PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of...
Transcript of PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of...
![Page 1: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/1.jpg)
1
PRIVACY AND SECURITY PROGRAM AUDIT AND
MONITORING
HEALTH CARE COMPLIANCE ASSOCIATION
COMPLIANCE INSTITUTEKenneth Hopkins, Director, Internal Audit & Privacy
Officer April 24, 2007
OBJECTIVESCompare Auditing vs. MonitoringOverview of key privacy and security program provisions How to audit the privacy and security programs for compliance and improvementHow operating departments can monitor the programPractical tips to implement an effective audit and monitoring program
![Page 2: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/2.jpg)
2
DEFINITIONAuditing
A systematic and structured approach • Formal review (performed by an individual(s)
independent of the department);• Includes planning, risk identification, assessing
internal controls, sampling of data, testing of processes, validating information; and
• Formal communication of recommendations and corrective action to management and the Board.
DEFINITIONMonitoring A process involving ongoing “checking” and
“measuring” to ensure quality control• The process is less structured than auditing; and• typically is performed by departmental staff
– Operational managers or the privacy officer
• Daily, weekly, or other periodic spot checks to verify that essential functions are being adequately performed and that processes are working effectively.
• May identify the need for a more detailed audit
![Page 3: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/3.jpg)
3
PRIVACY PROGRAM
PRIVACY OFFICIAL
NOTICE OF PRIVACY
PRACTICES
POLICY AND PROCEDURES
PATIENT PRIVACY RIGHTS
TRAINING
COMPLAINTS
PATIENT PRIVACY RIGHTS
ACCESS
CHANGES
ACCOUNTING
RESTRICT
CONFIDENTIAL COMMUNICATION
NOTICE OF PRIVACY PRACTICES
![Page 4: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/4.jpg)
4
PRIVACY PROGRAMAuditing – audit more visible areas and higher
risk; high volume or problem prone • Notice and acknowledgment• Faxing of PHI • Training • Disposal of PHI• Complaints
AUDITING PROCESS
• Plan & understand the process• Risk assessment• Internal controls• Audit steps - test and documentation • Audit report and recommendations• Corrective actions
![Page 5: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/5.jpg)
5
AUDITING NOTICEMost visible HIPAA requirement !Planning• Provide notice at time of service• Tracking notice in the computer • Signed acknowledgment – chart• Notice Posters – service locations• Notice posted on web-site
AUDITING NOTICE
Risk Assessment• Complaints - Office of Civil Rights (OCR)• Potential fines and penalties - $100 per
violation up to $25,000 per standard annually • Potential OCR investigation• Potential damage to hospital reputation
![Page 6: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/6.jpg)
6
AUDITING NOTICE
Internal Controls• Notice tracking process• Acknowledgement signed by patient • Policy and Procedures• Training staff
AUDITING NOTICE
Audit steps -• Review notice tracking reports by service • Review sample of patient charts • Determine compliance percentage• Walkthrough – for posters • Review web-site for posted notice • Document exceptions
![Page 7: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/7.jpg)
7
AUDITING NOTICE
Audit reportPrepare audit report with findings and
conclusions (what needs improvement?) – recommendations – corrective actions – follow-up
AUDITING FAXINGRequirements
• Cover sheet (important warning)• Procedures
– cover sheets at all fax machines? - double check fax numbers? - complaints related to faxing? - misdirected faxes? - walk-through
![Page 8: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/8.jpg)
8
AUDITING FAXING
• Findings – PHI left on fax machines - Patient complaints
• Corrective actions - HIPAA e - mail - Training focus - Discipline employee
AUDITING TRAININGKey to effectiveness!List of all new workforce members (1 year) • Understand the processes and content
- orientation and web based course • Sample – higher risk areas • 100% audit of training • HealthStream reports • Physician credentialing
![Page 9: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/9.jpg)
9
AUDITING TRAININGResults • Identify delinquent staff • 2nd chance to complete • Manager accountability • Alternate training methods• Corrective action
AUDITING DISPOSAL OF PHI
List of all confidentiality bins • Understanding the process• Check copy machines for PHI • Check waste baskets for PHI • Audit vendor facilities• Identify problem areas • Mitigate • Corrective action
![Page 10: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/10.jpg)
10
AUDITING COMPLAINTS
List of all complaints during the past year (identify that procedures are effective)
• Review the complaint log and issues• Review the investigations • How was each resolved? timely? • Summarize by types of issues • Mitigate – improve processes• Corrective action taken
AUDITING COMPLAINTS
Review OCR national data base statistics on complaints (Top 5: 11,280 complaints)
• Impermissible disclosures (gossiping)• Lack of adequate safeguards (leave files out) • Failure to provide access to records • Disclosure of more than minimum necessary • Failure to include valid language in
authorizations
![Page 11: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/11.jpg)
11
AUDITING COMPLAINTS
Results -• 24% - Impermissible disclosures • 52% - Lack of adequate safeguards or
following established procedures • Recommendations/trends
- consistent discipline, follow procedures - training, training, training - HIPAA h-mail (reminders)
PRIVACY PROGRAMMonitoring
• Notice and acknowledgement - registration • Disposal of PHI - department• Faxing of PHI - department • Accounting of disclosures - department
![Page 12: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/12.jpg)
12
MONITORING PROCESS
• Determine what to monitor • Buy-in from department managers• Periodic spot checking• Identify problem areas or compliance • Communicate Issues • Corrective actions• Follow-up
MONITORING NOTICE
• Registration manager reviews notice report daily for compliance
• Review a few charts for patient sign-off • Observe registration process periodically • How are exceptions being handled? • Reinforce importance with staff• Communicate issues - staff & Privacy Officer
![Page 13: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/13.jpg)
13
MONITORING DISPOSAL OF PHIAreas with significant PHI access• Confidential shredding bins (locked)• Shredder (if available)• Paper, computer medium such as CDs,
plastic, etc.• Walkthrough:
- Check copy machines for PHI - Waste baskets for PHI
MONITORING FAXING OF PHI Areas – high volume faxing Sending faxes that contain PHI• Use of approved cover sheet • 5 point fax checklist• Reasonable steps• Misdirected faxes• PHI left on fax machines
![Page 14: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/14.jpg)
14
MONITORING ACCOUNTING OF DISCLOSURES
Accounting of Disclosures Must Contain
Date, Name and, if known, address: Description of the PHI disclosed; andPurpose of disclosure6 year period
Centralized software such as – Disclosure Trac
.
MONITORING ACCOUNTING OF DISCLOSURES
– Print Disclosure Trac report for the period – 7/1/2006 – 12/31/2006– By disclosure reason (user)– Print out a sample of detail (25 patients)– Review any requests for AOD
![Page 15: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/15.jpg)
15
SECURITY PROGRAM
Definition:Formal information security program with administrative, physical facility and technical safeguards; policies and procedures; and processes to manage security.
Covers – all electronic patient health information
SECURITY PROGRAM
SECURITY OFFICIAL
POLICY AND PROCEDURES
SAFEGUARDS
TRAINING and REMINDERS
AUDIT AND MONITORING
SECURITY INCIDENT
PROCEDURES
![Page 16: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/16.jpg)
16
SAFEGUARDS
• Administrative• Physical facilities• Technical
SECURITY PROGRAM AUDITING
• Security management• Security Walkthrough - new facilities• Training and reminders• Incidents• Evaluation• Security rounds
![Page 17: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/17.jpg)
17
AUDITING SECURITY MANAGEMENT
• Select all new hires for review • Obtain security access authorizations• Review for appropriate access for job• Termination of access (timely)• High risk areas
- data center employees- disgruntled employees (high risk)
AUDITING SECURITY WALKTHROUGH
New facilities:• Perform a physical security walk-through • Document controls and safeguards• Card key access• Data center• Exits not closing• Workstation locations• Laptops
![Page 18: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/18.jpg)
18
AUDITING TRAINING & REMINDERS• Combined privacy & security training
Same audit as privacyDifferences:
• Awareness of risks – training content- passwords and malicious software
• Periodic reminders – (HIPAA e-mail)
AUDITING SECURITY INCIDENTS
• Security log maintained – all incidents• Identify top 5 issues/trends • Documentation • Inappropriate access to computer PHI• Audit trail (permanent record on CD)
- What patients has a user accessed? • Sanctions – suspension, termination
![Page 19: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/19.jpg)
19
AUDITING ANNUAL EVALUATIONChanges and new facilities
• Ongoing evaluation and audit • New computer applications• New physical facilities• New technical safeguards• New risks (Wireless, camera phone, PDA)• Document actions to reduce risk
AUDITING SECURITY ROUNDSUse the work of security staff
• Open doors • Theft of computers• Surveillance cameras – proactive• Card key access reports• ID Badges • Opening doors for staff• Termination of facility access
![Page 20: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/20.jpg)
20
SECURITY PROGRAM MONITORING
Computer access Lap top securityPhysical securitySecurity officer walk-throughWorkstationsCard key access reportsPassword management
MONITORING COMPUTER ACCESS
Discourage unauthorized viewing of PHI • Computer access based upon job• Use of audit trail (CD permanent storage) • High Profile patients (VIP, celebrities) • New hires within 60 days• High risk departments • Random selection of users
![Page 21: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/21.jpg)
21
MONITORING LAPTOPSObtain inventory of laptops and locations• Walkthrough locations • Locking cables in use • Check for PHI stored on the hard drive• CDs or diskettes with PHI secured• Are laptops taken home?
MONITORING PHYSICAL SECURITY
• Walkthrough areas where PHI is stored after regular hours and week ends
• Are doors secured by loading docks? • Data center access – card key access
reports• Sensitive areas (i.e. PHI or computers)
![Page 22: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/22.jpg)
22
MONITORING – WALK-THROUGH
• Observe do employees wear ID badges?• Workstations logged on unattended • Doors locked appropriately• Workstation with password labeled• Wireless personal computer carts • Compare employee behavior to policies • Weekends and off hours
MONITORING WORKSTATIONSScreens pointed away from public• Screen savers in use • Check for anyone logged on and not present• Any passwords attached to keyboard
![Page 23: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/23.jpg)
23
MONITORING CARD KEY ACCESS
Obtain list of those with access to sensitive areas and card key access reports:
• Data Center • Medical Records/coding• Operating Room• Billing• MIS
MONITORING PASSWORD MANAGEMENT
Review password do’s and don’ts:• Policy on passwords• Expiration period • Request report of passwords used• Review logs of failed log–on attempts• Help desk – resetting passwords
![Page 24: PRIVACY AND SECURITY PROGRAM AUDIT AND MONITORING · 9Compare Auditing vs. Monitoring 9Overview of key privacy and security program provisions 9How to audit the privacy and security](https://reader036.fdocuments.us/reader036/viewer/2022070811/5f09b9637e708231d4283694/html5/thumbnails/24.jpg)
24
Disclaimer
The information contained herein has been obtained from sources believed to be reliable. The author and Jefferson Regional Medical Center disclaims all warranties as to the accuracy, completeness or adequacy of such information and and shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations hereof. The reader assumes the sole responsibility for the selection of these materials to achieve the intended result. The opinions expressed
herein and by the presenter are subject to change without notice and are not necessarily the opinions of Jefferson Regional Medical Center.
PRIVACY AND SECURITY PROGRAM AUDIT AND
MONITORING
Questions and Answers
Kenneth Hopkins, Director, Internal Audit & Privacy Officer, CPA, CIA, CISA, CHC