Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits

WEBINAR

Transcript of Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits

2

Introductions

• Gant Redmon, CIPP/US, General Counsel & VP of Business Development, Co3 Systems

• Amy Derlink, Chief Privacy Officer, IOD Incorporated

© IOD Incorporated. All rights reserved.

3

About Co3 – Incident Response Management

PREPARE – Improve Organizational Readiness

• Appoint team members

• Fine-tune response SOPs

• Escalate from existing systems

• Run simulations (fire drills / table tops)

ASSESS – Identify and Evaluate Incidents

• Assign appropriate team members

• Evaluate precursors and indicators

• Correlate threat intelligence

• Track incidents, maintain logbook

• Prioritize activities based on criticality

• Generate assessment summaries

MANAGE – Contain, Eradicate, and Recover

• Generate real-time IR plan

• Coordinate team response

• Choose appropriate containment strategy

• Isolate and remediate cause

• Instruct evidence gathering and handling

• Log evidence

MITIGATE – Document Results & Improve Performance

• Generate reports for management, auditors, and authorities

• Conduct post-mortem

• Update SOPs

• Track evidence

• Evaluate historical performance

• Educate the organization

4

About IOD

• IOD serves as a trusted partner for more than 2,000 hospitals, clinics and integrated delivery networks (IDNs) nationwide.

• Specializes exclusively in healthcare, so they understand the myriad challenges associated with patient records management and patient confidentiality.

• Provides customized solutions that are precisely designed and scaled to help you achieve your business goals.

5

Is it really necessary now?


6

Reported Breaches 2009 – To Date (Involving >500 individuals)

• 1,136 reported breaches

• 39M patient records affected

• 64% theft or loss, of which 34% was due to unencrypted portable devices

• 29% breach by a BA

• 44% of breaches stem from the five largest incidents

7

The Purpose of the OCR Audits

• Not for enforcement

• Lead to compliance activity

• Bring to light the security and privacy responsibilities

• Share best practices among CEs and BAs

8

Who is eligible to be audited?

• Every CE is eligible for an audit

• OCR starts with 200 desk audits

• Surveyed over 1,200 entities governed by HIPAA

– 800 Covered Entities

– 400 Business Associates

• Of the 1,200, OCR selects 350 CEs and 50 BAs for comprehensive audits

9

How are you chosen for the audit?

RANDOMLY CHOSEN

10

Who is the auditor?

• The auditor summarizes findings and results and highlights consistent issues found

• The auditor sends the final report to the CE and BA

• The final report covers:

– How the audit was conducted;

– What the findings were; and

– What actions the covered entity is taking in response to those findings.

11

OCR Audit Notification

• For on-site audits – OCR will call to verify contact info

• Letter is sent by registered mail

– 30-90 days prior to the audit

• Who gets the letter?

– CEO…

– Clerical staff…

12

OCR Notification Clock Starts

• Date of signature = start of the time clock

• The Covered Entity has 10-14 days to provide documentation to the OCR

13

How Does the Audit Program Work?

Stage                                                         Elapsed time
Notification letter sent to Covered Entities                  1 day
Receiving and reviewing documentation; planning the           Minimum of 10 days
  audit field work
On-site fieldwork                                             3 – 10 days
Draft audit report                                            20 – 30 days
Covered Entity reviews and comments on draft audit report     10 days
Final audit report                                            30 days

Start-time markers: Day 1 (notification letter), Day 10 (documentation review), Day 30/90 (on-site fieldwork). The timing of the later stages is dependent on completion of fieldwork.

14

What is the audit protocol?

• It is a compliance initiative that:

– Targets certain failures

– Includes policy and procedure review and a site visit

• The audit may uncover vulnerabilities and weaknesses that can be appropriately addressed through corrective action on the part of the entity.

15

Audit Protocol

• Analyzes processes, controls and policies of selected CEs pursuant to the HITECH Act audit mandate.

• OCR provides the set requirements to be assessed through these performance audits.

• Organized around modules, representing separate elements of privacy, security, and breach notification.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html


16

Audit Protocol Basis

• Analysis of Findings by Rule

– The OCR collected findings and data by looking at each of three modules:

– Privacy: 65%

– Security: 26%

– Breach: 9%

17

What’s being audited? 169 criteria

• 81 criteria for Privacy Rule requirements

• 78 criteria for Security Rule requirements (administrative, physical, and technical safeguards)

• 10 criteria for Breach Notification Rule requirements

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

19

The procedure the auditors will use:

• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html


20

Desk Audit Process

• All P&P and strategic plans are due within 15 days of receipt of the letter

– Any signed after the date of the letter do not count

• On-site Audit and data collection occurs 3-10 days after the desk audit

– on-site audits last up to 10 business days and involve up to five auditors


21

On-Site Review

• Interview personnel and random staff

– Site walk-through

– Operational reviews

– After the interview, request supporting documentation

• Consistency must be evident between what management states, what the policy states and what is being practiced in the organization

22

Post On-Site Audit Activity

• Audit team will deliver a draft report to the CE/BA within 20-30 days post on-site review

• Your Audit Response Team should expect additional questions and data collection

• Prepare to respond to the findings from the OCR and their recommendations

23

Audit Response Team

• Review the draft report and respond to all deficiencies noted

• Identify clarifying questions, mitigating information and plans for remediation

• Team should use advice from consultants and legal counsel when developing the response

24

Audit Readiness


25

Audit Readiness: Team

• Establish an Audit Response Team or Committee for the auditor to meet with

• Audit Response Team identifies all potential auditors:

– State laws

– HIPAA

– SOC

– OCR

– HITECH

– Attorneys General

– Meaningful Use

– etc.

POLL

Do you have an audit task force in place to respond to complaints or inquiries, and are you a member of it?

27

Who is our Audit Response Team?

• Not IT driven

• HR - Education

• Privacy Officer

• Physicians

• Nursing

• Compliance Officer

• Security Officer

• CEO


28

Audit Response Readiness: Response

• Develop plan for interaction with audit team

• Identify key personnel who will handle coordination activities

• Identify clear roles and responsibilities

• Conduct mock audits to exercise plan and keep personnel current


29

Audit Response Team: Tasks

• Conduct a risk analysis to determine exposure and how to best manage risks appropriately

– Confidentiality

– Integrity

– Technical infrastructure, hardware and software security, mobile devices

– Availability of ePHI

– Privacy concerns

• Determine how to sufficiently reduce the risks and vulnerabilities to a reasonable and appropriate level


30

Control Catalogue


31

Current Findings of Audits by OCR

• Impermissible uses and disclosures of protected health information (PHI);

• Lack of safeguards of PHI;

• Lack of patient access to their PHI;

• Uses or disclosures of more than the Minimum Necessary PHI; and

• Lack of administrative safeguards of electronic PHI.


32

Problems with Meeting the Protocol

• Non-prioritization of HIPAA compliance

• Documentation of P&P

• Evidence of compliance

• Consistency in all areas of the CE and their BAs

• Management unaware of P&P

33

Audit Readiness


POLL

Does your organization have annual reviews of your policies and procedures in regard to HIPAA?

35

Audit Readiness: Ensuring Success

Leadership is Key

• Positive attitude

• Good preparation creates successful audit outcomes

• Develop a process that ensures communication and feedback within your organization

36

Audit Response: Ensuring Success

Response Preparation is Key

• Conduct frequent meetings to collect observations and staff input

• Note deficiencies the team has had in responding to an audit question

• Engage consultants and seek legal advice when creating responses

• Focus on plans for remediation and timelines

37

Audit Readiness: Ensuring Success

Audit plan

+ Audit response team

= SUCCESS


38

IOD’s Approach to OCR Compliance

• Environmental Scan: Monitoring of Privacy Compliance and Investigations into Privacy Violations

• Conduct internal audits and risk assessments

• Focus on your BAs

• Manage 3rd party Risks

• Address Privacy Challenges


39

IOD’s Approach

• OCR Audit Protocol as Internal Tool

– Downloaded and created as an organizational reference tool

– Identify and document how the organization meets compliance to the protocol criteria/standards through activities, plans, policies, procedures, etc.


40

Refined Business Associate Management

• Identify all Business Associates (BAs) and Business Associate Agreements (BAAs)

• Develop compliant BAAs

• Address assurances that the BA is compliant

– Consider size and scope of the BA arrangement and potential impact of breach/security incidents (e.g., ROI and collections vendors)

– Monitor industry-reported breaches for BA concerns

– Consider annual communications to key BA contacts

41

Refined Breach Management Process

• Breach Management

• What Is Happening in Industry

• Increasing Investigations

• Increasing EHR Access Issues

• What are Key Risk Areas

• Targeted Training, Education, and Awareness Activities

• High Risk Events – Prepare and Document in Anticipation of External Audit (OCR, State Licensing Bureau, Joint Commission, etc.)


42

Target High Risk Areas

• Refocus Training, Education and Awareness

• All staff – reduce the “academics” of privacy and security and focus on breach scenarios

– Focused newsletter articles

• High risk/problematic areas

– Unauthorized EHR access, use, and disclosure

– Lost/stolen devices (new reporting checklists)

– Social media (strong policy/education)

43

Evaluate P&Ps and Refine as Necessary

• Create, Review, Revise Privacy and Security P&P

– Templates need to be customized!

• Share with Business Associates and Partners

• Hold Workforce Members Accountable

• Strong Breach and Sanctions Guidance Required


44

Lack of Compliance… at what cost?

• $4.3 million – HHS Civil Money Penalty for HIPAA Privacy Rule violations

• $3.3 million – New York Presbyterian Hospital settles HIPAA case

• $1.7 million – Concentra Health Services settles HIPAA case

• $1.7 million – WellPoint Inc. settles HIPAA case

• $1.5 million – Massachusetts provider settles HIPAA case

• $800,000 – Parkview Health System settles HIPAA case

45

Handling the Audit Challenge

• Recognize that security is a good thing

• Recognize that you can’t do it alone

• Recognize that you can’t do it overnight

• Believe that you can make it happen


47

Upcoming Co3 Events

• FS-ISAC EU Summit, London, UK: November 3-5

• QCon, San Francisco, CA: November 3-5

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITORS’ CHOICE

“One of the hottest products at RSA…”

NETWORK WORLD – FEBRUARY 2013

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

Amy Derlink, RHIA, CHA

Chief Privacy Officer

IOD Incorporated


“One of the most important startups in security…”

– Business Insider

“...an invaluable weapon when responding to security incidents.”

– Government Computer News

“Co3 has done better than a home-run...it has knocked one out of the park.”

– SC Magazine

“Most Innovative Company 2014 Top 10 “

– RSA Conference