Disclaimer
This webinar may be recorded. This webinar presents a sampling of best practices and overviews, generalities, and some laws. This should not be used as legal advice. Itentive recognizes that there is not a “one size fits all” solution for the ideas expressed in this webinar; we invite you to follow up directly with us for more personalized information as it pertains to your specific practice and issues.
Thank you, and enjoy the webinar.
About Us
Our passion is to provide solutions for our healthcare provider partners which help them improve patient care, enhance the patient experience and maintain a financially healthy practice.
Since 2003 we have specialized in NextGen®
Healthcare services including:
• Consulting
• Hosting
• Customization
• And productivity tools such as ChartGuard® and RefundManager®
Upcoming Webinars:
Last webinar in our 3 part series
Improving Federal Security Initiatives: The True Impact
July 27th – MACRA: Breaking Down the Proposed Rule
HIPAA Audits:
What Phase II Means For You
Introductions
Kathy Thompson
Managing Consultant
Cindi Kincade
Vice President, Consulting Solutions
Lindsey Lanning
Healthcare Informatics Coordinator
HIPAA Audits:
What Phase II Means For You
Attention:
• Phase Two of OCR's HIPAA audit program has officially begun
• OCR has sent selected covered entities notification letters
• Email notification letters were delivered on Monday, July 11, 2016 to 167 health plans, healthcare providers and healthcare clearinghouses (covered entities)
• Covered entities should monitor their spam filtering and junk mail folders for emails from [email protected].
• Entities ONLY have 10 business days, until July 22, 2016, to respond to the document requests.
• Desk audits of business associates will follow this fall
Today’s Webinar
• HIPAA Review
• The Audit Process
• New Audit Protocol
• The Elements to an Effective Compliance Program
Headlines
• OCR Releases New HIPAA Audit Protocol
• HIPAA Compliance Audit Prioritized in 2017 Fiscal Budget
• Business Associates: More Than a Checkbox
• Holy MACRA! – Being HIPAA Compliant is Part of How Physicians get Paid
• Business Associate Agrees to $650K OCR HIPAA Settlement
HIPAA Enforcement
• Settlements in 2016 have totaled more than any other year at $8,664,800
• Consequences include:
High fines
Prison sentences
Medical License revoked
Image taken from Compliancygroup.com
What is Causing Increased Enforcement?
• Large Breaches
Anthem Blue Cross
• New OCR Director in 2015
“While the first years of HIPAA were about education, the years ahead are going to firmly stress enforcement”
• Phase 2 Audits
New Audit Protocol
Expanded pool of auditees
Federal program overlap
• Increased Budget
HIPAA Review
Regulation Overview
• HIPAA
Goal: Protect PHI while increasing patient access and control over information
• Omnibus
Goal: Extend protection of PHI by requiring Business Associates to comply with HIPAA
• HITECH/Meaningful Use
Goal: Increase the adoption of EHRs
[Diagram: overlap of HIPAA, HITECH / Meaningful Use, and Omnibus]
HIPAA Overview
• HIPAA has 3 parts:
Privacy Rule
Security Rule
Breach Notification Rule
• Who has to comply with HIPAA?
Covered Entities
Business Associates
HIPAA Security Rule
• The HIPAA Security Rule is in place to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that a CE or BA creates, maintains, or transmits.
• The Security Rule lays out 3 sets of safeguards
Administrative
Technical
Physical
HIPAA Privacy Rule
Two “pods” of the HIPAA privacy rule:
• “Access”
Greater for patients
Limited for others
• Patient “rights”
Increased rights
Greater control over their own information
The Difference Between Privacy and Security
The HIPAA Privacy Rule describes what
information is protected and how protected
information can be used and disclosed.
vs.
The HIPAA Security Rule describes what
safeguards must be in place to ensure
appropriate protection of electronic protected
health information.
The Audit Process
Program Objective
The audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities.
OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations.
The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable OCR to get out in front of problems before they result in breaches.
OCR will broadly identify best practices collected through the audit process and will provide guidance targeted to identified compliance challenges.
OCR HIPAA Audits
• The Office for Civil Rights (OCR)
is conducting audits to make
sure providers are HIPAA
compliant.
Phase 1 Audits in 2011-2012
Phase 2 Audits in 2015-2016
OCR Phase 2 Audits
Phase 2 Audits focus on:
• Covered Entities and their Business Associates
• Non-compliant standards discovered during Phase 1
• Risk analysis
• Risk management
• Security Standards’ encryption and decryption requirements
• Facility access control
• Breach notification
Key Things to Point Out
• OCR has issued and finalized a new audit protocol for Phase 2 OCR Audits
• Phase 2 will include Covered Entities & Business Associates
• Phase 2 of OCR’s HIPAA audit program is currently underway. Selected covered entities received notification letters Monday, July 11, 2016. Business associate audits will commence in the fall.
• OCR has contracted with FCi Federal to conduct the audits in conjunction with OCR staff
• These audits will proceed throughout 2016 and beyond
• A pool of potential audit targets will be identified and out of this pool several hundred will be selected for audits
Who Can Be Audited?
Covered Entities
Health Plans
Healthcare Clearinghouses
Healthcare Providers
Business Associates
Selected through Covered Entities
Phase 2 Audit Distribution Projections
Information taken from Compliancygroup.com

Entity Type                 Privacy   Breach   Security
Covered Entities              100       100      150
  Health Plans                 33        31       45
  Providers                    67        65      100
  Clearinghouses                -         4        5
Business Associates             0         0       50
  IT Related                    -         -       35
  Non-IT Related                -         -       15
Total Audits by Protocol      100       100      200
How Will Auditees Be Selected?
• For this phase of the audit program, OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates.
• Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR.
• OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.
Audit Phases
• Phase One: Desk Audit of Covered Entities
Request for Gap and Remediation Report
• Phase Two: Desk Audit of Business Associates
• Phase Three: Onsite Audit targeting both Covered Entities and BAs, with a broader scope of coverage
Looking for a complete compliance plan
• Results: Corrective Action Plan and Fines
Desk Audits
Requirements Selected for Desk Audit Review:
• Privacy Rule
Notice of Privacy Practices & Content Requirements
Provision of Notice – Electronic Notice
Right to Access
• Breach Notification Rule
Timeliness of Notification
Content of Notification
• Security Rule
Security Management Process – Risk Analysis
Security Management Process – Risk Management
The Audit Process–Desk Audit
1. Address Verification Email
2. Pre-screening questionnaire
3. Identify Business Associates
4. Auditees will be notified of their selection
5. Document request letter which will include the type of audit (Privacy, Security or Breach)
6. Those being audited will be required to upload requested documents via a secure portal (within 10 days)
7. Auditors prepare draft findings and send to auditees
8. Those being audited may prepare a response to draft within 10 days
9. Preparation and sending of final report
The Audit Process–Onsite Audit
1. Entities will be notified of their selection
2. OCR auditors will schedule an entrance conference and provide information about audit process and expectations
3. The audit will be conducted over three to five days on-site
4. A draft report will be prepared and shared with entity
5. The entity will have 10 days to review findings and provide written comments to auditor
6. Final audit report will be completed within 30 business days
7. OCR will share a copy of the final report with entity
Address Verification Email
OCR conducted address verification this spring to confirm contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools.
Communications from OCR will be sent via email and may be incorrectly classified as spam.
If your entity’s spam filtering and virus protection are automatically enabled, we expect you to check your junk or spam email folder for emails from OCR: [email protected].
Pre-screening Questionnaire
The questionnaire is made up of 4 parts:
1. Instructions
2. Contact/Entity Info
3. Questions
4. Review & Submit
Pre-screening Questionnaire
There are 5 sections of questions found in the questionnaire:
1. Basic Description Information About Your Organization
2. Healthcare Providers
3. Healthcare Clearinghouse
4. Health Plans
5. Business Associates
Selection Email
If you are selected you will receive two emails:
• One e-mail includes a notification letter which will introduce the audit team, explain the audit process and discuss OCR’s expectations in more detail. It will also provide instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR's secure online portal.
• A second email contains an additional request to provide a listing of the entity's business associates.
Identify Business Associate
• Selected auditees will be requested by OCR to identify and provide detailed information regarding their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits.
• Covered entities should provide the requested information to the best of their knowledge and include the name and types of services provided by each business associate.
• OCR has developed a template which covered entities may find helpful to use when responding to the business associate list request.
Business Associate Information Requested
• Business Associate Name
• Type of Service(s) provided
• 1st Point of Contact Title, First Name, and Last Name
• 1st Point of Contact Address, City, State, Zip
• 1st Point of Contact Phone and extension (if needed), Contact Fax, and Contact Email
• 2nd Point of Contact Title, First Name, and Last Name
• 2nd Point of Contact Address, City, State, Zip
• 2nd Point of Contact Phone and extension (if needed), Contact Fax, and Contact Email
• Website URL
Final Audit Report
• The Final Audit Report will contain:
Stage of Audit conducted
Findings of Audit
Entity responses to draft findings
• OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Through the information gathered from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.
Audit Timeline
• OCR will have notified Covered Entities by July 11th if they were selected for an audit
• The CE being audited must submit requested documentation within 10 business days
Or if it is an onsite audit it will be conducted over 3-5 business days onsite, depending on the size of the entity.
• After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings.
• Auditees will have 10 business days to review and return written comments, if any, to the auditor.
• The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response
What Causes A HIPAA Audit?
• Random selection
• Business Associates
• Failed Meaningful Use audit
• Reported breach notification
Meaningful Use and SRA
• Just because your Security Risk Analysis passed for Meaningful Use DOES NOT mean you are HIPAA compliant, however if your SRA is HIPAA compliant then it will pass for MU.
• HIPAA SRA criteria are more stringent than MU criteria
Does HIPAA Satisfy Meaningful Use?
[Diagram: HIPAA encompassing Meaningful Use]
The ‘Wall of Shame’
• The OCR has an entire “Wall of Shame” listing health data breaches affecting 500 or more individuals.
• Breach notification rule
Breaches affecting 500 or more individuals go on the wall because HHS must be notified without unreasonable delay, and no later than 60 days after discovery
Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered
Business Associates
• 59% of Business Associates reported a data breach in the last two years that resulted in loss/theft of PHI.
• If one of your Business Associates is not HIPAA compliant, the chances of OCR selecting you for an audit increases significantly.
Ramifications of Failing
• A compliance review for further investigation
• Large fines and penalties
• Increased chances for future audits
• Criminal charges
Real World Consequences
• Catholic Health Care Services in Philadelphia (CHCS) agreed to pay $650,000 as part of its settlement following a mobile device theft that exposed patient PHI
• CHCS provided management and information technology services as a BA to six skilled nursing facilities
• OCR found that from the compliance date of the HIPAA Security Rule to the present, CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS”
• The BA also did not “implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply” with the HIPAA Security Rule
The New Audit Protocol
New Audit Protocol
• The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an updated Audit Protocol that it plans to use while investigating healthcare entities for HIPAA compliance.
• The biggest change to the audit protocol is the distinction that OCR has made between what’s required of Business Associates (BAs) versus what’s required of Covered Entities (CEs). The guidance is extensive and covers each type of audit along with precisely what action needs to be taken and by whom.
Audit Protocol Coverage
• OCR established a comprehensive audit protocol that contains the requirements to be assessed through audits. The entire audit protocol is organized around elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.
• The audit protocol covers Privacy Rule requirements for:
notice of privacy practices for PHI,
rights to request privacy protection for PHI,
access of individuals to PHI,
administrative requirements,
uses and disclosures of PHI,
amendment of PHI, and
accounting of disclosures.
• The protocol also covers Security Rule requirements for administrative, physical, and technical safeguards.
Protocol Framework
• Printed out, the protocol is 350+ pages long
• Column Headers
Audit Type – Security / Privacy / Breach
Section – Code of Federal Regulation (CFR) reference
Key Activity - Describes the category of the relevant rules
Established Performance Criteria - Verbiage from the subparts of the CFR
Audit Inquiry - Questions and Data being requested
Required/Addressable
• Primarily four types of entries for audit inquiry
Questions
Inquire of management
Obtain/ Review
Evaluate
General Instructions
• Where the document says entity, it means both covered entities and business associates unless identified as one or the other;
• Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards;
• Entities must provide only the specified documents, not compendiums of all entity policies or procedures. The auditor will not search for relevant documentation that may be contained within such compilations;
• Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request;
General Instructions
• Unless otherwise specified, selected entities should submit documents via OCR's secure online web portal in PDF, MS Word or MS Excel formats;
• If the requested number of documentations of implementation is not available, the entity must provide instances from equivalent previous time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect.
• Workforce members include entity employees, on-site contractors, students, and volunteers; and,
• Information systems include hardware, software, information, data, applications, communications, and people.
Audit Type: Privacy Example
Audit Type: Security Example
Audit Type: Breach Example
Elements of an Effective Compliance Program
7 Elements of a Compliance Program
According to HHS an effective compliance program has 7 elements:
1. Implementing written policies, procedures and standards of conduct
2. Designating a compliance officer and compliance committee
3. Conducting effective training and education
4. Developing effective lines of communication
5. Conducting internal monitoring and auditing
6. Enforcing standards through well-publicized disciplinary guidelines
7. Responding promptly to detected offenses and undertaking corrective action
Compliance Means…
• Having policies and procedures in place that directly coordinate to regulations and demonstrate the results of your security risk analysis
• While being able to prove with a paper trail or other forms of evidence that your workforce follows these policies and procedures
Preparing for an Audit
How to prepare:
• Complete your annual security risk assessment; make sure it is comprehensive per HIPAA regulations
• Document action plans with reasonable target completion dates for deficiencies discovered in your assessment
• Have a complete inventory of your business associates with their current contact information and up-to-date BAA on file
• Implement a breach notification policy per the Breach Notification Standards
• Have a compliant Notice of Privacy Practices (NPP)
• Review your HIPAA-related policies and procedures; perform any items that are past due
Key Questions
Covered entities should ask themselves:
• Does my business have written policies and protocols in place to address HIPAA standards?
• Is my business performing and documenting regular risk assessments?
• Does my business have an established data security policy?
• Does my business have a BYOD security and use policy?
• Are the business associates affiliated with my organization HIPAA compliant?
• Does my business have an effective incident response plan to handle a breach if it occurs?
• Are my employees required to complete regular HIPAA training programs?
What We Learned from 2015 Audits
• Small facilities are not exempt from OCR oversight
• Timely detection and response time is essential
• No risk analysis can lead to data security oversights
• Basic adherence to Privacy, Security rules is key
• Reviewing policies and performing regular updates is necessary to maintain compliance
Mandatory
• Adjective
Obligatory; required or commanded by authority.
Of, being or relating to a mandate.
• Synonyms
compulsory
obligatory
MACRA and HIPAA
HIPAA is a mandatory part of MACRA
MACRA states:
“We would require the MIPS eligible clinician to meet the requirement to protect patient health information (Complete an SRA) created or maintained by certified EHR technology to earn any score within the advancing care information performance category; failure to do so would result in a base score of zero, a performance score of zero, and an advancing care information performance category score of zero.”
Next Steps
• Visit us Itentive.com
• Sign-up for our informative webinars and blog
• Consider our 3 security risk analysis options:
Self- Assessment
Remote Security Risk Analysis
Onsite Security Risk Analysis
Itentive HIPAA Risk Analysis
Itentive can assist you in performing a thorough and accurate HIPAA Security Risk Analysis
• Itentive will manage your HIPAA Security Risk Analysis and guide you, step-by-step through the entire process
• Our methodology leverages the proven and tested HIPAA One software platform which includes a comprehensive set of compliance questions and acts as a repository for maintaining the interview responses, supporting documentation and remediation action plan
• We will:
Review your interview responses and supporting materials and identify areas which need additional information or clarification
Identify threats/vulnerabilities and analyze controls in place
Guide the development of your remediation plan prioritizing risks by likelihood and impact
Help you track and document your ongoing remediation efforts throughout the year
Be available as a resource to answer your HIPAA and Meaningful Use compliance related questions
Questions
• Lindsey Lanning
Healthcare Informatics Coordinator
224-220-5621
• Cindi Kincade
Vice President, Client Solutions
224-220-5575
• Kathy Thompson
Managing Consultant
224-220-5531
Thank you