Nathan Gibson, CISA, CISSP - PowerPoint PPT Presentation
Presentation Transcript
OCR Audit Process & Penalties: Understanding the U.S. DHHS Office of Civil Rights’ EHR Audit Process and Penalties

Nathan Gibson, CISA, CISSP

Agenda
  • Common Questions
  • Background
  • HIPAA Audits
    • Audit Timeline
    • Audit Process
    • Penalties
    • How to Prepare
    • Tools
    • Lessons Learned
  • Meaningful Use Audits
    • How to Prepare
    • Tools
  • Summary
  • Resources
Common Questions
  • Who can audit us?
    • Office of Civil Rights (OCR)
    • State Attorneys General (SAG)
    • Centers for Medicare and Medicaid Services (CMS)
      • Meaningful Use
  • Will we be audited?
    • Short term – probably not (but always assume you will)
    • Eventually – YES
  • What are ways that we can be audited?
    • Random HIPAA
    • Complaint
    • Breach of Protected Health Information (PHI)
    • MU Audit
  • Could our Business Associates be audited?
    • Yes
Background
  • HITECH
    • Health Information Technology for Economic and Clinical Health
    • Included Enforcement & Penalties
      • Transferred Security Rule enforcement from CMS to OCR
  • Office of Civil Rights
    • Enforcement of the HIPAA Privacy and Security Rules
    • 115 audits to assess
      • Privacy Rule
      • Security Rule
      • Breach notification performance
    • Providing HIPAA Enforcement Training to State Attorneys General
  • State Attorneys General
    • Authority to bring civil actions on behalf of state residents for HIPAA violations
Audit Timeline
  • HIPAA Audit Timeline
    • June, 2011: Contract with KPMG
    • November, 2011: Draft audit protocols developed
    • April, 2012: Initial round of audits completed
    • December, 2012: All audits will be completed for the pilot program
Audit Process
  • Notification letter
    • Asked to provide documentation
  • Site visit
  • Final Report
    • Audit details
    • Findings
    • Actions taken

Source: hhs.gov

Penalties
  • Loss of Contracts
  • Criminal and Civil Investigation
  • Federal Penalties
    • Up to $1.5 million
  • State Fines
    • Up to $25,000
  • Reputation
  • Legal Costs
  • Notification Costs

http://blog.willis.com/2011/10/scariest-financial-services-risk-data-breach/

How to Prepare (HIPAA)
  • Self-Assessment
    • Audit protocol
    • NIST 800-66
  • Documentation
    • Risk assessment
    • PHI stored and transmitted (including third parties)
    • Policies & procedures
    • Documentation Request List
  • Lessons Learned
    • Existing Audits and Penalties
    • Best Practices
  • Available Tools
    • REC, OCR, NIST, HIMSS, etc.
How to Prepare (HIPAA)
  • Audit Protocol

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Tools
  • REC Tools
    • Security Risk Assessment Tool
    • Information Security Policy Template
    • Breach notification guidance
    • Privacy and Security Checklist (HIPAA & HITECH)
  • OCR
    • Audit Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
  • NIST
    • HIPAA Security Rule Toolkit
      • http://scap.nist.gov/hipaa/
    • Special Publications (800 Series)
      • http://csrc.nist.gov/publications/PubsSPs.html
Tools (cont.)
  • HIMSS
    • HIMSS Privacy and Security Toolkit for Small Providers
      • http://www.himss.org/asp/topics_PS_SmallProviders.asp
    • More Privacy & Security Toolkits
      • http://www.himss.org/asp/topics_pstoolkitsDirectory.asp?faid=568&tid=111
      • Risk Assessment Toolkit
      • Mobile Security Toolkit
      • Cloud Security Toolkit
Lessons Learned
  • Audit Reason: Complaint
  • Organization: Cignet
  • Lessons:
    • Process in place for patients’ request for copies of their medical records
    • Cooperate with OCR!

Source: hhs.gov

Lessons Learned
  • Audit Reason: Breach
  • Organization: DHSS (Alaska)
  • Incident: Stolen USB Drive
  • Lessons:
    • Policies & Procedures
    • Risk analysis / risk management
    • Workforce training
    • Device & media controls
    • Encryption
  • Corrective Action Plan (valuable!)
    • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html

Source: hhs.gov

Lessons Learned
  • Audit Reason: Random Audits
  • HIPAA: OCR / KPMG
  • MU: CMS
  • Lessons:
    • Review any audit reports released
    • Monitor progress of the audit program
    • Learn from findings discovered

Source: hhs.gov

Lessons Learned
  • Audit Reason: Complaint
  • Organization: Phoenix Cardiac Surgery
  • Incident: Publicly posted clinical and surgical appointments
  • Lessons:
    • No practice is too small to experience a breach
    • Security risk assessment needs to include ALL locations of PHI
    • Documentation!
    • Review corrective action plan

Source: hhs.gov

Lessons Learned
  • Phoenix Cardiac Surgery

Resolution Agreement & Corrective Action Plan

Meaningful Use
  • CMS EHR Incentive Program
    • All providers attesting to receive an EHR incentive payment
      • Medicare or Medicaid EHR Incentive Programs
      • Retain ALL relevant supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module
      • Documentation to support the attestation should be retained for six years post-attestation
    • Medicare and dually-eligible (Medicare and Medicaid)
      • Audits performed by CMS, and its contractors
    • Medicaid
      • Audits performed by states, and their contractors
Meaningful Use
  • Audit Contract
    • Figliozzi and Co., Garden City, NY (accounting firm)
    • Medicare recipients and hospitals that received incentive payments from both Medicare and Medicaid
    • Note: States and their individual contractors will audit incentive program participants who received bonuses from Medicaid alone
How to Prepare (MU)
  • Documentation
    • Proof that the EHR system used to meet meaningful use requirements is certified.
    • Supporting documentation proving that core objectives were met.
    • Supporting documentation that menu objectives were met.
Tools
  • CMS
    • Attestation FAQs (overview, preparing for, and details of an audit)
      • https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10
  • REC
    • Security Risk Assessment Tool
    • Information Security Policy Template
    • Breach notification guidance
    • Privacy and Security Checklist (HIPAA & HITECH)
Summary
  • Assume you’ll be audited
  • Prepare
    • Keep documentation updated
    • Understand & document where all PHI is stored & transmitted
    • Reasonable and appropriate security controls
      • Based on security risk assessment
Resources
  • OCR (hhs.gov)
    • Audit Pilot Program
      • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
    • Sample Notification Letter
      • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf
    • Audit Protocol
      • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
  • CMS
    • FAQs
      • https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10
  • NIST
    • Security Rule Toolkit
      • http://scap.nist.gov/hipaa/
  • GAO Report
    • http://www.gao.gov/assets/600/590538.pdf
  • OCR Documentation List
    • http://cynergistek.files.wordpress.com/2012/04/ocr-audit-documentation-request-list.pdf
Have a question, comment, or suggestion?

  • Contact Nathan Gibson at:
    • ngibson@wvmi.org
    • 304-346-9864 ext. 2236