1 / 27

HIPAA Audits: Are You Ready For the Next Wave?

HIPAA Audits: Are You Ready For the Next Wave?. Karen D. Smith, Esq. Partner Bricker & Eckler LLP 100 S. Third Street Columbus, OH 43215 ksmith@bricker.com (614) 227-2313. Today’s Agenda. HITECH Background Phase 1 review Phase 2 preview Recommendations. Background.

vonda
Download Presentation

HIPAA Audits: Are You Ready For the Next Wave?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Audits: Are You Ready For the Next Wave? Karen D. Smith, Esq.Partner Bricker & Eckler LLP 100 S. Third Street Columbus, OH 43215 ksmith@bricker.com (614) 227-2313

  2. Today’s Agenda • HITECH Background • Phase 1 review • Phase 2 preview • Recommendations

  3. Background HITECH Enforcement • Increased enforcement under HITECH • Increased penalties • State AG enforcement • Public records of breach notifications • BAs directly subject to penalties • HHS audits

  4. Background HITECH Enforcement • HITECH Act requires HHS to conduct HIPAA audits (42 USC §17490) • “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”

  5. Phase 1PROGRAM OPPORTUNITY • OCR sought a comprehensive and flexible process for analyzing entity efforts to provide regulatory protections and individual rights • Identify • (1) best practices and • (2) uncover risks • not identified through other enforcement tools • Encourage consistent attention to compliance activities

  6. Phase 1 Audits Performed • 115 performance audits conducted through December 2012 • Initial 20 audits to test original audit protocol • Final 95 audits using modified audit protocol

  7. Phase 1 Overall Cause Analysis • For every finding cited in the audit reports, audit identified a “cause” • Most common across all entities: entity unaware of requirement. • 30% (289 of 980 findings) • 39% (115 of 293) of Privacy • 27% (163 of 593) of Security • 12% (11) of Breach Notification • Most of these related to elements of the Rules that stated what a covered entity had to do to comply • Other causes, included but not limited to: • Lack of application of sufficient resources • Incomplete implementation • Complete disregard

  8. Phase 1 Cause Analysis: Top Elements Unaware of the Requirement • Privacy • notice of privacy practices • access of individuals • minimum necessary • authorizations • Security • risk analysis • media movement and disposal • audit controls and monitoring

  9. Phase 1 Recommendations for the Audit Program • Implement a risk-based approach • would allow OCR to determine areas of the Rules that require implementation of controls, which, if not implemented effectively, would pose the greatest risk to the protection of PHI • OCR should consider a multi-tiered audit approach that can be tailored based on entity type, area or a hybrid

  10. Phase 2 Who Can Be Audited? • Any covered entity • Health plans of all types • Health care clearinghouses • Individual and organizational providers of all sizes • Any business associate • Selection through covered entities’ identification of their business associates

  11. Phase 2 Covered Entity Pool • Have selected a pool of covered entities eligible for audit • Used resources developed through Booz Allen Hamilton contract • Health care providers selected through NPI database • Clearinghouses & Health Plans from external databases (e.g., AHIP) • Random selection used when possible within types • Wide range (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories)

  12. Phase 2 Pre-Audit Survey • Available entity databases lack data for entity stratification • Survey currently being processed through Paperwork Reduction Act clearance • Questions address • size measures • location • services • best contacts • OCR will conduct address verification with entities this spring • Entities will receive link to online screening “pre-survey” this summer; Expect to contact 550-800 entities • OCR will use results of survey to select a projected 350 covered entities to audit

  13. Phase 2 Audit Approach Primarily internally staffed Selected entities will receive notification and data requests in fall 2014 Entities will be asked to identify their business associates and provide their current contact information Will select business associate audit subjects for 2015 first wave from among the BAs identified by covered entities Desk audits of selected provisions Comprehensive on-site audits as resources allow

  14. Phase 2 Timing

  15. Phase 2 Desk Audit Expectations • Data request will specify: • content and file organization • file names • any other document submission requirements • Requested data will only be assessed if it is submitted on time • Documentation must be current as of request date

  16. Phase 2 Desk Audit Expectations • Documents must accurately reflect the program • Auditors will NOT have the opportunity to contact the entity for clarifications, or to seek out additional information • Do not submit extraneous information: OCR says it may increase difficulty for auditor to find and assess required items • Failing to respond to requests may lead to referral for regional compliance review

  17. Phase 2 On-site Audit Expectations Very little detail provided by HHS “Comprehensive on-site audits as resources allow” Interviews with key personnel Observations of processes and operations 3-10 days (in round 1) Length of audit depends on complexity of CE

  18. Phase 2 Protocol Criteria • Auditors will assess entity efforts via an updated protocol • New criteria will reflect the omnibus rule changes, more specific test procedures • Sampling methodology will be used in many provisions to assess compliance efforts • Provisions that resulted in a high quantity of compliance failures in the pilot audits will be targeted through the desk audits • The website will include the updated protocol for the entities’ use

  19. Phase 2 Audit Focus 2014 • Covered Entities • Security: Risk analysis and risk management • Breach: Content and timeliness of notifications • Privacy: Notice and access

  20. Phase 2 Audit Focus 2015 • Round 1: Business Associates • Security: Risk analysis and risk management • Breach: Breach reporting to CE • Round 2: Covered Entities (Projected) • Security: Device and media controls, transmission security • Privacy: Safeguards, training

  21. Phase 2 Audit Focus 2016 • Projected • Security: • Encryption and decryption • Facility access control (physical) • Other areas of high risk as identified by 2014 audits, breach reports and complaints

  22. Phase 2 Recommendations – Focus Areas • Risk Analysis • Review most recent Risk Analysis • Consider conducting new Risk Analysis • Consider obtaining third-party review of Risk Analysis • Business Associates • Review and update BA list • Review template BAA • Amend BAAs for Omnibus Rule compliance by Sept. 23 • Engage BAs in dialogue on compliance (e.g., BAs should conduct own risk analyses)

  23. Phase 2 Recommendations – Focus Areas • Breach Documentation • Review breach log • Review template notice and timeliness of past notices • Review files associated with breaches • Per OCR, files should include: • Documentation of root cause of breach • Documentation of compliance gap resulting in breach • Documentation that root cause was addressed

  24. Phase 2 Recommendations – Focus Areas • Notice of Privacy Practices • Review for Omnibus Rule compliance • Confirm distribution/posting requirements are being met • Patient Access • Review policy and procedure • Review related documentation • Security Rule • Review policies and procedures on transmission security, devices (focus on mobile devices), and facility access control • OCR recommends reviewing mobile device policy “at least annually”

  25. Phase 2 Recommendations - General • Policies and Procedures • Review policies against current OCR protocol (and new protocol once available) • Confirm that Omnibus Rule changes have been incorporated as applicable • Supporting Documentation • Confirm that documentation required by policies is actually being kept on file • Review documentation against current OCR protocol (and new protocol once available)

  26. Phase 2 Recommendations - General • Audits • Conduct self audit • Obtain third party mock audit • Training • Review and update training program as necessary • Review documentation of training • Provide annual training and remedial training

  27. Bricker & Eckler100 South Third StreetColumbus, Ohio 43215Karen Smith: (614) 227-2313ksmith@bricker.com

More Related