HIPAA Compliance Audits: Your Newest Risk: Are You Prepared?
Presented by: Melissa (Lisa) Thompson, JD, MPH and Elizabeth Lamkin, MHA
Speakers
Elizabeth Lamkin, MHA
CEO
PACE Healthcare Consulting, LLC
www.pacehcc.com
Melissa (Lisa) Thompson, JD, MPH
Partner
Adelman, Sheff & Smith, LLC
www.hospitallaw.com
This presentation is provided for informational purposes only and does not constitute legal advice.
• Panacea has prepared this seminar using official Centers for Medicare and Medicaid Services (CMS) documents and other pertinent regulatory and industry resources. It is designed to provide accurate and authoritative information on the subject matter. Every reasonable effort has been made to ensure its accuracy. Nevertheless, the ultimate responsibility for correct use of the coding system and the publication lies with the user.
• Panacea, its employees, agents and staff make no representation, warranty or guarantee that this information is error-free or that the use of this material will prevent differences of opinion or disputes with payers. The company will bear no responsibility or liability for the results or consequences of the use of this material. The publication is provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose.
• The information presented is based on the experience and interpretation of the publisher. Though all of the information has been carefully researched and checked for accuracy and completeness, the publisher does not accept any responsibility or liability with regard to errors, omissions, misuse or misinterpretation.
• Current Procedural Terminology (CPT®) is copyright 2011 American Medical Association. All Rights Reserved. No fee schedules, basic units, relative values, or related listings are included in CPT. The AMA assumes no liability for the data contained herein. Applicable FARS/DFARS restrictions apply to government use.
• CPT® is a trademark of the American Medical Association.
• Copyright © 2012 by Panacea. All rights reserved. No part of this presentation may be reproduced in any form whatsoever without written permission from the publisher.
Published by Panacea, 287 East Sixth Street, Suite 400, St. Paul, MN 55101
HIPAA Audits
• Mandated by the American Recovery and Reinvestment Act of 2009 (ARRA) in the HITECH Act
• Rolled out by the Office for Civil Rights (OCR) as a pilot program in November 2011 using KPMG LLP
• Covered entities audited first, business associates to follow
• Goals – conduct up to 150 audits and establish
HIPAA Audit Process
• Notification letter requesting production of documents and information within 10 business days
• Notice of onsite visit -- 30 to 90 business days
• Onsite visits last between 3 and 10 business days
• 20 to 30 business days later, auditors submit a draft report to the covered entity
• 10 business days allowed for the covered entity to comment
• 30 business days later, the final audit report
Sample HIPAA Audit Letter from OCR
Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf
• Audits are primarily a compliance improvement activity.
• Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective.
• Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem.
Enforcement and Liability
• OCR typically tries to resolve using voluntary compliance, corrective action and/or a Resolution Agreement/monetary settlement
• OCR can impose Civil Monetary Penalties (CMPs)
• Referral to the Department of Justice
  - Criminal penalty risk for the entity and individuals (fines/prison): “knowingly” obtaining or disclosing PHI
  - DOJ interprets “knowingly” as knowledge of the actions; it does not require knowing that the actions are a violation of HIPAA
HIPAA Security Rule
• National standards for security of electronic Protected Health Information (ePHI)
• Standards are stated as “implementation specifications” that are either required or addressable
  - Note: caveat on “addressable” specifications
• Enforced by the Office for Civil Rights (OCR)
“Addressable”
• Addressable is not the same as optional!
• Addressable means the entity must:
  - Perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the entity’s environment
  - Decide whether to implement the addressable specification as-is, implement an equivalent alternative that still allows compliance, or not implement either one
Designated Security Official
• Must have a “Designated Security Official”
  - This is required under the Security Rule
• Responsible for developing and implementing
Security Rule Policies and Procedures
• Security policies and procedures are required
  - Must be periodically reviewed and updated in response to environmental or organizational changes that affect security of ePHI.
• 6-year document retention requirement
  - Written security policies and procedures
Are Existing Policies Sufficient?
• Entities typically have some form of security policies/procedures in place
  - Usually IS/IT Department policies
  - May be called “Standard Operating Procedures”
  - Could be in place with a vendor, if the IS/IT department is outsourced
• Do they cover all of the HIPAA Security Rule standards and implementation specifications?
  - Security Official works with Privacy Officer and/or Legal
  - One approach does not fit all!
• Look at existing policies in the context of specific Security Rule requirements -- are there any holes?
• How will the policies and procedures function within the organization?
• Do the policies need renaming or reorganizing?
  - Should there be one layer or more than one layer? (e.g., Security policies and technical IS/IT department SOPs)
Standard: Contingency Plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
The Contingency Plan Standard has three “Required” and two “Addressable” Implementation Specifications:
• Data Backup Plan (Required)
• Disaster Recovery Plan (Required)
• Emergency Mode Operation Plan (Required)
• Testing and Revision Procedures (Addressable)
• Applications and Data Criticality Analysis (Addressable)
HIPAA Security Rule Implementation Specifications Under “Contingency Plan” Standard
• Data backup plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
• Disaster recovery plan: Establish (and implement as needed) procedures to restore any loss of data.
• Emergency mode operation plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
• Testing and revision procedures (Addressable): Implement procedures for periodic testing and revision of contingency plans.
• Applications and data criticality analysis (Addressable): Assess the relative criticality of specific applications and data in support of other contingency plan components.
HIPAA Security Rule Implementation Specifications Example
Standard: Security Management Process
Implement policies and procedures to prevent, detect, contain, and correct security violations.
The Security Management Process Standard has four Required Implementation Specifications:
1. Risk Analysis
2. Risk Management
3. Sanction Policy
4. Information System Activity Review
Implementation Specifications Under Security Management Process Standard
• Sanction policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
• Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
• Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
• Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to
Security Policies and Risk Analysis
• Risk Analysis is a required Security Rule implementation specification.
• Depending on the results from the Risk Analysis:
  - Security controls may have to be added or adjusted
  - Policies and procedures may need to be revised or drafted
Risk Analysis
• Required by the HIPAA Security Rule at 45 CFR 164.308(a)(1)
• Also a CMS Stage 1 core objective measure to achieve EHR meaningful use to qualify for EHR incentive payments
• Security risk analysis is an ongoing process
  - Regular review of records to track access and detect security incidents
  - Periodic evaluation of the effectiveness of security measures in place
What is a Risk Analysis?
• Assessment of potential risks and vulnerabilities to confidentiality, integrity and availability of ePHI in all forms of electronic media
• Potential risk = the net mission impact considering:
  - Likelihood of particular threats occurring
Nine Essential Elements of Risk Analysis
1. Scope of the analysis – all ePHI created, received, maintained, or transmitted (all electronic media)
2. Data collection and documentation
3. Identify and document potential threats and vulnerabilities
4. Assess current security measures
5. Determine likelihood of threat occurrence
6. Determine potential impact of threat occurrence
7. Determine level of risk and corrective actions
8. Finalize documentation
9. Periodic review and updates to the Risk Analysis
• Entities will need to determine a method to use
• A quantitative method could be used for the Likelihood, Potential Impact and/or Level of Risk sections
• Different descriptive levels could be used - for example, Potential Impact could be low, medium, high and critical
• Other methods can be used instead
Example: Billing Department Servers
Threat: Flood waters impacting computer systems (facility in flood zone)
  Vulnerability: Billing department servers are located on the ground floor
  Likelihood estimate: Low
  Potential impact: High
  Risk level: High
  Corrective actions: The IS department will create redundancy offsite by [DATE]
Threat: Unauthorized access by former employees
  Vulnerability: Former employees’ access codes disabled 3 days after termination
  Likelihood estimate: Medium
  Potential impact: High
  Risk level: High
  Corrective actions: The Billing department to develop a procedure to notify the IS department of employee termination and IS will
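As an added example (not the presentation's, OCR's or NIST's code), the following Python sketch turns the nine elements and the billing-server example above into a small risk register that scores each row and flags overdue corrective actions; the numeric scale, thresholds, due dates and "current measures" text are constructed assumptions, since the deck leaves the method to each entity.

```python
# Added example (not the deck's, OCR's or NIST's code): a small risk register that
# follows the nine-element outline. The scoring scale and thresholds are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}              # element 5 levels
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}   # element 6 levels


def risk_score(likelihood: str, impact: str) -> int:
    """Quantitative score = likelihood x impact (constructed method)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Element 7: map the score to a descriptive level (constructed thresholds)."""
    score = risk_score(likelihood, impact)
    if score >= 8:
        return "Critical"
    if score >= 3:
        return "High"
    return "Medium" if score == 2 else "Low"


@dataclass
class RiskItem:
    """One register row: elements 3 to 7 of the outline for one asset (element 1)."""
    asset: str
    threat: str
    vulnerability: str
    current_measures: str       # element 4: what is in place today
    likelihood: str
    impact: str
    corrective_action: str
    due: Optional[date] = None  # target date for the corrective action
    risk: str = field(init=False, default="")

    def __post_init__(self) -> None:
        self.risk = risk_level(self.likelihood, self.impact)


def prioritized(register: List[RiskItem]) -> List[RiskItem]:
    """Highest score first, so corrective actions are worked in risk order."""
    return sorted(register, key=lambda r: risk_score(r.likelihood, r.impact), reverse=True)


def overdue_actions(register: List[RiskItem], today: date) -> List[str]:
    """Element 9 (periodic review): threats whose corrective action is past due."""
    return [r.threat for r in register if r.due is not None and r.due < today]


# The two rows of the deck's billing-server example; due dates and the
# "current measures" text are constructed.
REGISTER = [
    RiskItem("Billing department servers", "Flood waters impacting computer systems",
             "Servers located on the ground floor (facility in flood zone)",
             "None documented", "Low", "High",
             "IS department to create redundancy offsite", date(2012, 6, 30)),
    RiskItem("Billing department servers", "Unauthorized access by former employees",
             "Access codes disabled only 3 days after termination",
             "Manual disablement after HR notice", "Medium", "High",
             "Billing to set up a procedure to notify IS of terminations",
             date(2012, 3, 31)),
]
```

Both deck rows come out as "High" under this scale, and the former-employee row sorts first because its score (2 x 3) exceeds the flood row's (1 x 3).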
Security Rule and Risk Analysis Tools
No set requirements for tools or methods -- additional resources:
• Office for Civil Rights (OCR)
  - Security Rule -- see website http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
  - Risk Analysis publication: Guidance on Risk Analysis Requirements under the HIPAA Security Rule
• National Institute of Standards and Technology (NIST)
  - Guide to Technical Aspects of Performing Information Security Assessments
  - Information Security Handbook: A Guide for Managers (Chapter 10)
  - An Introductory Resource Guide for Implementing the HIPAA Security Rule (Part 3)
  - Managing Risk from Information Systems (draft)
  - HIPAA Security Rule Toolkit
OCR Links: Stay on Top of Recent Developments
Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
Privacy Rule: http://www.hhs.gov/ocr/privacy/index.html
Sign up for the OCR Privacy and Security Listserv: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/listserv.html
One more thing . . . for hospitals
• Enforcement authority for HIPAA was shifted from CMS to OCR
  - Privacy Rule: http://www.hhs.gov/ocr/privacy/
• BUT the latest news from CMS is:
  - Revisions to the State Operations Manual
  - More details in privacy/security survey instructions
  - Link to new CMS guidance on privacy surveys: http://www.cms.hhs.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/SCLetter12_18-.pdf
CoP: Patient’s Rights
Standard: Privacy and Safety
A-0143 OLD Survey Procedures:
Conduct observations to determine if patients are provided privacy during examinations, procedures, treatments, surgery, personal hygiene activities and discussions about their health status/care and other appropriate situations. Are names posted in public view? Is patient information posted in public view? Is the hospital promoting and protecting each patient’s right to privacy?
A-0143 New Survey Procedures §482.13(c)(1)
• Conduct observations/interview patients or their representatives to determine if patients are provided reasonable privacy during examinations or treatments, personal hygiene activities and discussions about their health status/care and other appropriate situations.
• Review hospital policy and interview staff concerning their understanding of the use of patient information in the facility directory. Does the policy address the opportunity for the patient or patient’s representative to restrict or prohibit use of patient information in emergent and non-emergent situations?
• Review hospital policy and conduct observations/interview staff to determine if reasonable safeguards are used to reduce incidental disclosures of patient information.
• If audio and/or visual monitoring is utilized in the med/surg or ICU setting, conduct observations to determine that monitor screens and/or speakers are not readily visible or audible to visitors or the public.
CoP: Patient’s Rights Standard: Confidentiality of Patient Records
A-0147 OLD Survey Procedures:
Observe care units. Is patient information posted where it can be viewed by visitors or other non-hospital staff? Are medical records accessible to people not involved with the patient’s care? Is it likely that unauthorized persons could read or remove the clinical record? Are patient clinical information/records available and accessible at the bedside or in the patient’s room where people not involved in the
A-0147 Survey Procedures §482.13(d)(1)
• Verify that the hospital has policies and procedures addressing the protection of information in patients’ medical records from unauthorized disclosures.
• Observe locations where medical records are stored to determine whether appropriate safeguards are in place to protect medical record information.
• Interview staff to determine their understanding of and compliance with the hospital’s policies and procedures for protecting medical record information.
A-0441 OLD Survey Procedures §482.24(b)(3)
• Verify that only authorized persons are permitted access to records maintained by the medical records department.
• Verify that the hospital has a policy to grant patients direct access to his/her medical record if the responsible official (e.g., MD/DO responsible for patient’s care) determines that direct access is not likely to have an adverse effect on the patient.
• Verify that medical records and other confidential patient information are released only for patient care evaluation, utilization review, treatment, quality assurance programs, in-house educational purposes, or in accordance with Federal or State law, court orders, or subpoenas.
CoP: Medical Record Services
A-0441 New Survey Procedures §482.24(b)(3)
• Verify that policies are in place that limit access to, and disclosure of, medical records to permitted users and uses, and that require written authorization for other disclosures. Are the policies consistent with the regulatory requirements?
• Observe whether patient records are secured from unauthorized access at all times and in all locations.
• Ask the hospital to demonstrate what precautions are taken to prevent physical or electronic altering of content previously entered into a patient record, or to prevent unauthorized disposal of patient records.
• Verify that patient medical record information is released only as permitted under the hospital’s policies and procedures.
• Conduct observations and interview staff to determine what safeguards are in place or precautions are taken to prevent unauthorized persons from gaining physical access or electronic access to information in patient records.
• If the hospital uses electronic patient records, is access to patient records controlled through standard measures, such as business rules defining permitted access, passwords, etc.?
• Do the hospital’s policies and procedures provide that “original” medical records are retained, unless their release is mandated under Federal or State law, court order or subpoena? Interview staff responsible for medical records to determine if they are aware of the limitations on release of “original” medical records.
So Why is This Important Now?
• Prior to the HITECH Act, under Section 1176(a) of the Act, 42 U.S.C. 1320d-5(a), the Secretary of HHS could impose civil monetary penalties:
  - Any person who violates a provision of this part: a penalty of not more than $100 for each violation
  - Except that the total amount for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000
So Why is This Important Now?
• Effective February 18, 2009, section 13410(d) strengthened enforcement of the HIPAA rules
  - Modified Section 1176(a) establishes categories of violations that reflect increasing levels of culpability, requires that a penalty determination be based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation, and establishes tiers of increasing penalty amounts…
So Why is This Important Now?
• Summary of tiers for each person – Minimum Penalties:
  - (3)(A) $100 each violation, capped at $25,000/calendar year for identical violation
  - (3)(B) $1,000 each violation, capped at $100,000/calendar year for identical violation
  - (3)(C) $10,000 each violation, capped at $250,000/calendar year for identical violation
  - (3)(D) $50,000 for each violation, capped at
What are the penalties?
• Violation that the entity did not know and, by exercising reasonable diligence, would not have known violated the law?
  - $100 minimum up to $50,000 for each violation
• Violation due to reasonable cause but not willful neglect?
  - $1,000 minimum up to $50,000 for each violation
• Willful neglect?
  - If corrected within 30 days, $10,000 minimum up to $50,000 for each violation
  - If not corrected within 30 days, $50,000 minimum per violation
• There is a $1.5 million annual aggregate cap for identical
Reasonable diligence is required to detect and correct violations within 30 days or monetary penalties apply.
What is reasonable diligence? The business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect results in mandatory penalties, higher if violations are not corrected within 30 days.
What is willful neglect? Conscious, intentional failure or reckless indifference to the obligation to comply (CFR 160.401).
The Secretary can waive monetary penalties if there is reasonable cause and payment would be excessive relative to the violation.
What is reasonable cause? Circumstances that would make it unreasonable for the entity to comply, despite the exercise of ordinary business care and prudence.
How are the Security Rule and the HITECH Act Different from the HIPAA Privacy Rule?
• The Security Rule and the HITECH Act are specific to safeguards to protect the confidentiality, integrity and availability of electronic protected health information.
• The Privacy Rule sets standards for how protected health information should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information.
Source: Federal Register/Vol. 68 No. 34
How Will This Affect Operations?
Training
• Much of the training staff receives revolves around HIPAA Privacy
• Both Privacy and Security must be defined separately
  - Part of all staff orientation
  - Can additionally be part of annual competency reviews
• Designated Security Official must be current and receive ongoing training
• Training must include the entire workforce, not just employees (e.g., trainees, volunteers, and all others the entity has control over)
How Will This Affect Operations?
• Develop Policies and Procedures (P&Ps)
• Apply the Performance Improvement Process of Measuring/Auditing to ensure Compliance with P&Ps
  - Periodic audit of orientation/evaluations for proof of training and understanding
  - Audit through rounding by adding simple HIPAA Security questions to existing rounding tools
  - Develop questions directly from policies that relate to staff. For example:
    o Have you changed your password according to policy?
    o Do you have administrative rights at your local computer?
    o Observe privacy and security on the units – can you easily view patient names on screens, what do signs on the patient doors say . . . (look at the new CMS CoP guidance)
How Will This Affect Operations?
• Develop Key Performance Indicators (KPIs) for the Facility and each Department for HIPAA Security
  - Report KPIs on a regular, consistent basis
  - Make part of the compliance report to the Compliance Committee and Governing Board
• Develop and implement ongoing risk assessment and risk management for security of PHI
  - Include self audits of HIPAA requirements, accreditation requirements, and CoPs (based on the new CMS
Sample Checklist
This is a small snapshot of a 3+ page assessment developed with Mulholland Information Security, LLC
Summary
• Get Prepared Now Before Audits are Expanded
• Audit Yourself for Compliance and Act Accordingly
• Perform ongoing Risk Analysis and Risk Management