AHLA
B. HIPAA Compliance Audits

Marti Arvin, Chief Compliance Officer
UCLA Health System and David Geffen School of Medicine, Los Angeles, CA

Anna C. Watterson, Associate
Davis Wright Tremaine LLP, Washington, DC

Agenda
• Brief overview of the Pilot Audit Program
• Program implementation, protocols and compliance gaps
• What to expect in 2015
• Onsite and offsite audits for covered entities and business associates
• Continuing challenges to preparing for an OCR audit, onsite versus offsite
• Tips for evaluating your HIPAA compliance program and making sure you can demonstrate compliance
Pilot Audits – Recap
• HITECH Act requires OCR to conduct periodic HIPAA compliance audits of covered entities and business associates
• OCR launched its audit program in 2010 and conducted 115 audits in 2011 and 2012
• Pilot audits were onsite and evaluated compliance with specific components of the HIPAA Privacy, Security and Breach Notification Rules against set protocols posted on the OCR website
• Why are the pilot audits important?
Pilot Audits – Key Findings
The pilot audits shed light on the most problematic areas for HIPAA compliance.
• Widespread issues: only 11% of the audited entities did not have a finding or observation; only 2 of these entities were providers
• Security compliance: covered entities struggled the most with Security Rule compliance
• Health care providers: health care providers had more findings and observations than health plans or health care clearinghouses
• Small organizations: small organizations, regardless of type of organization, had the most findings and observations

Pilot Audits – Security Rule Findings
• Nearly all providers had at least one finding or observation
• Approximately 80% of providers and nearly 57% of health plans did not have a complete or accurate risk analysis
• Findings included:
  o Risk Analysis
  o Access Management
  o Security Incident Procedures
  o Contingency Planning and Backups
  o Workstation Security
  o Media Movement and Destruction
  o Encryption
  o Audit Controls and Monitoring
  o Integrity Controls
Pilot Audits – Privacy and Breach
• Privacy Rule findings included:
  o Notice of Privacy Practices
  o Right to Request Privacy Protections
  o Individual Access
  o Administrative Requirements
  o Uses and Disclosures
• Breach Notification Rule findings included:
  o Methods of Individual Notification
  o Burden of Proof
  o Timeliness of Notification
  o Notification to Individuals

Pilot Audits – Key Takeaways
• Demonstrating compliance means more than having policies and procedures – can you demonstrate that breach notifications were provided to individuals through an acceptable method (including substitute notification) for any breach?
• 59% of covered entities were not aware of the audit program prior to receiving the notification letter
• 56% became aware of additional HIPAA requirements as a result of the audits
• Now is the time to assess HIPAA compliance – after you receive a notification letter might be too late.

Upcoming Audits – 2015-2016
• OCR will conduct comprehensive onsite audits of both covered entities and business associates – both on a resource-dependent basis
• OCR will conduct approximately 200 offsite audits (paper review only) of limited scope (targeting areas of high compliance failures, including risk analysis)
• Timeline: delayed due to OCR updating technology for surveys, document submissions and data analytics
Upcoming Audits – Audit Process
• OCR Verification: OCR began contacting covered entities in the spring to confirm contact information. OCR recently confirmed it is still completing this process.
• Survey: OCR will send a pre-audit survey to entities in the selection pool. OCR is currently developing a portal for survey responses. OCR will use this information, in part, to select auditees.
• Notification and Data Request: OCR projected that it would start sending notifications and data requests in October 2014. This has been delayed – no update from OCR on timing.
Upcoming Audits – Covered Entity Onsite Audits
• Additional funding has allowed for more onsite audits than previously planned
• OCR will conduct an unknown number of comprehensive onsite audits in the next round
• Covered entities should expect onsite audits to include a review of all three rules, including Security Rule risk analysis, individual access under the Privacy Rule and notifications under the Breach Notification Rule
• OCR will be looking to see if covered entities are following their policies
• If you have a sanctions policy, can you demonstrate that you are actually sanctioning employees in accordance with your policy?
Upcoming Audits – Covered Entity Offsite Audits
• Projected offsite audits for approximately 200 CEs, with a heavier focus on providers
• Offsite audits will have a limited focus
  o 2014 focus: risk analysis and risk management; content and timeliness of breach notifications; notice and access
  o 2015 focus: device and media controls; transmission security; privacy safeguards, training to policies and procedures
  o 2016 focus (projected): encryption and decryption, facility access control (physical security), high risk areas as identified in earlier audits, breach reports and complaints

Upcoming Audits – Business Associates
• Covered entities will be asked to provide a complete list of all business associates with contact information and the services they provide
• What does this mean for BAs?
• If you are a CE, now is the time to look at your vendor management process
• BA audits expected to start in 2015 – unclear if this is still on schedule
• Focus will be Security Rule and IT-based BAs, but others will be included
• Business Associate Audit Focus - 2015:
  o Risk Analysis and Risk Management
  o Breach reporting to CE

Onsite Audits vs. Offsite Audits
• Offsite
  o Can you demonstrate compliance based on a paper review only?
  o Have you updated all P&P, BAAs, etc. since the Omnibus Rule compliance date?
  o Documentation is key
• Onsite
  o Are you prepared for government officials to come onsite to evaluate your compliance?
  o Do your practices match your policies?
  o Conduct a mock audit (consider privilege issues)
Preparing for an Audit – Basics
• Who will OCR contact? Will staff recognize and escalate a phone call or email from OCR?
• Who will be involved? Ensure collaboration between different departments
• Who will be the lead? Identify the persons in advance
• Understand everyone’s role
Preparing for an Audit – Security Rule
• Know where your data resides
• Risk Analysis
  o Must be documented
  o Risk Analysis ≠ Gap Analysis
  o Update at least every 3 years (best practice is every year); update every time there is an environmental or operational change
• Risk Management: documented, reasonable plan to reduce risks and vulnerabilities
• Implementation Specifications: Required vs. Addressable
• Evaluate administrative, physical and technical safeguards
Risk Analysis
• Who does this at your organization? Compliance? Information Technology? How involved is compliance?
• Do you know the status of your risk mitigation process?
• If you have identified a risk mitigation strategy and timeline, is anyone monitoring this?
  o Are you mitigating the risks?
  o Are you on time?
  o If not, why not?
• OCR is not likely to take the lack of resources as a basis for failing to mitigate risks

Risk Analysis
• What was your process for determining how to prioritize risks?
• Did you look at recent breaches?
• Did you have a pre-defined list of questions?
• Who determined what you were going to look at?
• What else is at risk if you did not do an adequate risk analysis? Meaningful use and the security rule risk assessment
Preparing for an Audit – Privacy Rule
• Notice of Privacy Practices – has it been updated per the Omnibus Rule?
• Review policies and procedures and ask: Are they compliant on paper? Are they followed in practice?
• Can you document sanctions? Training? (especially important after a breach)
• Documentation is key
Preparing for an Audit – Breach Notification Rule
• Do you have breach policies and procedures? Do they comply with HIPAA and state law, if applicable?
• For each incident can you show:
  o Documentation of a completed breach risk assessment (or documentation supporting applicability of an exception), or
  o Documentation of notifications (to individuals (including substitute notice), HHS, and the media, if applicable)
• Do notifications to individuals include all content requirements?
• Were there any law enforcement delays? Do you have documentation?
Conducting a Mock Audit
• Can you identify all policies and procedures?
• How will your employees answer an auditor’s questions? Do they know your policies and procedures (e.g., do they know how to properly escalate a HIPAA breach)?
• Do you have documentation for all incidents?
Responding to an OCR Data Request
1. Be responsive – provide all documentation needed to demonstrate compliance (you might not get a second chance), but don’t provide extraneous information
2. Be organized – submit files in the manner OCR requests (file type, file name, etc.)
3. Be timely – OCR will NOT provide entities the opportunity to clarify or submit additional documents
4. Clarify any documents that are unclear on their face – OCR has stated auditors will not likely contact entities to clarify or ask questions for offsite audits; failure to submit complete documentation of compliance may lead to referral for enforcement action
Audits vs. Compliance Reviews
• How is this different from a complaint or breach investigation?
• What happens if you fail an audit?
OCR Enforcement Action
• Audits may not result in enforcement action, BUT if substantial issues are identified in an audit, that could result in referral for further assessment by OCR
• We have had over eight years to get this right and OCR expects that we have most of it right
• OCR enforcement has increased recently, with nearly $8 million in settlements for 2014
State Attorney General actions and FTC actions
• HITECH gave state Attorneys General authority to bring actions on behalf of state residents
• We have seen 6 AG settlements since HITECH, with 3 in Massachusetts
• More state attorneys general are getting involved
• Notice to the AG may be required in some states if you have a data breach
• The FTC is very active in data security and privacy related enforcement actions under section 5 of the FTC Act
• You really don’t want the FTC to become involved in your data security and privacy issues
Recent Class Actions
• Stanford settlement: $4 million
• Sutter Health: ultimately dismissed, but at what cost? Started as 11 class actions
• University of Miami: $191,000
• Community Health Systems
• AvMed
Meaningful Use Audits
• If you fail a Meaningful Use audit, you risk losing incentive payments
• Ensure you have documented an accurate, complete, enterprise-wide risk analysis
Resources
• OCR Protocol – not updated per the Omnibus Rule: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• HHS Security Risk Assessment: http://www.healthit.gov/providers-professionals/security-risk-assessment
• National Institute of Standards and Technology, 800 Series: http://csrc.nist.gov/publications/PubsSPs.html
• OCR Security Risk Analysis Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf