Amphion Medical Solutions Shaping the future of health document management PRESENTS Privacy and Security: OCR Announces New Audit Protocols Kelly McLendon, RHIA, CHPS Managing Director, CompliancePro Solutions © 2012 Amphion Medical Solutions


Dec 15, 2015

Transcript
Page 1

Amphion Medical Solutions
Shaping the future of health document management

PRESENTS
Privacy and Security: OCR Announces New Audit Protocols

Kelly McLendon, RHIA, CHPS
Managing Director, CompliancePro Solutions

© 2012 Amphion Medical Solutions

Page 2

Agenda

About Amphion
Today’s topic presented by Kelly McLendon
Presentation
Q&A
Wrap up by Amphion

Page 3

National, privately owned company
Over 200 integrated EHR/HIS clients
HQ in Madison, Wisconsin
Healthcare technology leader
Cloud-based technology platform
Speech Language Understanding

Page 4

Core offerings

Transcription services with CDA technology
Coding, quality and compliance
Core measure outsourcing
ICD-10 education and training

Page 5

Trends and Challenges

Operational
Reduce costs
Preserve capital
Leverage enterprise applications
Manage resources
Improve departmental and personnel satisfaction

Sharing of clinical data
Systems interoperability
Interfaces/integrations
EHR adoption/incentives
Structured content w/o sacrificing narrative
MU Stage 2

Page 6

Kelly McLendon, RHIA, CHPS

Founder of CompliancePro Solutions, which has developed a state-of-the-art privacy product called PrivacyPro™.

President of Health Information Xperts, a consultancy specializing in healthcare privacy, security and HIM automation.

Currently serves as an analyst for AHIMA on issues ranging from HITECH privacy to meaningful use.

Recently published a new book for AHIMA entitled The Legal Health Record: Regulations, Policies and Guidelines.

He has been recognized with numerous awards, including the 2003 AHIMA Visionary Award and the 2008 FHIMA Distinguished Member award, as well as many literary awards.

Page 7

Presentation for Amphion

Privacy and Security: OCR Announces New Audit Protocols

By Kelly McLendon, RHIA, CHPS
Managing Director

Page 8

ARRA / HITECH Overview

No new Omnibus rule or updates for privacy yet
We expect an Omnibus rule, or separate rules? Should be any time.
Major changes will be laid out, we expect, but what?
Enforcement will begin in earnest…
Nothing new expected for security except increased emphasis in Stage 2
HIPAA continues to expand; new AOD rules have been proposed
Breach Notification and other Final Rules expected soon, possibly by September
Meaningful Use requires Security Risk Analysis and promotes Privacy Risk Analysis too
State Attorneys General are now trained in HIPAA enforcement, so watch out; state laws are tightening
Proactive monitors of audit logs and security systems are being emphasized
KPMG gets contract working with Privacy Audits
Security and Privacy letters from OCR increasing

Page 9

ARRA / HITECH Overview

The promised OCR / KPMG Audit Protocols have been released
I have prepared a document that summarizes the protocols for Privacy, Breach and Security that are covered in the audit
77 and 88 protocols each are listed
Very comprehensive and detailed; they are meant to coincide with Security and Privacy Risk Analyses or Assessments
Security Risk Analysis has been published in the Federal Rules; Privacy never has, but it is still crucial
I have built both types of Assessments for my company

Page 10

HIPAA Privacy Rights

Under HIPAA an individual (typically a patient) has a right to, with notable exceptions:

1. Right to confidential communications
2. Right to access, view and receive (electronic if requested) copies of their PHI (protected health information) contained within the Covered Entity’s DRS (Designated Record Set)
3. Right to request an amendment to their PHI
4. Right to restrictions on disclosure of their PHI for operational and payment reasons, not treatment
5. Right to control PHI use for marketing, sales and research
6. Right to be notified of privacy breaches that could potentially cause them financial, reputational or other harm
7. Right to be notified of the CE’s privacy practices
8. Right to receive an accounting of disclosures from their DRS
9. Right to file a complaint with OCR (Office for Civil Rights)
10. Proposed Right to receive an Access Report from their electronic DRS – Not Yet! Soon?

Page 11

HITECH Privacy & Security Expansion

Markedly expands the concepts of ‘secured’ and ‘unsecured’ PHI
Secured PHI is a very important concept
Penalties for unauthorized disclosures are very steep and will be enforced
Breach Notification is in effect NOW!
Business Associates directly covered; need to incorporate new ARRA provisions into Business Associate Agreements
Patients able to restrict disclosures for self-paid services or items
Accounting of Disclosures and Access Reports Rules proposed
Privacy & Security Audits are here!

Page 12

HIPAA Privacy Enforcement

HIPAA’s criminal penalties now extend to individuals
◦ Fines of $50,000 to $250,000
◦ 1 – 10 years in jail
Improved HIPAA enforcement increases the amount of civil monetary penalties under HIPAA rules
Can impose violations even if the CE or BA ‘Did Not Know’; 30 days to cure, but very technical
In 2014 the patient gets a cut

CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

(A) Did Not Know: $100–$50,000 (each violation), up to $1,500,000
(B) Reasonable Cause: $1,000–$50,000 (each violation), up to $1,500,000
(C)(i) Willful Neglect—Corrected: $10,000–$50,000 (each violation), up to $1,500,000
(C)(ii) Willful Neglect—Not Corrected: $50,000 (each violation), up to $1,500,000

Page 13

Privacy & Security Risk Analysis

Increasingly important to perform Privacy & Security Risk Analyses (Assessments) and to document your findings
Privacy & Security Officers should work these two analyses in tandem, because there are multiple interdependencies and co-dependencies, and many times Security Events drive Privacy Incidents
All hospitals and ambulatory practices need to be performing Security and Privacy Risk Assessments
Many physicians are starting to become concerned with doing these assessments, as their attestation for MU depends upon it
Tools now exist to perform the tremendously detailed hospital IT Risk Analysis as well as the less detailed physician office Risk Assessment. Both have the same scope, but granularity and depth change considerably depending upon the sophistication of the IT shop and the volume of systems.

Page 14

HIPAA Security

Two documents sum up HIPAA Security, which is very complex; no new technologies have to be invented, rather existing technology applied:

– 19006 Federal Register / Vol. 74, No. 79 / Monday, April 27, 2009 / Rules and Regulations. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009

– NIST Special Publication 800-66 Revision 1

Page 15

NIST 800-66 Shows Where HIPAA Security Fits In

Page 16

Security is Nothing New; But There is New Urgency

There have not been new HIPAA Security Rules issued; however, there is a renewed emphasis
HIPAA Security Rule enforcement has been consolidated under the OCR (Office for Civil Rights), along with HIPAA Privacy Rule enforcement
HITECH Meaningful Use requires Security Risk Analysis for all participating CEs
The penetration and percentage of PHI that is ePHI is increasing dramatically, as are threats such as identity theft
Data exchange introduces new threats as well

Page 17

HIPAA Security Awareness

Information security is defined as the preservation of confidentiality, integrity and availability of electronic patient information used for treatment, payment or healthcare operations
HIPAA Security is the domain of the Security Officer (who must be formally designated), Compliance, Legal and IT
However, HIM and workforce members need to have a general understanding of the areas covered by HIPAA and how your organization addresses them, at least at a high level
HIM owns many of the Privacy functions that relate to Security as well. Many HIM professionals are Privacy Officers

Page 18

Proactive Audits and Monitors

Proactive auditing and monitoring for Privacy and Security events, especially with rules-based audit log monitors, is beginning to be driven by HHS, although not directly required.
Be very careful not to ignore proactive monitors, as this could lead to Willful Neglect penalties
Automation is the only credible way to manage large volumes of data within multiple audit logs; although a site could write its own, this is typically not easy.
Being proactive is key to preventing events; detected events tend to go down after the workforce is notified that proactive monitors are in place
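As an added illustration of the rules-based audit log monitoring this slide describes (example code, not part of the presentation and not any CompliancePro or Amphion product): a small Python monitor run over a constructed EHR access-log extract. The log lines, care-team table, user names, rule names and thresholds are all constructed for the example; a real monitor would pull the relationship and HR data from the ADT and HR systems.

```python
"""Rules-based monitor for EHR access audit logs (constructed example)."""
from collections import defaultdict
from datetime import datetime

# Constructed audit log extract: timestamp,user,department,patient,patient_last_name,action
AUDIT_LOG = """\
2012-06-01T09:12:00,jdoe,Cardiology,P1001,Smith,view
2012-06-01T09:14:00,jdoe,Cardiology,P1002,Lee,view
2012-06-01T23:40:00,rroe,Billing,P1003,Garcia,view
2012-06-01T10:05:00,asmith,Radiology,P1001,Smith,view
2012-06-01T14:00:00,tcook,Oncology,P2001,Patel,view
2012-06-01T14:05:00,tcook,Oncology,P2002,Nguyen,view
2012-06-01T14:10:00,tcook,Oncology,P2003,Kim,view
2012-06-01T14:15:00,tcook,Oncology,P2004,Brown,view
2012-06-01T14:20:00,tcook,Oncology,P2005,Jones,view
"""

# Constructed reference data: departments with a treatment or business relationship
# to each patient, and the last name on file for each workforce member.
CARE_TEAM = {"P1001": {"Cardiology"}, "P1002": {"Cardiology"}, "P1003": {"Oncology", "Billing"}}
CARE_TEAM.update({f"P200{i}": {"Oncology"} for i in range(1, 6)})
USER_LAST_NAME = {"jdoe": "Doe", "rroe": "Roe", "asmith": "Smith", "tcook": "Cook"}
NON_CLINICAL_DEPTS = {"Billing", "Registration", "IT"}
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59
BULK_THRESHOLD = 5              # distinct patients per user per clock hour


def parse_log(text):
    """Parse the CSV extract into dicts with a real datetime for the timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, dept, patient, last, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "dept": dept,
                        "patient": patient, "last": last, "action": action})
    return records


def run_rules(records):
    """Apply each rule to every record; return (rule, user, detail) alerts for review."""
    alerts = []
    per_hour = defaultdict(set)
    for r in records:
        # Rule 1: access without a documented treatment or business relationship
        if r["dept"] not in CARE_TEAM.get(r["patient"], set()):
            alerts.append(("NO_TREATMENT_RELATIONSHIP", r["user"], r["patient"]))
        # Rule 2: non-clinical staff reading records outside business hours
        if r["dept"] in NON_CLINICAL_DEPTS and r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("AFTER_HOURS_NONCLINICAL", r["user"], r["ts"].isoformat()))
        # Rule 3: possible self or family lookup (user's last name matches the patient's)
        if USER_LAST_NAME.get(r["user"]) == r["last"]:
            alerts.append(("SAME_LAST_NAME", r["user"], r["patient"]))
        per_hour[(r["user"], r["ts"].replace(minute=0, second=0))].add(r["patient"])
    # Rule 4: unusually many distinct patients touched by one user within one hour
    for (user, hour), patients in per_hour.items():
        if len(patients) >= BULK_THRESHOLD:
            alerts.append(("BULK_ACCESS", user, f"{len(patients)} patients from {hour.isoformat()}"))
    return alerts


def alert_counts(alerts):
    """Tally alerts by rule, the figure a Privacy Officer would track week over week."""
    counts = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in run_rules(parse_log(AUDIT_LOG)):
        print(*alert)
```

Each alert is a lead for the Privacy Officer to review, not a finding by itself; the point of the slide is that the workforce knows the monitor exists.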

Page 19

HIPAA Security Risk Analysis (Assessment)

We call it an Assessment, which means the same thing as Analysis. The details of how you perform the Risk calculations are important to recognize, as differing tools utilize differing algorithms to determine and report upon risk
A review of all current policies, procedures, plans and other documentation that support an organization’s HIPAA information security plan
A detailed organizational assessment based on NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule
Document key data and compliance measurements, identify gaps, assess risk, and mutually define a mitigation plan based on risk

Risk = Threat + Vulnerability + Impact

Page 20

Show the CompliancePro Solutions SRA Sample

Page 21

HIPAA Security Risk Assessment

Inventory of organizational IT assets
◦ Data, hardware, software, networks, facilities, users
Weaknesses or Vulnerabilities associated with those assets
◦ Internal, external, BAs
Threats that can exploit the Vulnerabilities
◦ Acts of nature, acts of man, internal, external, intentional, unintentional
Resulting Impacts
◦ Monetary, data corruption, penalties, fines, bad publicity, loss of physical assets
New risk analysis required when processes change, infrastructure changes, newly identified threats, new regulatory requirements
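An added worked example for this slide and for the Risk Analysis slide on Page 19 (example code, not from the presentation or any vendor's tool): a constructed asset inventory scored with the slide's formula, Risk = Threat + Vulnerability + Impact, beside the multiplicative formula other tools apply to the same ratings, to show why the deck warns that differing algorithms rank the same risks differently and therefore produce different mitigation plans. The asset names, 1-to-5 ratings, control gaps and thresholds are all constructed.

```python
"""Security Risk Assessment scoring over a constructed asset inventory (example only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One inventory item: data, hardware, software, network, facility or users."""
    name: str
    threat: int         # likelihood a threat acts on the asset, 1 (rare) to 5 (expected)
    vulnerability: int  # weakness present, 1 (well controlled) to 5 (no control)
    impact: int         # consequence if realized, 1 (negligible) to 5 (severe)
    control_gap: str    # mitigation still needed; empty when the control is in place


def risk_additive(a):
    """The slide's formula: Risk = Threat + Vulnerability + Impact."""
    return a.threat + a.vulnerability + a.impact


def risk_multiplicative(a):
    """The formula many other tools use on the same ratings: Threat x Vulnerability x Impact."""
    return a.threat * a.vulnerability * a.impact


def rank(assets, scorer):
    """Asset names from highest to lowest risk under the given scorer."""
    return [a.name for a in sorted(assets, key=scorer, reverse=True)]


def mitigation_plan(assets, scorer, threshold):
    """Open control gaps scoring at or above the threshold, highest risk first."""
    ordered = sorted(assets, key=scorer, reverse=True)
    return [(a.name, scorer(a), a.control_gap)
            for a in ordered if scorer(a) >= threshold and a.control_gap]


def rank_shift(assets):
    """Positions each asset moves between the two formulas; non-zero means the tools disagree."""
    add, mult = rank(assets, risk_additive), rank(assets, risk_multiplicative)
    return {name: add.index(name) - mult.index(name) for name in add}


# Constructed inventory with illustrative ratings, not real assessment data.
INVENTORY = [
    Asset("Unencrypted laptops with ePHI", 4, 5, 5, "Full-disk encryption"),
    Asset("EHR database server", 5, 1, 5, ""),   # high threat and impact, but well controlled
    Asset("Transcription file share", 3, 3, 3, "Restrict share ACLs to the transcription group"),
    Asset("Workforce users", 5, 4, 1, "Security awareness refresher"),
    Asset("Data center in flood zone", 1, 2, 5, "Test offsite backup restore"),
]

if __name__ == "__main__":
    print("additive       :", rank(INVENTORY, risk_additive))
    print("multiplicative :", rank(INVENTORY, risk_multiplicative))
    print("shift          :", rank_shift(INVENTORY))
    print("plan (add>=10) :", mitigation_plan(INVENTORY, risk_additive, 10))
    print("plan (mult>=25):", mitigation_plan(INVENTORY, risk_multiplicative, 25))
```

The file share ranks fourth under the additive formula but second under the multiplicative one, so the two tools would hand the Security Officer different mitigation plans from identical inputs.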

Page 22

HIPAA Privacy & Security Enforcement

OCR has now issued CMPs (Civil Monetary Penalties) of $4.3 million and $1 million for wrongful disclosure and failure to produce medical records on request
UCLA fined $865,000 for unauthorized access to EHR-based records. Source: complaint from two celebrities; the investigation turned up more violations.
◦ Resolution agreement led to a 3-year Corrective Action Plan being imposed.
State Attorneys General have been trained and can bring privacy-based actions in Federal Court; this will mean more enforcement. This ups the stakes for all providers, especially if you are an ongoing target of investigation
Texas has just signed a tough new law for privacy; Florida is preoccupied with pill mills and Medicaid reform, but privacy laws loom: no real downside and an opportunity to raise revenue and enhance HIE and similar activities
Phoenix cardiology $100,000: a warning shot for ambulatory practices

Page 23

Reasonable and Appropriate

Used by OCR to determine liability for fines and corrective actions
But also for the depth of some measures implemented
The concept of what is ‘reasonable and appropriate’ is subjective
◦ But since EHR criteria call for encryption (NIST FIPS publication 140-2 for acceptable types) for ePHI created, maintained and exchanged, shouldn’t encryption for data at rest and in transit be utilized?
Up to $1.5M per year fine for a continuing violation if reasonable and acceptable measures are not maintained – i.e. for not encrypting
◦ This represents a huge risk for healthcare providers

Page 24

Contractor Named to Perform Privacy & Security Compliance Audits

Formalized audit functions which can assess penalties have been created
Language to be cognizant of (note the HIM call-out, not even in the role of Privacy Officer):
◦ Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director)
◦ Examination of physical features and operations
◦ Consistency of process to policy – can we say ad hoc programs are probably not recommended?
◦ Observation of compliance with regulatory requirements

Page 25

OCR / KPMG Audit Security Protocols

Covers all parts of the Physical, Technical and Administrative Safeguards, along with Organizational Requirements and Policies, Procedures and Documentation
Must perform a HIPAA Security Risk Assessment, §164.308(a)(1)(ii)(A), and be diligent about all aspects of your reviews and mitigation plans for areas found deficient

Page 26

Show the OCR Audit Protocols

SRA Sample

Page 27

OCR Audit Protocols Within the Context of SRA (Security Risk Analysis or Assessment)

Let’s take a look at the OCR Security Audit protocols embedded within a SRA
Copies of these protocols embedded in a SRA have been provided, but this is only a snippet from a full SRA

Page 28

Show the OCR Audit Protocols Embedded Within a SRA

SRA Sample

Page 29

Next Steps For You

Keep up with additional regulations and clarifications, and continue to learn about HIPAA – Watch for the Omnibus Privacy Rule
For Privacy, be an advocate within your organization; start the dialogs now, as these new regulations will be far reaching, especially AOD, breaches, notifications and postings
Understand and foster HIPAA Security compliance; its analysis is also tied to Privacy compliance – be involved with Security Risk Analysis because your role in Privacy demands it
Consider getting credentialed with the CHPS (Certified in Healthcare Privacy and Security)…I am!

Page 30

Amphion Commitment to Privacy and Security

Employees
◦ Trained in security awareness upon hire
◦ Required to sign a confidentiality agreement
◦ Security awareness refreshers are done periodically throughout length of employment

Audit and accountability
◦ All systems set by default to block all incoming Internet traffic from unknown sources
◦ VPN, firewall, and application audit logs regularly monitored for suspicious behavior
◦ Firewalls configured for notification upon intrusion attempts

Page 31

Amphion Commitment to Privacy and Security

Risk Assessment
◦ Continuous risk analysis to identify when updates are needed
◦ Formal risk assessments performed by an outside vendor
◦ Findings reviewed and an action plan prepared to implement any changes

System and information integrity
◦ Each transcriptionist set up with a unique user account
◦ Installed version of the application is authenticated during each logon request using a private and public key combination
◦ Reverse engineering prevention
◦ All ePHI data in use by the end user on the local workstation is encrypted
◦ All encrypted files deleted from the local workstation

Page 32

Q & A

Page 33

Amphion Value Proposition

Your trusted partner in the evolving health documentation environment

Free up valuable IT resources
Innovative “right-sized” demand-based pricing model
Utilize our transcriptionists, yours or both
Integrate with your ADT and EHR solutions
CDA structured narrative, content codification, clinical concept indexing and EHR data interoperability

Page 34

Copies and Contact information

Request copies of this presentation and more information from

Kelly McLendon, RHIA, CHPS
Email: [email protected]
www.complianceprosolutions.com
321-268-0320

Page 35

Enjoyed Today’s Presenter?

Also by Kelly McLendon, RHIA, CHPS
The Legal Health Record: Regulations, Policies, and Guidance

Also check out Kelly’s Privacy Information Management Software at www.complianceprosolutions.com

Page 36

Thank you for the opportunity to speak with you today

For more information on Amphion’s solutions, contact Melinda Watman at 888-830-2644 x1456 or [email protected].