HIPAA Audits: Are You Ready For the Next Wave?

Karen D. Smith, Esq., Partner
Bricker & Eckler LLP
100 S. Third Street
Columbus, OH 43215
ksmith@bricker.com
(614) 227-2313

Today’s Agenda
  • HITECH Background
  • Phase 1 review
  • Phase 2 preview
  • Recommendations

HITECH Enforcement
  • Increased enforcement under HITECH
    • Increased penalties
    • State AG enforcement
    • Public records of breach notifications
    • BAs directly subject to penalties
    • HHS audits

HITECH Enforcement (continued)
  • The HITECH Act requires HHS to conduct HIPAA audits (HITECH §13411, codified at 42 U.S.C. §17940)
    • “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”

Phase 1: Program Opportunity
  • OCR sought a comprehensive and flexible process for analyzing entity efforts to provide regulatory protections and individual rights
  • Identify (1) best practices and (2) risks not identified through other enforcement tools
  • Encourage consistent attention to compliance activities

Phase 1: Audits Performed
  • 115 performance audits conducted through December 2012
    • Initial 20 audits to test original audit protocol
    • Final 95 audits using modified audit protocol

Phase 1: Overall Cause Analysis
  • For every finding cited in the audit reports, the audit identified a “cause”
  • Most common across all entities: entity unaware of the requirement
    • 30% (289 of 980 findings)
      • 39% (115 of 293) of Privacy findings
      • 27% (163 of 593) of Security findings
      • 12% (11 of 94) of Breach Notification findings
    • Most of these related to elements of the Rules that state what a covered entity must do to comply
  • Other causes included, but were not limited to:
    • Lack of application of sufficient resources
    • Incomplete implementation
    • Complete disregard

Phase 1 Cause Analysis: Top Elements Where Entities Were Unaware of the Requirement
  • Privacy
    • notice of privacy practices
    • access of individuals
    • minimum necessary
    • authorizations
  • Security
    • risk analysis
    • media movement and disposal
    • audit controls and monitoring

Phase 1: Recommendations for the Audit Program
  • Implement a risk-based approach
    • This would allow OCR to identify the areas of the Rules that require implementation of controls which, if not implemented effectively, would pose the greatest risk to the protection of PHI
    • OCR should consider a multi-tiered audit approach that can be tailored by entity type, by area, or as a hybrid

Phase 2: Who Can Be Audited?
  • Any covered entity
    • Health plans of all types
    • Health care clearinghouses
    • Individual and organizational providers of all sizes
  • Any business associate
    • Selection through covered entities’ identification of their business associates

Phase 2: Covered Entity Pool
  • OCR has selected a pool of covered entities eligible for audit
  • Used resources developed through the Booz Allen Hamilton contract
    • Health care providers selected through the NPI database
    • Clearinghouses and health plans from external databases (e.g., AHIP)
  • Random selection used where possible within entity types
  • Wide range of entity types (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories)

Phase 2: Pre-Audit Survey
  • Available entity databases lack the data needed to stratify entities
  • Survey currently being processed through Paperwork Reduction Act clearance
  • Questions address
    • size measures
    • location
    • services
    • best contacts
  • OCR will conduct address verification with entities in spring 2014
  • Entities will receive a link to an online screening “pre-survey” in summer 2014; OCR expects to contact 550-800 entities
  • OCR will use the survey results to select a projected 350 covered entities to audit

Phase 2: Audit Approach
  • Primarily internally staffed
  • Selected entities will receive notification and data requests in fall 2014
  • Entities will be asked to identify their business associates and provide their current contact information
  • Business associate audit subjects for the 2015 first wave will be selected from among the BAs identified by covered entities
  • Desk audits of selected provisions
  • Comprehensive on-site audits as resources allow

Phase 2: Desk Audit Expectations
  • Data request will specify:
    • content and file organization
    • file names
    • any other document submission requirements
  • Requested data will only be assessed if it is submitted on time
  • Documentation must be current as of request date

Phase 2: Desk Audit Expectations (continued)
  • Documents must accurately reflect the program
    • Auditors will NOT have the opportunity to contact the entity for clarifications, or to seek out additional information
  • Do not submit extraneous information: OCR says it may make it harder for the auditor to find and assess the required items
  • Failing to respond to requests may lead to referral for a regional compliance review

Phase 2: On-site Audit Expectations
  • Very little detail provided by HHS: “Comprehensive on-site audits as resources allow”
  • Interviews with key personnel
  • Observations of processes and operations
  • 3-10 days on site (in round 1)
  • Length of audit depends on the complexity of the CE

Phase 2: Protocol Criteria
  • Auditors will assess entity efforts using an updated protocol
    • New criteria will reflect the Omnibus Rule changes and include more specific test procedures
  • A sampling methodology will be used for many provisions to assess compliance efforts
  • Provisions that produced a high number of compliance failures in the pilot audits will be targeted through the desk audits
  • The OCR website will publish the updated protocol for entities’ use

Phase 2: Audit Focus
  • Covered Entities
    • Security: Risk analysis and risk management
    • Breach: Content and timeliness of notifications
    • Privacy: Notice and access

Phase 2: Audit Focus (continued)
  • Round 1: Business Associates
    • Security: Risk analysis and risk management
    • Breach: Breach reporting to CE
  • Round 2: Covered Entities (Projected)
    • Security: Device and media controls, transmission security
    • Privacy: Safeguards, training

Phase 2: Audit Focus (continued)
  • Projected
    • Security:
      • Encryption and decryption
      • Facility access control (physical)
      • Other areas of high risk as identified by 2014 audits, breach reports and complaints

Phase 2: Recommendations – Focus Areas
  • Risk Analysis
    • Review most recent Risk Analysis
    • Consider conducting new Risk Analysis
    • Consider obtaining third-party review of Risk Analysis
  • Business Associates
    • Review and update BA list
    • Review template BAA
    • Amend BAAs for Omnibus Rule compliance by Sept. 23, 2014 (end of the transition period for existing agreements)
    • Engage BAs in a dialogue on compliance (e.g., BAs should conduct their own risk analyses)

Phase 2: Recommendations – Focus Areas (continued)
  • Breach Documentation
    • Review breach log
    • Review template notice and timeliness of past notices
    • Review files associated with breaches
    • Per OCR, files should include:
      • Documentation of root cause of breach
      • Documentation of compliance gap resulting in breach
      • Documentation that root cause was addressed

Phase 2: Recommendations – Focus Areas (continued)
  • Notice of Privacy Practices
    • Review for Omnibus Rule compliance
    • Confirm distribution/posting requirements are being met
  • Patient Access
    • Review policy and procedure
    • Review related documentation
  • Security Rule
    • Review policies and procedures on transmission security, devices (focus on mobile devices), and facility access control
    • OCR recommends reviewing mobile device policy “at least annually”

Phase 2: Recommendations – General
  • Policies and Procedures
    • Review policies against current OCR protocol (and new protocol once available)
    • Confirm that Omnibus Rule changes have been incorporated as applicable
  • Supporting Documentation
    • Confirm that documentation required by policies is actually being kept on file
    • Review documentation against current OCR protocol (and new protocol once available)

Phase 2: Recommendations – General (continued)
  • Audits
    • Conduct self audit
    • Obtain third party mock audit
  • Training
    • Review and update training program as necessary
    • Review documentation of training
    • Provide annual training and remedial training

Bricker & Eckler
100 South Third Street
Columbus, Ohio 43215
Karen Smith: (614) 227-2313
ksmith@bricker.com