1 / 25

Nathan Gibson, CISA, CISSP

OCR Audit Process & Penalties: Understanding the U.S. DHHS Office of Civil Rights’ EHR Audit Process and Penalties. Nathan Gibson, CISA, CISSP. Agenda. Common Questions Background HIPAA Audits Audit Timeline Audit Process Penalties How to Prepare Tools Lessons Learned

damien
Download Presentation

Nathan Gibson, CISA, CISSP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. OCR Audit Process & Penalties: Understanding the U.S. DHHS Office of Civil Rights’ EHR Audit Process and Penalties Nathan Gibson, CISA, CISSP

  2. Agenda • Common Questions • Background • HIPAA Audits • Audit Timeline • Audit Process • Penalties • How to Prepare • Tools • Lessons Learned • Meaningful Use Audits • How to Prepare • Tools • Summary • Resources

  3. Common Questions • Who can audit us? • Office of Civil Rights (OCR) • State Attorneys General (SAG) • Centers for Medicare and Medicaid Services (CMS) • Meaningful Use • Will we be audited? • Short term – probably not (but always assume you will) • Eventually – YES • What are ways that we can be audited? • Random HIPAA • Complaint • Breach of Protected Health Information (PHI) • MU Audit • Could our Business Associates be audited? • Yes

  4. Background • HITECH • Health Information Technology for Economic and Clinical Health • Included Enforcement & Penalties • Transferred Security Rule enforcement from CMS to OCR • Office of Civil Rights • Enforcement of the HIPAA Privacy and Security Rules • 115 audits to assess • Privacy Rule • Security Rule • Breach notification performance • Providing HIPAA Enforcement Training to State Attorneys General • State Attorneys General • Authority to bring civil actions on behalf of state residents for HIPAA violations

  5. Audit Timeline • HIPAA Audit Timeline • June, 2011: Contract with KPMG • November, 2011: Draft audit protocols developed • April, 2012: Initial round of audits completed • December, 2012: All audits will be completed for the pilot program

  6. Audit Process • Notification letter • Asked to provide documentation • Site visit • Final Report • Audit details • Findings • Actions taken hhs.gov

  7. Notification Letter (sample) hhs.gov

  8. Documentation Request

  9. Penalties • Loss of Contracts • Criminal and Civil Investigation • Federal Penalties • Up to $1.5 million • State Fines • Up to $25,000 • Reputation • Legal Costs • Notification Costs http://blog.willis.com/2011/10/scariest-financial-services-risk-data-breach/

  10. How to Prepare (HIPAA) • Self-Assessment • Audit protocol • NIST 800-66 • Documentation • Risk assessment • PHI stored and transmitted (including third parties) • Policies & procedures • Documentation Request List • Lessons Learned • Existing Audits and Penalties • Best Practices • Available Tools • REC, OCR, NIST, HIMSS, etc.

  11. How to Prepare (HIPAA) • Audit Protocol http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

  12. Tools • REC Tools • Security Risk Assessment Tool • Information Security Policy Template • Breach notification guidance • Privacy and Security Checklist (HIPAA & HITECH) • OCR • Audit Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html • NIST • HIPAA Security Rule Toolkit • http://scap.nist.gov/hipaa/ • Special Publications (800 Series) • http://csrc.nist.gov/publications/PubsSPs.html

  13. Tools (cont.) • HIMSS • HIMSS Privacy and Security Toolkit for Small Providers • http://www.himss.org/asp/topics_PS_SmallProviders.asp • More Privacy & Security Toolkits • http://www.himss.org/asp/topics_pstoolkitsDirectory.asp?faid=568&tid=111 • Risk Assessment Toolkit • Mobile Security Toolkit • Cloud Security Toolkit

  14. Lessons Learned • Audit Reason: Complaint • Organization: Cignet • Lessons: • Process in place for patients’ request for copies of their medical records • Cooperate with OCR! hhs.gov

  15. Lessons Learned • Audit Reason: Breach • Organization: DHSS (Alaska) • Incident: Stolen USB Drive • Lessons: • Policies & Procedures • Risk analysis / risk management • Workforce training • Device & media controls • Encryption • Corrective Action Plan (valuable!)http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html hhs.gov

  16. Lessons Learned • Audit Reason: Random Audits • HIPAA: OCR / KPMGMU: CMS • Lessons: • Review any audit reports released • Monitor progress of the audit program • Learn from findings discovered hhs.gov

  17. Lessons Learned • Audit Reason: Complaint • Organization: Phoenix CardiacSurgery • Incident: Publicly postedclinical and surgical appt. • Lessons: • No practice is too small toexperience a breach • Security risk assessment needstoo include ALL locations of PHI • Documentation! • Review corrective action plan hhs.gov

  18. Lessons Learned • Phoenix Cardiac Surgery Resolution Agreement & Corrective Action Plan

  19. Meaningful Use • CMS EHR Incentive Program • All providers attesting to receive an EHR incentive payment • Medicare or Medicaid EHR Incentive Programs • Retain ALL relevant supporting documentation (in either paper or electronic format used in the completion of the Attestation Module) Documentation to support the attestation should be retained for six years post-attestation • Medicare and dually-eligible (Medicare and Medicaid) • Audits performed by CMS, and its contractors • Medicaid • Audits performed by states, and their contractors

  20. Meaningful Use • Audit Contract • Figliozzi and Co., Garden City, NY (accounting firm) • Medicare recipients and hospitals that received incentive payments from both Medicare and Medicaid • Note: States and their individual contractors will audit incentive program participants who received bonuses from Medicaid alone

  21. How to Prepare (MU) • Documentation • Proof that the EHR system used to meet meaningful use requirements is certified. • Supporting documentation proving that core objectives were met. • Supporting documentation that menu objectives were met.

  22. Tools • CMS • Attestation FAQ’s (overview, preparing, and details of an audit) • https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10 • REC • Security Risk Assessment Tool • Information Security Policy Template • Breach notification guidance • Privacy and Security Checklist (HIPAA & HITECH)

  23. Summary • Assume you’ll be audited • Prepare • Keep documentation updated • Understand & document where all PHI is stored & transmitted • Reasonable and appropriate security controls • Based on security risk assessment

  24. Resources • OCR (hhs.gov) • Audit Pilot Program • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html • Sample Notification Letter • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf • Audit Protocol • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html • CMS • FAQ’s • https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10 • NIST • Security Rule Toolkit • http://scap.nist.gov/hipaa/ • GAO Report • http://www.gao.gov/assets/600/590538.pdf • OCR Documentation List • http://cynergistek.files.wordpress.com/2012/04/ocr-audit-documentation-request-list.pdf

  25. Have a question, comment, or suggestion? • Contact Nathan Gibson at: • ngibson@wvmi.org • 304-346-9864 ext. 2236

More Related