4-2 Your HIPAA Program - cshrm.org

4/15/2016

If You Think Your HIPAA Program’s Rockin’, Wait Until OCR Comes a Knockin’: A Preview of the OCR’s HIPAA Audit Plan

What we strive for…

Reality…


Background

The HITECH Act requires the DHHS to conduct audits of covered entities and business associates to determine compliance with HIPAA. The OCR developed protocols for how they would audit an initial target of 115 entities.

Development and Purpose of the Audit

For the OCR to develop better audit tools to assess whether entities are complying with HIPAA

For the OCR to better understand what types of PHI are out there, in what form, where and how it is stored, and what are the security measures the industry is implementing.

From each audit, the audit tool is refined to better assess compliance. Not meant to be a punitive process. Meant to be educational for both government and covered entities and business associates.

BOTTOM LINE: Due to a rush of new technologies and reliance by CEs and BAs on technology to create, store, transmit and secure PHI, the OCR wants to learn more about how these technologies work in the industry and get a better idea of what CEs and BAs are doing to comply with HIPAA.

The Good News

• The initial Pilot Program has been completed. 115 entities were identified and participated.

Type of Entity | Entity Location | OCR Region
Medicaid Plan | - | Region I
Allopathic & Osteopathic Physicians | NY | Region II
Hospital | NJ | Region II
Group Health Plan | PA | Region III
Group Health Plan | DC | Region III
Healthcare Clearinghouse | - | Region III
Nursing & Custodial Care Facilities | MD | Region III
Pharmacy | PA | Region III
SCHIP | - | Region III
Allopathic & Osteopathic Physicians | NC | Region IV
Allopathic & Osteopathic Physicians | AL | Region IV
Hospital | KY | Region IV
Group Health Plan | TN | Region IV
Healthcare Clearinghouse | OK | Region VI
Health Insurance Issuer | NM | Region VI
Hospital | TX | Region VI
Health Insurance Issuer | MO | Region VII
Dentist | CO | Region VIII
Health Insurance Issuer | ND | Region VIII
Laboratory | SD | Region VIII


The Bad News

The current audit tool is complex and very detailed. Lessons learned from the OCR’s experience with CEs and BAs:

OCR expects full cooperation from the entities. Lack of cooperation in audits and investigations gives the OCR authority to impose Civil Monetary Penalties, on top of the fines described in the HIPAA rules.

OCR expects CEs and BAs to have conducted good faith, reasonable risk assessments to determine: (1) where PHI is located in the business; (2) what types of PHI; (3) who has access to PHI; (4) whether entities have updated policies and procedures; (5) whether employees and applicable contractors have been trained; (6) what security measures have been implemented.

Failure to do at least the above gives the OCR cause to take a harder stance on HIPAA non-compliance.

More Bad News…

On March 21, 2016, Round 2 of the OCR HIPAA Audits began

A new round of federal privacy and security audits will target the business associates of healthcare providers, insurers and other HIPAA-covered entities along with the entities themselves, according to the Office for Civil Rights at HHS.

This includes about 200 desk audits and 24 more comprehensive on-site visits.

HHS' Office for Civil Rights has started sending out e-mails to obtain and verify contact information for covered entities and business associates of various types for possible inclusion in the pool of potential audit subjects.

Insights from OCR

Top three industries with most identity theft, personal information breaches (in order of highest to lowest): (1) retail; (2) finance; (3) health care.

Reports to OCR from Sept. 2009 through August 2015:

1,310 reports involving breach of PHI affecting 500 or more individuals

• Theft and loss: 57%
• Laptops and other portable storage devices: 30%
• Paper records: 22%

179,000 reports of breaches of PHI affecting fewer than 500 individuals

While theft is still the most significant issue, the OCR is finding a rise in the following:

• Types of breaches: hacking/IT and improper disposal
• Types of records: email, EMR and portable devices


Insights from OCR (con’t)

OCR will immediately open up any breach reports involving > 500 individuals

CE or BA should be prepared to respond with:

• Determination of the root cause of the disclosure
• Identification of gaps in compliance that resulted in the breach
• Evidence that the root cause has been addressed to ensure that further breaches do not occur

Recent Enforcement Actions

• Cancer Care Group (electronic)
• St. Elizabeth’s Medical Center (electronic)
• Cornell Prescription Pharmacy (paper)
• Anchorage (electronic)
• Parkview (paper)
• NYP/Columbia (electronic)
• Concentra (electronic)
• QCA (electronic)
• Aetna (electronic)

OCR Enforcement Actions By State

State | No Violation | Resolved After Intake and Review | Corrective Action
Alaska | 11% | 57% | 32%
Alabama | 16% | 59% | 25%
Arkansas | 18% | 58% | 24%
Arizona | 13% | 59% | 28%
California | 13% | 64% | 23%
Colorado | 12% | 60% | 28%
Connecticut | 15% | 56% | 29%
District of Columbia | 11% | 60% | 29%
Delaware | 13% | 61% | 26%
Florida | 15% | 59% | 25%
Georgia | 15% | 61% | 24%
Hawaii | 9% | 62% | 29%
Iowa | 8% | 75% | 18%
Idaho | 10% | 57% | 33%
Illinois | 14% | 60% | 27%
Indiana | 14% | 62% | 24%
Kansas | 9% | 73% | 18%
Kentucky | 15% | 61% | 25%
Louisiana | 12% | 66% | 21%
Massachusetts | 17% | 53% | 30%
Maryland | 12% | 63% | 26%
Maine | 22% | 51% | 27%
Michigan | 12% | 64% | 24%
Minnesota | 12% | 60% | 28%
Missouri | 9% | 71% | 20%
Mississippi | 21% | 51% | 28%
Montana | 17% | 58% | 25%
North Carolina | 16% | 56% | 28%
North Dakota | 20% | 51% | 29%
Nebraska | 7% | 74% | 18%
New Hampshire | 16% | 53% | 31%
New Jersey | 13% | 63% | 25%
New Mexico | 13% | 61% | 26%
Nevada | 10% | 64% | 26%
New York | 11% | 65% | 24%
Ohio | 12% | 64% | 24%
Oklahoma | 16% | 62% | 22%
Oregon | 12% | 58% | 31%
Pennsylvania | 14% | 59% | 26%
Rhode Island | 19% | 37% | 44%
South Carolina | 15% | 56% | 28%
South Dakota | 17% | 56% | 27%
Tennessee | 15% | 57% | 28%
Texas | 14% | 62% | 24%
Utah | 15% | 58% | 27%
Virginia | 14% | 60% | 27%
Vermont | 19% | 56% | 26%
Washington | 10% | 57% | 33%
Wisconsin | 14% | 61% | 25%
West Virginia | 14% | 64% | 22%
Wyoming | 12% | 59% | 30%

The OCR Audit Tool: As We Understand It at This Time

The OCR Audit Tool – Risk Assessment

CE must conduct an accurate and thorough risk assessment

Elements of Compliance:

• Policy stating that risk assessment will be performed
• Audit tool used by CE (including evidence that audit tool has been revised to meet changes in CE’s business environment)
• Documentation of risk assessment performed periodically (yearly recommended)
• Documentation evidencing that CE has identified all areas and systems that contain PHI


OCR Audit Tool - Recommended Technology

CE should consider (but is not required) implementing technology, hardware, software and services to protect PHI.

Elements of Compliance:

• Any technology used should consider the sensitivity of the type of data and the applicability of the IT solution to the intended environment
• Written policies regarding IT systems used to secure PHI

OCR Audit Tool - CE Audits

CE must regularly review PHI access activity

Elements of Compliance:

• Policy on audit logs, access reports and security incident tracking reports
• Evidence of audit activities

OCR Audit Tool - Security

CE must implement security measures to reduce risks and vulnerabilities to breaches

Elements of Compliance:

• Policy on security measures used
• Measures should address data moved within the organization and data sent out of the organization


OCR Audit Tool - Privacy & Security Officer

CE must designate a HIPAA Privacy and Security Officer responsible for security measures

Elements of Compliance:

• Documentation showing Privacy and Security Officer assigned
• Documentation of job duties description of HIPAA Privacy and Security Officer
• Org chart showing chain of command and communication line relevant to the HIPAA Officers

OCR Audit Tool - Security

CE must implement security measures regarding assigning access to workforce members to PHI

Elements of Compliance:

• Policy on how access to PHI is assigned/set up for employees and relevant contractors (e.g., IDs, passwords)
• Policy on levels of access to PHI (including ePHI), and how those whose jobs do not require access to PHI are not given access to PHI
• Policy on terminating access to PHI
• Does IT system have capacity to set access controls (e.g., read only, modify, full access, print, etc.)?
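The two access-related slides above (regular review of PHI access activity, and policies on assigning, levelling and terminating access) are the kind of thing an auditor wants evidence for. The following is an added example, not code from the presentation or from any CE: it reviews constructed audit-log lines against a constructed role-based access matrix and workforce roster, flagging unknown accounts, use of access after termination, and actions beyond a role's permitted level. All roles, user ids, dates and log lines are assumptions made up for the example.

```python
"""Periodic review of ePHI access activity against an access policy (added example)."""
from dataclasses import dataclass
from datetime import datetime

# Constructed access matrix: which actions each role may perform on ePHI
# (the "levels of access" element: read only, modify, print, ...).
ROLE_PERMISSIONS = {
    "nurse": {"read", "modify"},
    "billing": {"read", "print"},
    "facilities": set(),  # job does not require PHI access at all
}

# Constructed workforce roster: user id -> (role, termination date or None)
WORKFORCE = {
    "jdoe": ("nurse", None),
    "asmith": ("billing", None),
    "bjones": ("facilities", None),
    "klee": ("nurse", datetime(2016, 3, 1)),  # access should have been terminated
}

# Constructed audit-log lines: timestamp|user|action|record id
AUDIT_LOG = """\
2016-03-10T08:12:00|jdoe|read|MRN-1001
2016-03-10T08:15:00|jdoe|print|MRN-1001
2016-03-10T09:00:00|asmith|print|MRN-1002
2016-03-11T02:30:00|bjones|read|MRN-1003
2016-03-12T10:00:00|klee|read|MRN-1004
2016-03-12T10:05:00|ghost|read|MRN-1005
"""


@dataclass
class Finding:
    user: str
    reason: str
    line: str


def parse_line(line):
    """Split one constructed log line into (timestamp, user, action, record)."""
    ts, user, action, record = line.split("|")
    return datetime.fromisoformat(ts), user, action, record


def review_access_log(log_text, workforce=WORKFORCE, perms=ROLE_PERMISSIONS):
    """Return findings: unknown accounts, post-termination use, actions beyond role."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, action, _ = parse_line(line)
        if user not in workforce:
            findings.append(Finding(user, "unknown account", line))
            continue
        role, terminated = workforce[user]
        if terminated is not None and ts >= terminated:
            findings.append(Finding(user, "access after termination", line))
            continue
        if action not in perms.get(role, set()):
            findings.append(Finding(user, f"action '{action}' not permitted for role '{role}'", line))
    return findings


if __name__ == "__main__":
    for f in review_access_log(AUDIT_LOG):
        print(f"{f.user}: {f.reason} -> {f.line}")
```

The list of findings, together with the roster and matrix it was checked against, is the "evidence of audit activities" an auditor can be shown; a real review would read the log and roster from the systems of record rather than inline constants.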

OCR Audit Tool - Workforce Training

CE must provide training to its workforce members on HIPAA compliance

Elements of Compliance:

• Training materials
• Documentation of who is trained


OCR Audit Tool – Workforce Training

Additionally, OCR will want to see actual evidence of workforce training

Elements of Compliance:

• Policy on training
• Training materials
• Evidence of initial and periodic training

OCR Audit Tool - Breaches

CE must have procedures on how to respond to suspected or known breaches

Elements of Compliance:

• Policy on breach incidents, to include: how to identify and document incidents, appropriate responses, and post-incident analysis (e.g., root cause analysis)

OCR Audit Tool - Breaches

CE must conduct a risk assessment of each breach event

Elements of Compliance:

• Evidence of analysis of breach event in order to mitigate future breaches
• Corrective actions (including workforce member discipline, equipment repairs, etc.)
• Notices to affected patients (timeliness of such notices as well)
• Notification to OCR within 60 days (if >500 individuals affected) or within 60 days of end of year (if <500)


OCR Recommendations - Breaches

If a breach is close to 500 affected individuals, carefully determine the exact number affected. If 501, then the case will be immediately opened and a survey will occur.

If a good faith risk assessment and internal audits are in place (including proper policies and training of workforce), then OCR will be easier on the CE.

If CE does not cooperate during investigation, OCR will take a harder stance and may even invoke CMP law.

OCR Audit Tool - Contingency Plan

CE must have a defined contingency plan

Elements of Compliance:

• Documentation of process for identifying critical applications, data, operations, and manual and automated processes involving ePHI
• Process for backing up and recovering ePHI
• Process for enabling the continuation of critical business processes that protect the security of ePHI while operating in emergency mode
• Is contingency plan tested periodically?

OCR Audit Tool – Evaluation Plan

CE must have an evaluation plan

Elements of Compliance:

• Policy on evaluating effectiveness of security measures
• For example, does software or other technology implemented adequately safeguard PHI, and if not, what changes were made?
• Are processes revised and updated in response to changes in environment and operations in the organization?


OCR Audit Tool - BAAs

CE must enter into Business Associate Agreements as applicable

Elements of Compliance:

• Policy or process for ensuring BAAs are entered into appropriately
• OCR will request samples of BAAs

OCR Audit Tool – Physical Access

CE must ensure facilities and equipment are protected from unauthorized physical access to, tampering with, or theft of PHI

Elements of Compliance:

• Policy regarding access to and use of facilities and equipment that house PHI
• Should address employees, contractors, visitors

OCR Audit Tool – Disaster/Emergency Plan

CE must have a Disaster Recovery Plan and Emergency Mode Operations Plan

Elements of Compliance:

• Policy regarding access to and restoration of lost data
• Should include how to repair or modify physical components of the facility (e.g., hardware, walls, doors, locks, etc.)


OCR Audit Tool - Workstations

CE must assess workforce workstations for risk areas

Elements of Compliance:

• Assess workstations to determine risk of unauthorized access to PHI
• Implement safeguards (e.g., screen covers, auto log off, etc.)
• If laptops are used, are they encrypted and secured in the event they are removed off site?
• Is PHI protected from the elements (e.g., fire, water damage, etc.)?

OCR Audit Tool - Disposal

CE must have a Disposal Plan

Elements of Compliance:

• Policy on how to properly dispose of PHI, including equipment that contains PHI

OCR Audit Tool - Access

CE must have measures to authenticate users who access ePHI

Elements of Compliance:

• Documentation and process regarding authenticating (verifying) that a person is who he/she claims to be before accessing ePHI (e.g., passwords, smart cards, fingerprint scan)
• Is the authentication process periodically tested for accuracy?


OCR Audit Tool - Authorizations

CE must document and retain any signed authorization

Elements of Compliance:

• Policy regarding documentation and retention of signed authorization to release PHI
• OCR will review patient intake forms for both inpatient and outpatient services for consent and authorization forms, if any

OCR Audit Tool – Facility Directory

If CE has a facility patient directory, only limited information is disclosed

Elements of Compliance:

• Name, location in facility, general condition only, religious affiliation
• Only release such information to clergy or persons who ask about the patient by name
• Policy and process permitting patient to object to disclosure in directory

OCR Audit Tool - Disclosure

CE must verify person authorized to consent to disclosure

Elements of Compliance:

• Policy must evidence process on:
  • How CE verifies the identity of the person authorizing disclosure
  • If a public official is requesting PHI, then must show (1) ID card if in person; or (2) request on government letterhead if not in person


OCR Audit Tool - NPP

Notice of Privacy Practices

Elements of Compliance:

• Notice of Privacy Practices must meet minimum statements under HIPAA
• See 45 CFR §164.520
• How are NPPs distributed to patients?

OCR Audit Tool – Patient Rights

Right of Individual to Request Restrictions, Right to Access and Right to Amend

Elements of Compliance:

• Policy on patient’s right to restrict uses and disclosures of PHI
• Policy on patient’s right to access their PHI
• Policy on patient’s right to amend their PHI
• If CE denies access to or ability to amend PHI, then process in place for a designated reviewing official to make decision
• Documentation evidencing each incident

OCR Audit Tool – Accounting of Disclosures

Right of Individual for accounting of disclosures

Elements of Compliance:

• Policy on patient’s right to an accounting of disclosures of PHI
• Documentation of why accounting is denied (e.g., impedes law enforcement activities)
• Documentation evidencing that accounting minimally contains the following: (1) name and address of entity disclosed to; (2) brief statement as to purpose of disclosure; (3) description of PHI disclosed; (4) why it was or was not disclosed
• OCR will request a sampling of such accounting records


OCR Audit Tool - Sanctioning

Sanctioning Workforce Members and Contractors

Elements of Compliance:

• Policy on sanctioning (disciplining) workforce members for violating policies and HIPAA
• Corrective actions (including termination) of contractors
• Policy on non-retaliation of workforce members for reporting HIPAA concerns

Key elements of a HIPAA Compliance Plan

• Privacy and Security policies and procedures
• BAAs in place
• Privacy Officer/Security Officer appointed
• Workforce Training
• Understanding breach reporting obligations
• Periodic Security Risk Assessment
• HHS Security Risk Assessment Tool at healthit.gov

“Lack of robust plan can lead to higher penalties” -OCR

Six Quick & Dirty Tips To Help You Survive an OCR HIPAA Audit


1. Practice & Prepare

• Before OCR comes a knockin’, conduct HIPAA risk assessments and internal audits, review findings, assess vulnerabilities and implement corrective action

• Two-Thirds of CEs audited in Phase 1 had not completed a risk assessment

• Overachievers – Impress OCR by showing them documentation that you conduct risk assessments and internal audits regularly

2. Evaluate Your Privacy & Security Policies

• Perform an in-depth assessment of your privacy and security policies & procedures or HIPAA active compliance program

• Appoint a HIPAA Compliance Officer or Coordinator

• Privacy compliance should focus on PHI access, administrative requirements, uses and disclosures

• For security compliance, focus on administrative, physical and technical safeguards

3. Perform an Internal Review of Electronic Files

• Encrypting all electronic files is key – primarily patient-sensitive data
• Verify and validate which electronic files are being encrypted
• Perform this assessment before any external audits are done


4. Assess Organizational Compliance Risks

• Phase 1 of the OCR HIPAA audits revealed that two-thirds of organizations were not conducting a complete and accurate HIPAA security risk assessment
• Start by inventorying all of your organization’s systems that handle PHI
• Develop remediation plans, if necessary
• HHS has a free HIPAA security risk assessment tool on their website: www.HealthIT.gov/security-risk-assessment

5. Compile a List of Vendors & Business Associates

• OCR will ask to see a list of all business associates that have access to your PHI

• Include anyone that works “behind the scenes” with your hospitals, health plan or providers, i.e., contractors, consultants, software vendors, data storage companies, attorneys, third-party billers, etc.

6. Evaluate, Evaluate, Evaluate

• Inspect your HIPAA policies and procedures, especially:
  • Employee access
  • New hire employee training
  • ePHI policies
  • eFile sharing procedures
  • Faxing, emailing
  • Notice of Privacy Practices & policies
  • Breach mitigation
  • Disaster recovery
  • Data backup
• Update policies & procedures regularly


One Last Joke…

I’m sorry…

Thank you for your kind attention!


Questions?

Christopher J. Allman, JD, CPHRM

Director of Risk Management, Compliance & Insurance

Garden City Hospital

Garden City, Michigan

[email protected]