HIPAA Audits: Are You Ready For the Next Wave? Karen D. Smith, Esq. Partner Bricker & Eckler LLP 100 S. Third Street Columbus, OH 43215 [email protected] (614) 227-2313
Dec 15, 2015
HIPAA Audits: Are You Ready For the Next Wave?
Karen D. Smith, Esq.Partner
Bricker & Eckler LLP100 S. Third Street
Columbus, OH [email protected]
(614) 227-2313
3
HITECH Enforcement
Increased enforcement under HITECH Increased penalties State AG enforcement Public records of breach notifications BAs directly subject to penalties HHS audits
Background
4
HITECH Enforcement
HITECH Act requires HHS to conduct HIPAA audits (42 USC §17490) “The Secretary shall provide for periodic audits to
ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”
Background
5
OCR sought a comprehensive and flexible process for analyzing entity efforts to provide regulatory protections and individual rights
Identify (1) best practices and (2) uncover risks not identified through other enforcement tools
Encourage consistent attention to compliance activities
Phase 1PROGRAM OPPORTUNITY
6
Audits Performed
115 performance audits conducted through December 2012 Initial 20 audits to test original audit protocol Final 95 audits using modified audit protocol
Phase 1
7
Overall Cause AnalysisPhase 1
For every finding cited in the audit reports, audit identified a “cause”
Most common across all entities: entity unaware of requirement. 30% (289 of 980 findings)
• 39% (115 of 293) of Privacy• 27% (163 of 593) of Security• 12% (11) of Breach Notification
Most of these related to elements of the Rules that stated what a covered entity had to do to comply
Other causes, included but not limited to: Lack of application of sufficient resources Incomplete implementation Complete disregard
8
Unaware of the Requirement Privacy
notice of privacy practices access of individuals minimum necessary authorizations
Security risk analysis media movement and disposal audit controls and monitoring
Phase 1 Cause Analysis: Top Elements
9
Recommendations for the Audit Program
Implement a risk-based approach would allow OCR to determine areas of the Rules that
require implementation of controls, which, if not implemented effectively, would pose the greatest risk to the protection of PHI
OCR should consider a multi-tiered audit approach that can be tailored based on entity type, area or a hybrid
Phase 1
10
Who Can Be Audited?
Any covered entity Health plans of all types Health care clearinghouses Individual and organizational providers of all sizes
Any business associate Selection through covered entities’ identification of their
business associates
Phase 2
11
Covered Entity Pool Have selected a pool of covered entities eligible for audit Used resources developed through Booz Allen Hamilton
contract Health care providers selected through NPI database Clearinghouses & Health Plans from external databases (e.g., AHIP)
Random selection used when possible within types Wide range (e.g., group health plans, physicians and
group practices, behavioral health, dental, hospitals, laboratories)
Phase 2
12
Pre-Audit Survey Available entity databases lack data for entity stratification Survey currently being processed through Paperwork Reduction Act
clearance Questions address
size measures location services best contacts
OCR will conduct address verification with entities this spring Entities will receive link to online screening “pre-survey” this
summer; Expect to contact 550-800 entities OCR will use results of survey to select a projected 350
covered entities to audit
Phase 2
13
Audit Approach Primarily internally staffed Selected entities will receive notification and data requests in fall
2014 Entities will be asked to identify their business associates and
provide their current contact information Will select business associate audit subjects for 2015 first wave
from among the BAs identified by covered entities Desk audits of selected provisions Comprehensive on-site audits as resources allow
Phase 2
14
TimingPeriod Activity
Spring 2014 CE address verification
Summer 2014 Pre-audit surveys link sent to covered entity pool
Fall 2014 Notification and data request letters to selected entities
Two weeks Period for entity response
October 2014 - June 2015
CE audit reviews
2015 Business associate audits
Phase 2
15
Desk Audit Expectations Data request will specify:
content and file organization file names any other document submission requirements
Requested data will only be assessed if it is submitted on time
Documentation must be current as of request date
Phase 2
16
Desk Audit Expectations
Documents must accurately reflect the program Auditors will NOT have the opportunity to contact the entity for
clarifications, or to seek out additional information Do not submit extraneous information: OCR says it may
increase difficulty for auditor to find and assess required items
Failing to respond to requests may lead to referral for regional compliance review
Phase 2
17
On-site Audit Expectations
Very little detail provided by HHS “Comprehensive on-site audits as resources allow” Interviews with key personnel Observations of processes and operations 3-10 days (in round 1) Length of audit depends on complexity of CE
Phase 2
18
Protocol Criteria Auditors will assess entity efforts via an updated protocol
New criteria will reflect the omnibus rule changes, more specific test procedures
Sampling methodology will be used in many provisions to assess compliance efforts
Provisions that resulted in a high quantity of compliance failures in the pilot audits will be targeted through the desk audits
The website will include the updated protocol for the entities’ use
Phase 2
19
Audit Focus
2014 Covered Entities
Security: Risk analysis and risk management Breach: Content and timeliness of notifications Privacy: Notice and access
Phase 2
20
Audit Focus
2015 Round 1: Business Associates
Security: Risk analysis and risk management Breach: Breach reporting to CE
Round 2: Covered Entities (Projected) Security: Device and media controls, transmission security Privacy: Safeguards, training
Phase 2
21
Audit Focus
2016 Projected
Security: • Encryption and decryption• Facility access control (physical)• Other areas of high risk as identified by 2014 audits, breach
reports and complaints
Phase 2
22
Recommendations – Focus Areas
Risk Analysis Review most recent Risk Analysis Consider conducting new Risk Analysis Consider obtaining third-party review of Risk Analysis
Business Associates Review and update BA list Review template BAA Amend BAAs for Omnibus Rule compliance by Sept. 23 Engage BAs in dialogue on compliance (e.g., BAs should
conduct own risk analyses)
Phase 2
23
Recommendations – Focus Areas
Breach Documentation Review breach log Review template notice and timeliness of past notices Review files associated with breaches Per OCR, files should include:
• Documentation of root cause of breach• Documentation of compliance gap resulting in breach• Documentation that root cause was addressed
Phase 2
24
Recommendations – Focus Areas
Notice of Privacy Practices Review for Omnibus Rule compliance Confirm distribution/posting requirements are being met
Patient Access Review policy and procedure Review related documentation
Security Rule Review policies and procedures on transmission security,
devices (focus on mobile devices), and facility access control OCR recommends reviewing mobile device policy “at least
annually”
Phase 2
25
Recommendations - General Policies and Procedures
Review policies against current OCR protocol (and new protocol once available)
Confirm that Omnibus Rule changes have been incorporated as applicable
Supporting Documentation Confirm that documentation required by policies is actually being
kept on file Review documentation against current OCR protocol (and new
protocol once available)
Phase 2
26
Recommendations - General Audits
Conduct self audit Obtain third party mock audit
Training Review and update training program as necessary Review documentation of training Provide annual training and remedial training
Phase 2