• No results found

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents"

Copied!
10
0
0

Loading.... (view fulltext now)

Download now ( 10 Page )

Full text

(1)

2012 HIPAA Privacy and

Security Audit Readiness

Mark M. Johnson

National HIPAA Services Director

Table of contents

Page

„ Background 2

„ Regulatory Background and HITECH Impacts 3

„ Office of Civil Rights (OCR) HIPAA audit program 6

„ Meaningful Use Requirements 13

„ None Compliance Risks and Next Steps 14

„ Contact information 17

(2)

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 38075WDC 2

Background

„ The American Recovery and Reinvestment Act – HITECH Act §13411(2009): Requires

Health & Human Services (HHS) to provide for periodic audits to ensure that covered entities

and business associates comply with HIPAA Privacy and Security Rules and Breach

Notification standards.

„ HHS – Office of Civil Rights (OCR) awards two audit contracts (2011)

– $180,000 contract with Booz Allen Hamilton

„ Identify audit candidates

„ Provide background and recommendations for audit program

– $9.2 million contract with KPMG

„ Develop an audit protocol

„ Assess compliance with HIPAA privacy and security regulations

„ Conduct pilot audit program for up to 150 audits of covered entities.

– Business Associates in subsequent years

– Identification is based upon Unique Identifiers for Covered Entities

Regulatory Background - Five Key Areas of Privacy Standards

Boundaries

• Administrative,

technical, and

physical

mechanisms to

keep information

private, confidential

and secure within

internal operating

systems and

external

communications

Safeguards

• Informed consent

to use information

• Right to access

and amend

information

• Authorization for

disclosures

• Record of

disclosures

Consumer

Control

• Federal penalties

for violations

• Effective

compliance

activities to deter,

identify, and punish

violations

Accountability

• Process for

disclosing

information for

public health,

research & legal

purposes

Public

Responsibility

•What information is covered by the final rule?

The final rule covers all Individually Identifiable Health Information (IIHI)

regardless of media (electronic, written or oral).

Frequently Asked Questions (FAQs)

• Information used

only for intended

purpose and only

as much

information as

required for the

intended purpose

• Consumer use and

disclosure

statement

(3)

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 38075WDC 4

Regulatory Background - Security Rule Standards

Administrative

Procedures

„

Security Management Process

„

Assigned Security Responsibility

„

Workforce Security

„

Information Access Management

„

Security Awareness and Training

„

Security Incident Procedures

„

Contingency Plan

„

Evaluation

„

Business Associate Contracts and

Other Arrangements

Physical

Safeguards

„

Facility Access Controls

Disaster recovery

Emergency Mode

Equipment transfers

Facility security plan

Access Authorization process

(physical access)

Maintenance records

Need to know access

Sign in and escort visitors

Testing and revision

„

Workstation Use

„

Workstation Security

„

Device and Media controls over

hardware and software

Technical Standards

and Mechanisms

(Data at rest & data in transit)

„

Access and Authorization controls

Context based, role based, or user

based

Encryption

„

Audit controls (suspect access

attempts)

„

Integrity

Data authentication

„

Personal and Entity Authentication

Unique User ID

Authentication Technique

PIN

Token

Biometric

Call Back

Automatic Logoff

„

Transmission Controls

Access Controls

Audit Trail

Encryption

HITECH Act Impact

HITECH Act (Subcomponent of American Recovery and

Reinvestment Act) of 2009

Though outside of HIPAA title II, this is additional & direct legislation to

improve the original HIPAA title II requirements and to define and

tighten some open gaps

„ Establishes Breach requirement for Privacy Rule Violation

Effective date was September 23, 2009

Establishes Scope and Timeline

Clarifies definition of Breach

Likelihood of harm must be determines/assessed

„ Establishes New Penalty Levels

Uncorrected willful neglect $1.5 million to Unknowing $25K

„ Establishes compliance requirements for all PHI and PHR, whether

included in a BA agreement or not.

„ Enforcement Broadened to include State A.G.’s and Local Law enforcement

(4)

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 38075WDC 6

HITECH Oversight & DHHS Activities

„ Enforcement responsibility has been delegated to the Office of Civil

(OCR) rights for both Privacy (as of April 13, 2003) and Security (as of

July 27, 2009)

„ HITECH mandates the creation of a pilot program to assess compliance

of Covered Entities with HIPAA.

„ Plans by OCR are to conduct up to 150 assessments a year with external

service providers and a newly formed examination group.

„ States have been additionally involved in privacy exposures and have

levied fines in addition to federal guidelines, mostly leveraging State PII

laws with HIPAA Title II requirements.

„ DHHS’s OIG office reviewed 7 hospitals, independent of CMS and OCR

for compliance with HIPAA’s regulations and found 154 findings with

compliance.

„ OIG also sighted OCR for lack of enforcement and compliance activities,

which led to Congress’s mandate in the HITECH Act and OCR’s recent

Penalty activity.

OCR HIPAA audit program

OCR HIPAA Pilot Audits

„ Initial Test Audits

– Audit protocol developed to assess compliance with the HIPAA Privacy & Security Rules

will be tested on the first 20 covered entities selected

– Selection period began September 2011

– Entities were notified during November – December 2011

– Site visits scheduled for January 2012

– Audit protocol will be reviewed and refined for remaining pilot audits

– Audit protocol will be made public after the completion of the first 20 pilot audits

„ Remainder of the Audits

– Selection period potentially scheduled for 1 st Qtr 2012

– Auditee notification period likely in late 1 st Qtr or early 2 nd Qtr 2012

(5)

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 38075WDC 8

OCR HIPAA audit program (continued)

OCR HIPAA Audit Objective & Scope

„ Program Objective

– Examine mechanisms for compliance

– Identify best practices

– Discover risks and vulnerabilities

– Encourage renewed attention to

compliance activities

„ Initial Test Audits Protocol provide

assessment

– Policies

– Practices

– Operations

OCR HIPAA audit pilot program

OCR selected 20 Covered Entities to audit for the initial pilot phase

„ The pool of covered entities include:

– Health plans of all sizes

– Health care clearinghouses

– Individual and organizational providers

– Business Associates will not be included in pilot phase

„ Selection Criteria include:

– Public versus Private

– Entity’s size

– Geographic location

– Type of entity and relationship to patient care

– Affiliation with other health care organization

(6)

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 38075WDC 10

OCR HIPAA audit pilot program (continued)

First 20 Covered Entities grouped into 4 categories

Level 1 Entities

„ Large Provider/Payer

„ Extensive use of HIT – complicated HIT

enabled clinical/business work streams

„ Revenues and or assets greater than $1 billion

Level 2 Entities

„ Large regional hospital system

(3 – 10 hospitals/region)/Regional Insurance

Company

„ Paper and HIT enabled work flows

„ Revenues and or assets between $300 million

and $1 billion

Level 3 Entities

„ Community hospitals, outpatient surgery,

regional pharmacy/All Self-Insured entities that

don’t adjudicate their claims

„ Some but not extensive use of HIT – mostly

paper based workflows

„ Revenues between $50 Million and

$300 million

Level 4 Entities

„ Small Providers (10 to 50 Provider Practices,

Community or rural pharmacy)

„ Little to no use of HIT – almost exclusively

paper based workflows

„ Revenues less than $50 million

Test of Initial 20 Audits

Overview of HIPAA Audit Project

July Aug Sept Oct Nov Dec Jan Feb Apr May – Dec.

Initial Protocol

Development

Auditee

Selection

Test of

Protocol

Audit Execution –

Remaining Audits

Period of

Review/

Adjustment

of Protocols

2011 2012

Auditee

Notification

(7)

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 38075WDC 12

Audit Timeline

Meaningful use: Core set 15 requirements

„ Objective:

– Protect electronic health information created or maintained by the certified eHR technology

through the implementation of appropriate technical capabilities.

„ Measure:

– Conduct or review a security risk and implement updates as necessary and correct

identified security deficiencies as part of the Eligible Provider’s, Eligible Hospital’s, or

Critical Access Hospital’s risk management process per HIPAA Security

Rule 45 CFR 164.308(a)(1)

„ Perform HIPAA Security Risk Assessment for 3 sets Controls:

– Application Layer:

– Infrastructure Layer:

– Enterprise Controls:

„ Evidence of Compliance with Security Rule:

– Design evidence

– Operational evidence

(8)

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 38075WDC 14

Loss of Contracts

Criminal and Civil investigation

Federal and State fines

Public Harm and Reputational Risk

Fines and Penalties

Legal Costs

Cost of Notification

Non-Compliance Risks

Conduct a robust Assessment with an Annual or

Bi-Annual reassessment for compliance

Determine Lines of Business affected by HIPAA

Consider internal employee information in

evaluation

Map/Flow PHI movement within your organization,

as well as flows to/from third parties

Perform Data discovery to find all of your PHI

Establish effective technical safeguards over PHI

(encryption, access management, restriction for

required use only)

Next Steps to Consider

(9)

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 38075WDC 16

Next Steps to Consider

Increase your Monitoring program, establish an

effective ERM program as well as GRC services

Leverage GRC to do exception reporting on incidence,

security protection and access monitoring

Don’t forget your third party vendors in assessment

Establish an incident response team

Train affected employees annually

Plan ahead for impact of HIPAA across the organization

• Determine possible common responsibilities and oversight of IT,

Information Security, and Internal Audit

• Assess overlap between controls oversight and management

Determine control and safeguard catalogue for HIPAA prior to

remediation – know what you’re going after

Engage impacted departments (IT, HR, Business, IA) early in the

planning

Assess your ability to combine HIPAA compliance activities with other

compliance activities like PCI, (Unified Compliance), to increase the

effectiveness & efficiency of your compliance programs

Conclusions & Final Thoughts

(10)

© 2012 KPMG LLP, a Delaware limited liability

partnership and the U.S. member firm of the KPMG

network of independent member firms affiliated with

KPMG International Cooperative (“KPMG

International”), a Swiss entity. All rights reserved.

38075WDC

The KPMG name, logo and “cutting through

complexity” are registered trademarks or trademarks

of KPMG International.

Mark M. Johnson

mmjohnson@kpmg.com

References

Download now ( PDF - 10 Page - 433.58 KB )

Related documents

2 & 3 Sector 144, Noida

Disclaimer: There may be minor variations in this unit plan or its mirror image due to structural and architectural adjustments in the final layout. The decision of the architect

Infusing Technology: A Study of the Influence of Professional Development on How Teachers Use Technology

This study examined whether a quality professional development course, Infusing Technology, influenced teachers‘ integration of technology, their knowledge of digital tools

RoSPA s Evidence to the Transport Safety Commission Inquiry UK Transport Safety

Co-ordination with the priorities and work of government departments (especially, Transport, Health, Education, Home Office and Justice), and between the Scottish Government, Welsh

Fraud Detection in Online Banking Using HMM

In “credit card fraud detection with a neural network” paper, Using data from a credit card issuer, a neural network based fraud detection system was trained on a large sample

How To Make A Profit From A Factory

Cesoie Punzonatrici idrauliche Linee automatiche a CNC di punzonatura, foratura e taglio termico Linee automatiche a CNC di punzonatura e foratura Linee automatiche a

Examining the complex relationship of customer satisfaction and loyalty within the Australian retail banking market: A multigroup analysis between high and low-involvement product types

Hinchcliff, Mercedez, Examining the complex relationship of customer satisfaction and loyalty within the Australian retail banking market: A multigroup analysis between high

Innovations in Monetary Policy

By modelling reserves as demand determined, conditioned on the prevalent interest rates in the economy and allowing the central bank to set the interest rate and then provide

Identification of p62 as interaction partner of ARTD9: is ARTD9 degraded by autophagy?

Protein complexes from GST macro domain 9Tm and mD2 pull-downs with LPS treated RAW- 264.7 extracts were analyzed by western blot in order to validate the interaction partners identi