Surviving a HIPAA Audit:
What you need to know NOW
So you can cope THEN
Jonathan Krasner
www.beinetworks.com www.hipaasecurenow.com
Healthcare IT Landscape
• Meaningful Use Incentives
• EHR / Technology Implementations
• 30+ Million Patient Records Breached
• Increased HIPAA Enforcement
(Government Incentives / Regulation / Enforcement / Technology Advances)
HIPAA Violations
• Over 1200 HIPAA violations of 500+ records since 2009
• Violations occur for organizations of all sizes
• Violations occur for lots of different reasons
• Violations are increasing in size and scope
The complete list can be found at:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
2015 HIPAA Audits
• Delayed
• 550-800 Covered Entities (CE) Contacted
• 350 Covered Entities Selected
• 50 Business Associates (BA) – Phase 2
• Utilize HHS / OCR Portal to Upload Information
• Letters Will Be Sent to CEs
• 2 Weeks to Respond / Upload Information
• Size, Location, Services, Other Information, BA
• Desk Audits and Onsite Audits
• Unlike Previous Audits, Fines are Expected to be Handed Out
Meaningful Use Audits
Meaningful Use Audits Are Occurring
• Audits targeted at up to 20% (1 in 5) of eligible providers
• Organizations can be audited either pre or post payment of incentive funds
• Failed audits may require an organization to repay a full year of incentive payments
• Incentive fund repayments average ~$10,000 per eligible provider
• Failed audit for 1 year could trigger an audit in another year
• Incentive payments must be repaid within 30 days of MU audit failure notice
HIPAA Enforcement
HIPAA Regulations are enforced by HHS-OCR
Enforcement Activities
• 2015 Random Audit Program
• Breach Investigations
– Covered entities
– Business Associates
• Complaint Investigations
– Dissatisfied patients
– Disgruntled employees
Cost of Breaches
Ponemon 2013 Cost of Data Breach Study:
Estimate $233 per record
# of records    Cost
1               $233
10              $2,330
100             $23,300
1000            $233,000
10000           $2,330,000
Indirect Costs
1. Turnover of existing customers - Loss of customers / patients
2. Diminished customer acquisition - customers / patients not using a practice (Reputation is damaged)
Direct Costs
1. Detection and escalation costs - forensics investigative activities, crisis management activities
2. Notification costs - IT activities to create contact database, determination of regulatory requirements, postage, etc.
3. Post data breach costs - help desk activities, inbound communications from customers, identity protection services, etc.
(Does not include HIPAA fines)
Damage to Reputation
2012 Breaches – Categories
2012 Largest Breaches / Categories of HIPAA Breaches
1. Laptops and portable media – 40% of all breaches
2. Inappropriate access to patient information - 30% of all breaches
3. Email – Sending PHI unencrypted - 10% of all breaches
4. Hacking – 10% of all breaches
Audit
An audit is the systematic examination of books, documents and other information of an organization to ascertain whether they present a true and fair view of the subject matter. Audits provide third party assurance to various stakeholders that the subject matter is free from material misstatement.
How to survive an audit – Rule #1
To be compliant, you need to
• Appoint a privacy and security officer
• Perform an annual security risk assessment – Remediate gaps
• Have written policies and procedures
• Provide annual training to ALL employees
NOTE: This list is not exhaustive, but these are the major areas to focus on
How to survive an audit – Rule #2
How to document
• Be organized
• All documentation in one place. Examples:
– Paper file
– File share
– Web portal
What to document
• Policies and procedures
• Risk Assessment
• Work plan
• Training
– Consider testing
• Business Associate agreements
– BA Compliance
• Disaster recovery plans
• Media disposal log
HIPAA Compliance is an ongoing process
• It is not “set it and forget it”
• But it does not have to be time consuming
• The security officer needs to budget a little
HIPAA Compliance don’ts
• Don’t confuse having documentation with having good documentation
• Don’t buy a set of manuals on the Internet and think you are done
• Don’t perform a risk analysis via spreadsheet in 15 minutes
What to expect when you are audited
• Most audits request documentation via mail
• You have 30 days to comply
• Don’t just blindly send all your documentation – Review it first
– Consult a professional: compliance consultant or attorney
Audit Results
• Organizations with good documentation pass audits – HHS is not super picky. They are glad you have worked to comply
• If you have good documentation, but have suffered a breach, your penalties will be minimized
Audit Results
If you have a breach (and yes, it can happen to you)
AND
Your documentation is bad, they can throw the book at you!
We’re here to help
• MCMS endorsed HIPAA compliance program
• 2,000 clients nationwide
• Have passed 50 CMS audits; no fails