Why preparing for an OCR audit is neither boiler plate ... · Why preparing for an OCR audit is...


20/02/2014

1

Why preparing for an OCR audit is neither boiler plate, straightforward or predictable . . . and what to do when everything you thought you knew changes throughout the process

A Case Study

Presented to: Health Care Compliance Association, April 2, 2014

Andi Bosshart, CHS

Donna Hinton, CHS

Dion Sheidy, PwC

and Laurie Smaldon, PwC

www.pwc.com

PwC/CHS

Agenda

• Background

• Receipt of notice

• Managing the response

• Preparing for the on-site assessment

• What is the OCR doing now?

• Lessons Learned – where you should focus and how to prepare

2


• Medical identity theft is increasingly on the rise. More than 7 million patient records were breached last year – up 138% from 2012.

• A breach of PHI occurs, on average, every other day, resulting in an estimated $50 billion in losses to business from data and identity theft.

• Of the 11 million people affected by a data breach since September 2009, 55% were affected by a data breach involving business associates.

• Nearly half (55%) of healthcare organizations have not addressed the privacy and security of mobile devices.

• Fewer than 50% of organizations note that they have included approved uses of social media and mobile devices in their organization’s training.

3


Background

The HITECH Act in the American Recovery and Reinvestment Act of 2009 requires the Department of Health & Human Services ("HHS") to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards.

4


Background

For the pilot phase OCR identified a broad representative pool of covered entities.

Criteria reportedly used in the selection process:

• whether the entity is public or private

• the size of an entity

• affiliation with other healthcare organizations

• the type of entity and relationship to patient care

• past and present interaction with OCR concerning HIPAA enforcement and breach notification

• consideration of geographical factors

OCR retained Booz Allen Hamilton to recommend a model HIPAA auditing plan; KPMG engaged to implement the audit plan.

5


Completed audits of 115 entities: 61 providers, 47 health plans and 7 clearinghouses – assessed compliance with 169 requirements under the HIPAA privacy, security and breach notification rules.

Level 1 Entities

• Large Provider / Health Plan

• Extensive use of HIT – complicated HIT-enabled clinical / business work streams

• Revenues and/or assets greater than $1 billion

Level 2 Entities

• Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company

• Paper and HIT-enabled work flows

• Revenues and/or assets $300 million to $1 billion

Level 3 Entities

• Community hospitals, outpatient surgery, regional pharmacy / All self-insured entities that don’t adjudicate their claims

• Some but not extensive use of HIT – mostly paper-based workflows

• Revenues $50 million to $300 million

Level 4 Entities

• Small Providers (10 to 50 provider practices, community or rural pharmacy)

• Little to no use of HIT – almost exclusively paper-based workflows

• Revenues less than $50 million

6


Summer – Nashville TN

7


Receipt of Notice

• Wesley Medical Center in Hattiesburg, Mississippi

• Wesley is a 211 bed hospital and an affiliate of Community Health Systems Professional Services Corporation (“CHS”)

• CHS comprises 206 affiliated hospitals in 29 states

• Compliance is a Corporate Program implemented locally

• OCR Notice of Audit was received June 8, 2012 (audit conclusion and final report was December 2012)

• The Notice of Audit is a detailed and extensive document request list

• Document submission is required within 15 days of receipt of notice

• The audit is conducted based on the documentation submitted in response to the document request list – no late entries are accepted

8


Notice and Document Request List

Documents requested support three categories: (i) general information, (ii) security, and (iii) privacy including breach notification.

• General information includes previous audit reports, evaluation or assessments related to HIPAA, organizational charts, governance, etc.

Security documentation includes administrative, technical and physical safeguard policies, but also:

• List of role-based access by job level and the level of PHI access needed

• Log of employees based on their level of PHI access

• System-generated user listing of all individuals with access to systems housing ePHI (which means you need to have an application inventory and know where your ePHI is stored).

9

Notice and Document Request List

Privacy documentation includes:

• Notice of Privacy Practices

• Uses & disclosures

• Right to request privacy information

• Right to request privacy protection of PHI

• Right to access PHI

• Denial of access to PHI

• Right to request amendment to PHI

• Accounting of disclosures of PHI

• Fundraising & marketing

• Verification of identity and authority

• Administrative requirements

• Training

• Document retention

• Position descriptions

• Complaints

• Mitigation and disciplinary policies

• Non-retaliation / non-intimidation policies

• Deceased individuals

• Personal representatives

• Confidential communications

• Business associates and business associate templates

• Treatment, payment & health care operations

• Consent & authorization

• Judicial & administrative proceedings

• Research requirements

• De-identification, re-identification, limited data sets

• Restriction of PHI

• Minimum necessary disclosure

10


Managing the Response

• You can create, edit or update documentation up to the document submission deadline

• Newsflash: if you do not have the documentation, you cannot reasonably create it within 15 days, let alone implement it and train on it

• Identified and gathered documents and policies

  - Simultaneously and on parallel tracks (privacy / security)

  - You cannot go linear; you will run out of time

• Confirmed all documentation requested was current for regulatory requirements

• Interviewed key staff to ensure all documentation was drafted in accordance with operations

• Identified quickly that Wesley had an up-to-date application inventory, but not necessarily down to the data element level

11


Managing the Response

• Time is of the essence.

• The process requires you to go through and identify every document and its applicability to the request

• For example: how does your organization address uses & disclosures that do not require authorization? One policy or several?

(organ donation, workers’ comp, judicial and administrative proceedings, coroners, victims of abuse, neglect, required by law, public health activities, etc.)

• Does your organization have a thorough handle on accounting of disclosures?

12


Managing the Response

• Once documentation was identified it was “ticked” and “tied” one-for-one with the document request list

• Separated by categories exactly as described in the document request list

• Each policy within a category was then individually segregated and noted on a cover sheet with the exact request number and description as it appears in the document request list – remember that your policies are likely titled differently

• If a request was not applicable, a separate page was inserted with the exact request number and description, the wording “not applicable”, and the reason why

• If a request was left blank, a separate page was inserted with the exact request number and description, the wording “intentionally left blank”, and any reference or reason

• Resulted in two (2) five-inch binders and two (2) flash drives

BUT WAIT THERE IS MORE! . . . . .

13


Managing the Response

The OCR published its Audit Protocol

14


Managing the Response

Key Points to Remember:

• If you don’t have the requested policy or document, you will not be able to create it in the requisite time

• Don’t wait for an OCR notice of audit; review policies on an annual basis against regulatory requirements and operations

• Keep training relevant and up-to-date

• Keep the application inventory – down to the data element level – current

• Keep role-based access documented and current, including timely termination of access rights for employees who have left

• When you submit a document request response to the OCR, detail and label each policy and document with a cover sheet

• Keep an exact copy for your records

• Mail by certified or express mail to track delivery and receive acknowledgement of OCR receipt

15


Preparing for the on-site assessment

The actual on-site assessment occurs anywhere from 30-120 days from receipt of notice (not submission of documentation requested).

The OCR provides five (5) days notice prior to actually showing up.

On-site duration of audit can range from 300 – 400 hours and 3-4 weeks of active audit work depending on the organization’s size and structure.

Site visits included:

• Interviews with leadership (e.g., CEO, CIO, Privacy Officer, Legal Counsel, HIM)

• Physical security walk-through and operations

• Consistency of process to policy

• Observation of compliance with regulatory requirements

• Sample testing

16


Preparing for the on-site assessment

Sample testing

• Does your current audit plan include privacy or data security?

• When is the last time you conducted a sample test / audit of compliance with:

- Access requirements

- Authorization requirements

- Amendment requirements

- Business associate agreements

- Timely termination of access rights for departed employees

- Role-based access

- Media reuse and destruction

- Adequacy of ‘addressable’ security documentation

17
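Two of the sample tests above (timely termination of access rights and role-based access) can be rehearsed before the auditors arrive by reconciling the system-generated user listing the notice asks for against the HR roster and the documented role-based access matrix. The following Python script is an added illustration, not material from the presentation or from PwC/CHS; the roster, user listing, role matrix and the `reconcile_access` function are constructed here for the example, and a real run would take the application's user export and the HR feed as input. It goes slightly beyond the slide by also flagging accounts with no HR record at all, since those surface in the same reconciliation.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data for this example (not from the presentation).
# Documented role-based access: which ePHI access levels each role may hold.
ROLE_ACCESS = {
    "registration_clerk": {"demographics"},
    "nurse": {"demographics", "clinical"},
    "billing": {"demographics", "billing"},
    "physician": {"demographics", "clinical", "orders"},
}

# HR roster: (employee_id, role, termination_date or None if still employed)
HR_ROSTER = [
    ("E100", "nurse", None),
    ("E101", "registration_clerk", date(2012, 5, 1)),   # left well before the check
    ("E102", "billing", None),
    ("E103", "physician", date(2012, 6, 20)),           # leaves after the check date
]

# System-generated user listing from an ePHI application:
# (employee_id, access levels actually granted, account still active?)
SYSTEM_USER_LISTING = [
    ("E100", {"demographics", "clinical"}, True),
    ("E101", {"demographics"}, True),                        # terminated, still active
    ("E102", {"demographics", "billing", "clinical"}, True), # more than the role allows
    ("E104", {"demographics"}, True),                        # no HR record at all
    ("E103", {"demographics", "clinical", "orders"}, True),
]


@dataclass(frozen=True)
class Finding:
    employee_id: str
    issue: str
    detail: str


def reconcile_access(roster, user_listing, role_access, as_of, grace_days=1):
    """Compare the application's user listing with HR and the role matrix.

    Returns one Finding per problem:
      - terminated_still_active: account active past termination + grace period
      - access_exceeds_role:     granted access the documented role does not allow
      - orphaned_account:        account with no HR record (cannot be tied to a role)
    """
    hr = {emp_id: (role, term) for emp_id, role, term in roster}
    findings = []
    for emp_id, granted, active in user_listing:
        if emp_id not in hr:
            findings.append(Finding(emp_id, "orphaned_account",
                                    "no HR record for this account"))
            continue
        role, term = hr[emp_id]
        if active and term is not None and as_of > term + timedelta(days=grace_days):
            findings.append(Finding(emp_id, "terminated_still_active",
                                    f"terminated {term.isoformat()}, account still active"))
        excess = granted - role_access.get(role, set())
        if excess:
            findings.append(Finding(emp_id, "access_exceeds_role",
                                    f"role '{role}' is not entitled to {sorted(excess)}"))
    return findings


def run_sample_check(as_of=date(2012, 6, 8)):
    """Run the reconciliation over the constructed data as of the notice date."""
    return reconcile_access(HR_ROSTER, SYSTEM_USER_LISTING, ROLE_ACCESS, as_of)


if __name__ == "__main__":
    for f in run_sample_check():
        print(f"{f.employee_id}: {f.issue} - {f.detail}")
```

Running the check as of the notice date reports three findings (E101 still active after termination, E102 holding clinical access its billing role does not allow, and E104 with no HR record); E103's termination date lies after the check date, so that account is correctly not flagged. Each finding maps to a document the auditors may ask for: the termination log, the role-based access list and the application inventory.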


Preparing for the on-site assessment

• Conduct a facility walk-through . . . with a fine-tooth comb

  Consider having others review departments / facilities, as they will see things that those who are there every day may not notice

• General training - multiple sessions. Not about the law but about your organization’s privacy and data security program

  Consider instructor-led sessions to give employees the opportunity to ask questions

• Focused preparation for individuals likely to be interviewed by the auditors

  - How to respond to an OCR interviewer

  - What if you don’t have the documentation?

  - Do you know what the documents are when asked?

  - What if the auditor stops you in the hall and asks questions?

BUT WAIT THERE IS MORE! . . . . .

18


Preparing for the on-site

Who is your Privacy Officer? Security Officer?

How much time do they dedicate to the function?

19


What is the OCR doing now?

Federal regulators are planning for a permanent HIPAA audit program

The OCR asked for a budget increase and will also use $4.5 million in collected HIPAA non-compliance penalties to fund the audits

Business Associates (in addition to covered entities) will be audited in the permanent program, as they are now directly liable for HIPAA compliance under the Omnibus Rule (effective September 23, 2013)

The audits will be narrower in scope than the criteria utilized in the pilot program during 2012, to increase the number of organizations to be audited

“we want to hit more entities and be more focused on parts of the privacy and security rules for which breaches are at high risk”

– Leon Rodriguez, Director DHHS

20


What is the OCR doing now?

In OCR's audits and breach investigations they will be looking at the level of compliance

Audits will focus on vulnerabilities that might change year to year as new issues come into focus

As new business strategies and information systems are added, include a risk assessment of that system – which implies doing a risk assessment more than annually

21


How to Prepare - 5 Key Steps to Readiness

#1. Select / Develop Integrated Framework

#2. Inventory Data

#3. Conduct Risk and Control Assessment

#4. Implement Controls

#5. Monitor and Control

22


Where should you focus and how to prepare

1. Refresh Policies and Procedures (and follow them)

2. Update and provide training where needed

3. Conduct a self-assessment of policy compliance

4. Perform a risk assessment and execute risk management strategy (document decisions on risks and controls)

5. Document controls, gaps, and action plans

6. Identify Business Associates and ensure BAAs are executed including due diligence of the vendor

Other considerations:

• Identify lines of business affected by HIPAA

• Map movement of PHI (data flows) within the organization as well as exchanges with third parties;

• Catalog locations where PHI resides within an organization

23


Where should you focus and how to prepare

Policies and Procedures:

The privacy regulation called out ~18 specific policies

Be certain P&P are drafted in accordance with operations – especially if your organization purchased policy templates. . .

Be certain P&Ps are reviewed regularly and updated as needed

Be certain P&Ps are easily accessible and staff know where they are located

Note: Rodriguez also cautions against doing something ‘blatantly stupid’ that starts an audit off poorly. . . such as printing policies from an internet site and leaving the printout date on the documentation

24


Where should you focus and how to prepare

Training:

Training should not be a restatement of the law but rather the organization’s policy and processes in response to implementing the law

Specialized training should be provided for key operational

Ensure those involved in Research understand that use of the data requires specific authorization, or an IRB-approved waiver of authorization

Teach workforce members not to access, use or disclose PHI unless they have a work related reason and be clear on penalties (e.g. loss of merit increase, final warning, termination)

25

Where should you focus and how to prepare

Risk Assessment:

Conduct risk and control assessment

Document decisions on risks and controls

Document corrective actions planned or underway

Conduct interim risk assessment when new business strategies or new information systems are added

If you can demonstrate and articulate that you are monitoring and auditing your risks (with corrective action plans where needed), it will be viewed more favorably than having no active and on-going identification of risk

While the new audit program has yet to be announced or released, the OCR has stated that the one thing that can be ‘absolutely counted on’ is a focus on an organization’s risk assessment and analysis

26


Where should you focus and how to prepare

Business Associates:

Work with Purchasing, Accounts Payable, and your contract database manager to develop a list of all Business Associates that may have PHI.

Make sure these BAs have been screened for federal program exclusion checks.

Make sure there are executed updated BAAs in place.

Periodically audit BA privacy and data security practices – reserve the right to audit in BAA or underlying contracts.

27


Where should you focus and how to prepare

Other thoughts:

Stress the importance of securing paper PHI taken off-site (e.g., exposure to family members, loss or theft, disposal)

Prohibit transporting paper PHI, or PHI on a laptop or mobile device, or ensure encryption

Consider data loss prevention software (e.g., Fair Warning)

Ensure that staff know who the Privacy Officer and Security Officer are and their roles in the organization

Require workforce members to report issues that may violate law, regulation or policy

Prepare staff likely to be interviewed on how to interview and interact with the auditors

28


Action Items

a) Conduct a mock audit

b) Perform a detailed risk assessment and routine assessments thereafter

c) Implement policies which are drafted in accordance with operations and easily accessible to employees

d) Educate employees on their role in HIPAA privacy and security compliance

e) Engage employees to report known or suspected risks and/or breaches

f) Investigate each report to conclusion

29


In Summary

a) Regulators are interpreting HIPAA broadly

b) Penalties for non-compliance are expensive; but settlement agreements requiring remediation and long term monitoring can be even more costly

c) Investigations are being conducted by multiple agencies including but not limited to the OCR, State Attorneys General, Federal Trade Commission, CMS, the Secret Service, and potentially even the IRS

30


Questions?

Dion Sheidy, Partner
PricewaterhouseCoopers
(615) 503-2861
[email protected]

Laurie Smaldon, Director
PricewaterhouseCoopers
(203) 376-9989
[email protected]

Andi Bosshart, RHIA, CHC
Senior Vice President, Corporate Compliance and Privacy Officer
Community Health Systems
(615) 465-7150
[email protected]

Donna Hinton, RN, BSN
Director, Compliance
Community Health Systems
[email protected]

31


This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2013 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
