and, as it turns out, data is not deleted forever. Instead, once deleted, it resides on a Nigerian server where it is sold to the highest bidder. As the company prepares to shut its doors, new questions emerge about Damian Diamond’s role in the fiasco and whether he could be held personally responsible for the company’s potentially criminal activities.
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordinary And Special Businesses And Ordinary And Special Resolutions with Companies (Postal Ballot) Regulations, 2018
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx - anvithaav
These slides help students of international law understand the nature of international law and how it originated and developed.
The slides are well structured, with highlighted points for better understanding.
How to Obtain Permanent Residency in the Netherlands - BridgeWest.eu
You can rely on our assistance if you are ready to apply for permanent residency. Find out more at: https://immigration-netherlands.com/obtain-a-permanent-residence-permit-in-the-netherlands/.
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel - Thomas (Tom) Jasper
Military Commissions Trial Judiciary, Guantanamo Bay, Cuba. Notice of the Chief Defense Counsel's detailing of LtCol Thomas F. Jasper, Jr. USMC, as Detailed Defense Counsel for Abd Al Hadi Al-Iraqi on 6 August 2014 in the case of United States v. Hadi al Iraqi (10026)
OCR Audits Are Coming – Is Your Organization Prepared?
1. OCR Audits Are Coming—Is Your Organization Prepared?
Presented by: Jason T. Lundy, Lisa J. Acevedo, Kathleen D. Kenney
2. Agenda
Current HIPAA Enforcement Landscape
Brief Overview of Phase 1 Audits
What to Expect in Phase 2
The Importance of Up-To-Date Security Risk Analysis and Policy/Procedure Documentation
How to Build Your “HIPAA Audit Binder”
Key Recommendations
3. Current Government Enforcement Landscape
Enforcement is on the rise!
– In 2015, OCR settled 6 cases ranging from $125,000 to $3.5 million per settlement
– In 2016, OCR has already settled 5 cases and successfully imposed civil monetary penalties in 1 case, ranging from $25,000 to $3.9 million
OCR has taken heat in the past for its “toothless” enforcement efforts, but a whole new era has clearly arrived
4. Importance of Enforcement Actions to Audit Process
There are themes and trends in the underlying conduct
– OCR will be looking for these vulnerabilities when reviewing your documents
– Even if you are not selected for a Phase 2 audit, the lessons learned from these settlements are invaluable
• For future breach avoidance
• For future audit preparation
5. Recent Settlements/Enforcement Actions
Feinstein Institute for Medical Research (March 2016)
– Notified OCR of the theft of an unencrypted laptop from an employee’s car; the laptop contained ePHI of approximately 13,000 patients and research participants
– Agreed to pay $3.9 million and adopt a corrective action plan (CAP)
– Key compliance issues included: insufficient security management process; insufficient policies and procedures; and failure to implement safeguards to restrict access by unauthorized users
6. Recent Settlements/Enforcement Actions
Lahey Hospital and Medical Center (Nov. 2015)
– Notified OCR of the theft of an unencrypted laptop that was connected to a portable CT scanner; the hard drive contained PHI of 599 individuals
– Lahey agreed to pay $850,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
– Key compliance issues included: failure to conduct a risk analysis; failure to physically safeguard ePHI; lack of unique user names; failure to implement policies and procedures
7. Recent Settlements/Enforcement Actions
Triple-S Management Company (Nov. 2015)
– Insurance holding company
– Agreed to pay $3.5 million and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
– Deficiencies included failure to conduct a risk analysis; failure to implement sufficient security measures; disclosure of more PHI than was necessary to carry out mailings
8. Recent Settlements/Enforcement Actions
Raleigh Orthopedic Clinic, PA (Apr. 2016)
– Notified OCR of a breach after releasing x-ray films and related PHI of 17,300 patients to a vendor to transfer the images to electronic media in exchange for harvesting the silver from the x-ray film
– OCR found that Raleigh Orthopedic Clinic failed to execute a business associate agreement with the vendor prior to turning over PHI
– Agreed to pay $750,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
9. Breaches Involving Hacking Incidents
Anthem
– Almost 80 million individuals affected
– Cyber-attackers accessed social security numbers, medical ID numbers, names, addresses and birth dates
Premera Blue Cross
– 11 million individuals affected
– Discovered in January 2015 that hackers had been accessing PHI since May 2014
Community Health Systems
– Estimated 4.5 million individuals affected
– Hacker in China bypassed CHS’ security measures and accessed patient names, addresses, birthdates, telephone numbers and social security numbers
10. Overview of Phase 1 Audits
OCR contracted with KPMG to conduct the audits ($9.2 million contract)
OCR stratified covered entities (CEs) into 4 tiers, seeking a wide range of types and sizes
Phase 1 audits took a "kitchen sink" approach (everything in scope)
115 audits were conducted (47 health plans; 61 providers; 7 clearinghouses); all audits included on-site visits
11. Phase 1 Lessons Learned
Improve the document collection process (from notification to document collection throughout the audit)
Address timing and staffing issues (on-site audits ranged from 3-10 days)
Use a representative sampling method
Prioritize focus on the high-risk areas identified
12. Phase 1 Audit Results
[Chart: Phase 1 Results, Areas of Noncompliance; segments labeled 60% and 30%]
The most common cause of noncompliance: the covered entity was unaware of the requirement.
13. Phase I versus Phase II
FCi Federal awarded the audit contract ($1 million)
Verifying contact information and learning more about the CE on the front end
Desk audits prior to on-site audits
Phase 2 desk audits focus on specific areas identified as high risk in Phase 1
Likely less leniency with respect to extensions, etc.
14. Status of HIPAA Audit Program
Phase 2 Audits:
– Notification of potential selection has begun
• Contact verification notification emails have been sent
• An audit pre-screening questionnaire will follow
– Questions are intended to identify whether the entity is a Covered Entity (health care provider, health plan or health care clearinghouse) or a Business Associate
• The purpose of these communications is to create a diverse audit pool
15. Can I Avoid Being Chosen?
Entities that fail to respond may still be selected
• Failing to respond could have the opposite effect!
Entities with open investigations should not be selected
• Note: we are aware of such entities receiving the initial notification communications
16. Past Compliance History
Impact of past compliance history
– Unclear if/when/how OCR will take this into account
• Should not impact the desk audit selection process
• May impact whether an organization is selected for an onsite audit
– The logs of reported breaches affecting fewer than 500 individuals (the "under 500" reports) can be a source of evidence of systemic compliance issues
17. Audit Structure
Scope of auditees
• Covered Entities and Business Associates
Type of audit
• "Desk" audits first
» Conducted via document requests
• Onsite audits to follow
18. Focus of Phase 2 Audits
Areas of focus for desk audits
• Likely to focus on:
1. Security risk analysis and risk management
2. Notice of Privacy Practices
3. Breach notification letters: content and timeliness
4. Individuals' right to access PHI
– OCR Audit Protocol
• Updated protocol published on OCR's website
Areas of focus for onsite audits
• Intended to be more comprehensive than the desk audit
19. Audit Timeline
Phase 2 Audits:
– Timeline
• Desk audits: 10 days to respond!
– Responsive documents must be submitted electronically via OCR's secure portal
– Auditors will send draft findings, and you have 10 days to provide written comments on the draft report
– Final report due back from auditors within 30 business days
– All Phase 2 desk audits are scheduled to be concluded by December 2016
20. Onsite Audit Timeline and Impact
To be conducted onsite over 3 to 5 business days
– Auditors will send draft findings, and you have 10 days to provide written comments on the draft report
• Final report due back from auditors within 30 business days
Impact
– OCR has reserved the right to initiate a compliance review of an audited entity if the audit uncovers a serious compliance issue
21. Key Desk Audit Documents
Up-to-date security risk analysis
– This is the foundation of your HIPAA Security Rule program
• Phase 1 identified significant non-compliance
• Failure to conduct one was a key contributing factor in many of the large breaches and enforcement actions
– Be prepared to demonstrate that the risk analysis is current; it is also possible that OCR will ask for documentation from years past
22. Key Desk Audit Documents
Risk management plan
– Plan to address the vulnerabilities found in the risk analysis
– Review the status of commitments made in this plan
– Ensure all mitigation efforts have been documented in a form/format that can be easily produced
23. Risk Analysis Documentation Tool
Critical to review your documentation!
– Ideally, the documentation should be easy for an auditor to review, understand and map to the Security Rule requirements
• Examples of less effective documentation
• Double-check the focus of reports created by third parties (a technical scan or gap assessment does not, by itself, constitute a risk analysis)
We can help!
– Polsinelli's Risk Analysis tool
24. Key Desk Audit Documents
Policies, procedures, compliance documents
– Patient right to access
• Can you demonstrate timeliness?
• Review recent OCR guidance
– If you are using HIPAA authorization forms for access requests, you need to change that process
– Check your NPPs (Notices of Privacy Practices)!
25. Key Desk Audit Documents
Breach notification letters: ensure letters to affected individuals meet the content and timeliness requirements
– Be prepared to submit samples
If you have not had an incident rise to the level of a reportable breach, you may want to be prepared to produce your four-factor risk assessments for such incidents
26. Preparing for an Onsite Audit
More comprehensive
– Review the OCR Audit Protocol; be prepared to produce representative samples to demonstrate compliance
– Prepare as if you will be selected for an onsite audit
• Preparation is time-consuming
• You do not want to have staff running around looking for documents while the auditors are onsite
• Build your HIPAA Audit Binder!
27. Building Your HIPAA Audit Binder
Organization is key: make it as easy as possible for OCR/contractor to review your documentation
Be prepared to produce policies and procedures, but also key forms and possibly representative samples
Ensure updates to documentation are apparent (particularly with regard to the risk analysis)
28. Key Takeaways/Recommendations
• Confirm with IT that you have recently performed and documented an accurate and thorough risk analysis and risk mitigation plan
• Encrypt, especially mobile devices! If ePHI is not encrypted, ensure you have the appropriate documentation in place specifying the equivalent alternative measures that are in place (encryption is an addressable specification under the Security Rule, so a decision not to encrypt must be documented and justified)
• Review and organize your policies and procedures, BAAs, and other key documentation
• Train and re-train your employees
• Prepare for an onsite audit
– Valuable even if your organization is never selected; it will help decrease the risk of breaches and complaints
• Learn from the mistakes of other organizations and use them as teaching opportunities
29. Key Takeaways/Recommendations
*** Keep in mind the OCR Audit Program is a permanent program
• If you are not selected for a Phase 2 audit, you should still be evaluating your organization's HIPAA compliance program to prepare for the next round of audits
• Preparation is ultimately worthwhile and cost-effective because it will help improve your compliance program and decrease the risk of costly breaches
30. We Can Help!
Polsinelli's Audit Preparation Tool and Services
– Phase 1:
• Off-site: review of your organization's HIPAA privacy and security materials (BAAs (and, for those that are business associates, your subcontractor BAAs), NPPs, privacy and security policies and procedures, key forms, risk analyses, risk management plan, etc.)
• On-site: mock OCR audit at your organization; interview employees and collect representative samples
31. Polsinelli's Audit Preparation Services
Phase 2:
– Analysis and findings from Phase 1
• We will identify any deficiencies, best practices and areas of risk, and make recommendations for changes and improvement
– Conference call with your compliance or legal team to discuss findings and recommendations, and to prepare for Phase 3
32. Polsinelli's Audit Preparation Services
Phase 3:
– Provide a formal report of audit findings and recommendations
– Provide an educational in-service to your compliance team relating to the audit, areas of risk, recommendations for improvement, etc.
• The educational in-service may be presented in person or as a webinar
33. Questions?
Feel free to contact us for more information:
– Jason Lundy: jlundy@polsinelli.com
– Lisa Acevedo: lacevedo@polsinelli.com
– Katie Kenney: kdkenney@polsinelli.com