HIPAA Compliance Audits: Your Newest Risk: Are You Prepared?

(1)

HIPAA Compliance Audits: Your Newest Risk: Are You Prepared?

Presented by: Melissa (Lisa) Thompson, JD, MPH and

(2)

Speakers

Elizabeth Lamkin, MHA

CEO

PACE Healthcare Consulting, LLC

www.pacehcc.com

Melissa (Lisa) Thompson, JD, MPH

Partner

Adelman, Sheff & Smith, LLC

www.hospitallaw.com

This presentation is provided for informational purposes only and does not constitute legal advice.

(3)

• Panacea has prepared this seminar using official Centers for Medicare and Medicaid Services (CMS) documents and other pertinent regulatory and industry resources. It is designed to provide accurate and authoritative

information on the subject matter. Every reasonable effort has been made to ensure its accuracy. Nevertheless, the ultimate responsibility for correct use of the coding system and the publication lies with the user.

• Panacea, its employees, agents and staff make no representation, warranty or guarantee that this information is error-free or that the use of this material will prevent differences of opinion or disputes with payers. The company will bear no responsibility or liability for the results or consequences of the use of this material. The publication is provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose.

• The information presented is based on the experience and interpretation of the publisher. Though all of the information has been carefully researched and checked for accuracy and completeness, the publisher does not accept any responsibility or liability with regard to errors, omissions, misuse or misinterpretation.

Current Procedural Terminology (CPT ®) is copyright 2011 American Medical Association. All Rights Reserved. No

fee schedules, basic units, relative values, or related listings are included in CPT. The AMA assumes no liability for the data contained herein. Applicable FARS/DFARS restrictions apply to government use.

CPT® is a trademark of the American Medical Association.

• Copyright © 2012 by Panacea. All rights reserved.

• No part of this presentation may be reproduced in any form whatsoever without written permission from the publisher

• Published by Panacea, 287 East Sixth Street, Suite 400, St. Paul, MN 55101

(4)

HIPAA Audits

• Mandated by the American Recovery and Reinvestment Act of 2009 (ARRA) in the HITECH Act
• Rolled out by the Office for Civil Rights (OCR) as a pilot program in November 2011 using KPMG LLP
• Covered entities audited first, business associates to follow
• Goals – conduct up to 150 audits and establish

(5)

HIPAA Audit Process

• Notification letter
  o Requesting production of documents and information within 10 business days
• Notice of onsite visit -- 30 to 90 business days
• Onsite visits last between 3 and 10 business days
• 20 to 30 business days later, auditors submit a draft report to the covered entity
• 10 business days allowed for the covered entity to comment
• 30 business days later, the final audit report

(6)

Sample HIPAA Audit Letter from OCR

Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf

(7)

Audits are primarily a compliance improvement activity.

Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem.

(8)

Enforcement and Liability

• OCR typically tries to resolve using voluntary compliance, corrective action and/or a Resolution Agreement/monetary settlement
• OCR can impose Civil Monetary Penalties (CMPs)
• Referral to the Department of Justice
  o Criminal penalty risk for the entity/individuals (fines/prison)
  o “Knowingly” obtain or disclose PHI
  o DOJ interprets “knowingly” as knowledge of the actions; it does not require knowing that the actions are a violation of HIPAA

(9)

HIPAA Security Rule

• National standards for security of electronic Protected Health Information (ePHI)
• Standards are stated as “implementation specifications” that are either required or addressable
  o Note: caveat on “addressable” specifications
• Enforced by the Office for Civil Rights (OCR)

(10)

“Addressable”

Addressable is not the same as optional!

Addressable means the entity must:

• Perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the entity’s environment
• Decide whether to implement the addressable specification as-is, implement an equivalent alternative that still allows compliance, or not implement either one

(11)

Designated Security Official

• Must have a “Designated Security Official”
• This is required under the Security Rule
• Responsible for developing and implementing

(12)

Security Rule Policies and Procedures

• Security policies and procedures are required
• Must be periodically reviewed and updated in response to environmental or organizational changes that affect the security of ePHI.
• 6-year document retention requirement
  o Written security policies and procedures

(13)

Are Existing Policies Sufficient?

• Entities typically have some form of security policies/procedures in place
  o Usually IS/IT Department policies
  o May be called “Standard Operating Procedures”
  o Could be in place with a vendor, if the IS/IT department is outsourced
• Do they cover all of the HIPAA Security Rule standards and implementation specifications?

(14)

Security Official works with Privacy Officer and/or Legal

One approach does not fit all!

• Look at existing policies in the context of specific Security Rule requirements -- are there any holes?
• How will the policies and procedures function within the organization?
• Do the policies need renaming or reorganizing?
• Should there be one layer or more than one layer? (e.g., Security policies and technical IS/IT department SOPs)

(15)

HIPAA Security Rule

Standard: Contingency Plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

The Contingency Plan Standard has three “Required” and two “Addressable” Implementation Specifications:

• Data Backup Plan (Required)
• Disaster Recovery Plan (Required)
• Emergency Mode Operation Plan (Required)
• Testing and Revision Procedures (Addressable)
• Applications and Data Criticality Analysis (Addressable)

(16)

Implementation Specifications Under the “Contingency Plan” Standard

• Data backup plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
• Disaster recovery plan: Establish (and implement as needed) procedures to restore any loss of data.
• Emergency mode operation plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
• Testing and revision procedures (Addressable): Implement procedures for periodic testing and revision of contingency plans.
• Applications and data criticality analysis (Addressable): Assess the relative criticality of specific applications and data in support of other contingency plan components.

(17)

HIPAA Security Rule: Implementation Specifications Example

Standard: Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

The Security Management Process Standard has four Required Implementation Specifications:

1. Risk Analysis
2. Risk Management
3. Sanction Policy

(18)

Implementation Specifications Under the Security Management Process Standard

• Sanction policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
• Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
• Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
• Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to

(19)

Security Policies and Risk Analysis

• Risk Analysis is a required Security Rule implementation specification.
• Depending on the results from the Risk Analysis:
  o Security controls may have to be added or adjusted
  o Policies and procedures may need to be revised or drafted

(20)

Risk Analysis

• Required by the HIPAA Security Rule at 45 CFR 164.308(a)(1)
• Also a CMS Stage 1 core objective measure to achieve EHR meaningful use to qualify for EHR incentive payments
• Security risk analysis is an ongoing process
  o Regular review of records to track access and detect security incidents
  o Periodic evaluation of the effectiveness of security measures in place
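The “regular review of records to track access and detect security incidents” bullet is the Security Rule’s information system activity review in practice. The script below is an added example, not code from the presentation or from any EHR vendor: it runs two such checks over constructed ePHI access-log lines, flagging record access by workforce members after their termination date (the scenario the risk-analysis example on a later slide uses), access by accounts the HR feed does not know, and users touching an unusual number of distinct patient records in one day. The log format, user and patient identifiers, HR feed and per-day threshold are all assumptions made for illustration.

```python
"""Information system activity review over constructed ePHI access-log lines.

Added example; not code from the presentation or from any EHR vendor. The
log format, the user and patient identifiers, the HR termination feed and the
per-day threshold are all constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed access log: timestamp,user,patient record,action (one per line).
ACCESS_LOG = """\
2012-03-05T09:12:00,jsmith,P1001,view
2012-03-05T09:15:00,jsmith,P1002,view
2012-03-05T10:02:00,tjones,P1003,view
2012-03-06T08:40:00,rdoe,P1001,view
2012-03-06T08:41:00,rdoe,P1004,view
2012-03-06T08:42:00,rdoe,P1005,view
2012-03-06T08:43:00,rdoe,P1006,print
2012-03-06T08:44:00,rdoe,P1007,view
2012-03-07T11:00:00,tjones,P1003,update
2012-03-07T11:30:00,ghost,P1008,view
"""

# Constructed HR feed: user -> termination date, None for active workforce.
TERMINATIONS = {"jsmith": date(2012, 3, 4), "tjones": None, "rdoe": None}


def parse_log(text: str) -> list:
    """Parse the constructed CSV-style lines into (datetime, user, patient, action)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, patient, action))
    return rows


def access_after_termination(rows, terminations) -> list:
    """Accesses by workforce members on or after their termination date, and by
    accounts the HR feed does not know at all (orphaned or shared logins)."""
    flagged = []
    for ts, user, patient, action in rows:
        if user not in terminations:
            flagged.append(("unknown_user", user, ts.isoformat(), patient, action))
            continue
        term = terminations[user]
        if term is not None and ts.date() >= term:
            flagged.append(("terminated_user", user, ts.isoformat(), patient, action))
    return flagged


def unusual_volume(rows, max_patients_per_day: int = 4) -> list:
    """Users who touched more distinct patient records in a day than the threshold."""
    per_user_day = defaultdict(set)
    for ts, user, patient, _ in rows:
        per_user_day[(user, ts.date())].add(patient)
    return sorted((user, day.isoformat(), len(patients))
                  for (user, day), patients in per_user_day.items()
                  if len(patients) > max_patients_per_day)


def review(text: str = ACCESS_LOG, terminations=TERMINATIONS) -> dict:
    """Run both checks and return the findings for the review record."""
    rows = parse_log(text)
    return {
        "access_findings": access_after_termination(rows, terminations),
        "volume_findings": unusual_volume(rows),
    }


if __name__ == "__main__":
    for kind, findings in review().items():
        for finding in findings:
            print(kind, finding)
```

The findings list is what a reviewer would attach to the periodic review record; the threshold in `unusual_volume` is deliberately a parameter, since the right value depends on the unit’s normal workload and should come from the risk analysis rather than a fixed number.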

(21)

What is a Risk Analysis?

• Assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in all forms of electronic media
• Potential risk = the net mission impact considering:
  o Likelihood of particular threats occurring

(22)

Nine Essential Elements of Risk Analysis

1. Scope of the analysis – all ePHI created, received, maintained, or transmitted (all electronic media)
2. Data collection and documentation
3. Identify and document potential threats and vulnerabilities
4. Assess current security measures
5. Determine likelihood of threat occurrence
6. Determine potential impact of threat occurrence
7. Determine level of risk and corrective actions
8. Finalize documentation
9. Periodic review and updates to the Risk Analysis

(23)

• Entities will need to determine a method to use
• A quantitative method could be used for the Likelihood, Potential Impact and/or Level of Risk sections
• Different descriptive levels could be used - for example, Potential Impact could be low, medium, high and critical
• Other methods can be used instead

Example: Billing Department Servers

Threat | Vulnerability | Likelihood Estimate | Potential Impact | Risk Level | Corrective Actions
Flood waters impacting computer systems (facility in flood zone) | Billing department servers are located on ground floor | Low | High | High | The IS department will create redundancy offsite by [DATE]
Unauthorized access by former employees | Former employees’ access codes disabled 3 days after termination | Medium | High | High | The Billing department to develop a procedure to notify IS department of employee termination and IS will
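The example table above is steps 5 through 9 of the nine elements carried out with descriptive levels. The following is an added example, not code from the presentation, PACE Healthcare Consulting or Panacea, of keeping that table as a risk register that derives the Risk Level from the Likelihood Estimate and Potential Impact, orders corrective actions by risk, and flags entries whose periodic review is overdue. The three-level scales, the lookup matrix (an assumption chosen so that it reproduces the two rows on the slide: Low × High = High and Medium × High = High), the review interval and the third register entry are all constructed for illustration.

```python
"""Qualitative risk register in the shape of the slide's example table.

Added example; not code from the presentation, PACE Healthcare Consulting,
or Panacea. Assumptions (not on the slides): the three-level likelihood and
impact scales, the lookup matrix below (chosen so that it reproduces the
slide's two rows: Low x High = High and Medium x High = High), the review
interval, and the third, constructed register entry.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LIKELIHOOD = ("Low", "Medium", "High")
IMPACT = ("Low", "Medium", "High")
RISK_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Assumed impact-weighted matrix: RISK_MATRIX[likelihood][impact] -> risk level.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "High"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}


def risk_level(likelihood: str, impact: str) -> str:
    """Element 7 of the nine elements: derive the level of risk from the
    likelihood estimate (element 5) and potential impact (element 6)."""
    lk, im = likelihood.capitalize(), impact.capitalize()
    if lk not in LIKELIHOOD or im not in IMPACT:
        raise ValueError(f"unknown likelihood/impact: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[lk][im]


@dataclass
class RiskEntry:
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    corrective_action: str
    last_reviewed: date  # supports element 9, periodic review

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def prioritized(register: list) -> list:
    """Highest risk first, so corrective actions are scheduled in risk order.
    Python's sort is stable, so entries at the same level keep register order."""
    return sorted(register, key=lambda e: RISK_RANK[e.level], reverse=True)


def review_due(register: list, today_iso: str, interval_days: int = 365) -> list:
    """Element 9: entries whose last periodic review is older than the interval."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=interval_days)
    return [e for e in register if e.last_reviewed < cutoff]


# Constructed sample register: the slide's two rows plus one made-up row.
SAMPLE_REGISTER = [
    RiskEntry("Flood waters impacting computer systems (facility in flood zone)",
              "Billing department servers are located on ground floor",
              "Low", "High",
              "The IS department will create redundancy offsite by [DATE]",
              date(2011, 3, 1)),
    RiskEntry("Unauthorized access by former employees",
              "Former employees' access codes disabled 3 days after termination",
              "Medium", "High",
              "Billing department to develop a procedure to notify IS of employee termination",
              date(2012, 1, 15)),
    RiskEntry("Loss or theft of a laptop holding ePHI",  # constructed row
              "Field laptops store ePHI without full-disk encryption",
              "High", "High",
              "Deploy full-disk encryption to all laptops that hold ePHI",
              date(2012, 2, 1)),
]

if __name__ == "__main__":
    for entry in prioritized(SAMPLE_REGISTER):
        print(f"{entry.level:9} {entry.threat} -> {entry.corrective_action}")
    for entry in review_due(SAMPLE_REGISTER, "2012-06-01"):
        print("review overdue:", entry.threat)
```

The matrix is the part an entity has to decide for itself (the slide notes that quantitative scales or other methods are equally acceptable); keeping it as one explicit table makes the chosen method auditable, which matters because the documented method is what an OCR auditor will ask to see.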

(24)

Security Rule and Risk Analysis Tools

No set requirements for tools or methods -- additional resources:

Office for Civil Rights (OCR)
• Security Rule -- see website: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
• Risk Analysis publication: Guidance on Risk Analysis Requirements under the HIPAA Security Rule

National Institute of Standards and Technology (NIST)
• Guide to Technical Aspects of Performing Information Security Assessments
• Information Security Handbook: A Guide for Managers (Chapter 10)
• An Introductory Resource Guide for Implementing the HIPAA Security Rule (Part 3)
• Managing Risk from Information Systems (draft)
• HIPAA Security Rule Toolkit

(25)

OCR Links: Stay on Top of Recent Developments

• Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
• Privacy Rule: http://www.hhs.gov/ocr/privacy/index.html
• Sign up for the OCR Privacy and Security Listserv: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/listserv.html

(26)

One more thing . . . for hospitals

• Enforcement authority for HIPAA was shifted from CMS to OCR
  o Privacy Rule: http://www.hhs.gov/ocr/privacy/
• BUT the latest news from CMS is:
  o Revisions to the State Operations Manual
  o More details in privacy/security survey instructions
  o Link to new CMS guidance on privacy surveys: http://www.cms.hhs.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/SCLetter12_18-.pdf

(27)

CoP: Patient’s Rights

Standard: Privacy and Safety

A-0143 OLD Survey Procedures:

Conduct observations to determine if patients are provided privacy during examinations, procedures, treatments, surgery, personal hygiene activities and discussions about their health status/care and other appropriate situations. Are names posted in public view? Is patient information posted in public view? Is the hospital promoting and protecting each patient’s right to privacy?

(28)

A-0143 New Survey Procedures §482.13(c)(1)

• Conduct observations/interview patients or their representatives to determine if patients are provided reasonable privacy during examinations or treatments, personal hygiene activities and discussions about their health status/care and other appropriate situations.
• Review hospital policy and interview staff concerning their understanding of the use of patient information in the facility directory. Does the policy address the opportunity for the patient or patient’s representative to restrict or prohibit use of patient information in emergent and non-emergent situations?
• Review hospital policy and conduct observations/interview staff to determine if reasonable safeguards are used to reduce incidental disclosures of patient information.
• If audio and/or visual monitoring is utilized in the med/surg or ICU setting, conduct observations to determine that monitor screens and/or speakers are not readily visible or audible to visitors or the public.

(29)

CoP: Patient’s Rights Standard: Confidentiality of Patient Records

A-0147 OLD Survey Procedures:

Observe care units. Is patient information posted where it can be viewed by visitors or other non-hospital staff? Are medical records accessible to people not involved with the patient’s care? Is it likely that unauthorized persons could read or remove the clinical record? Are patient clinical information/records available and accessible at the bedside or in the patient’s room where people not involved in the

(30)

A-0147 Survey Procedures §482.13(d)(1)

• Verify that the hospital has policies and procedures addressing the protection of information in patients’ medical records from unauthorized disclosures.
• Observe locations where medical records are stored to determine whether appropriate safeguards are in place to protect medical record information.
• Interview staff to determine their understanding of and compliance with the hospital’s policies and procedures for protecting medical record information.

(31)

CoP: Medical Record Services

A-0441 OLD Survey Procedures §482.24(b)(3)

• Verify that only authorized persons are permitted access to records maintained by the medical records department.
• Verify that the hospital has a policy to grant patients direct access to his/her medical record if the responsible official (e.g., the MD/DO responsible for the patient’s care) determines that direct access is not likely to have an adverse effect on the patient.
• Verify that medical records and other confidential patient information are released only for patient care evaluation, utilization review, treatment, quality assurance programs, in-house educational purposes, or in accordance with Federal or State law, court orders, or subpoenas.

(32)

A-0441 New Survey Procedures §482.24(b)(3)

• Verify that policies are in place that limit access to, and disclosure of, medical records to permitted users and uses, and that require written authorization for other disclosures. Are the policies consistent with the regulatory requirements?
• Observe whether patient records are secured from unauthorized access at all times and in all locations.
• Ask the hospital to demonstrate what precautions are taken to prevent physical or electronic altering of content previously entered into a patient record, or to prevent unauthorized disposal of patient records.
• Verify that patient medical record information is released only as permitted under the hospital’s policies and procedures.
• Conduct observations and interview staff to determine what safeguards are in place or precautions are taken to prevent unauthorized persons from gaining physical access or electronic access to information in patient records.
• If the hospital uses electronic patient records, is access to patient records controlled through standard measures, such as business rules defining permitted access, passwords, etc.?
• Do the hospital’s policies and procedures provide that “original” medical records are retained, unless their release is mandated under Federal or State law, court order or subpoena? Interview staff responsible for medical records to determine if they are aware of the limitations on release of “original” medical records.

(33)

So Why is This Important Now?

Prior to the HITECH Act, under Section 1176(a) of the Act, 42 U.S.C. 1320d-5(a), the Secretary of HHS could impose civil monetary penalties:

• Any person who violates a provision of this part: a penalty of not more than $100 for each violation
• Except that the total amount for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000

(34)

So Why is This Important Now?

Effective February 18, 2009, section 13410(d) became effective to strengthen enforcement of the HIPAA rules:

• Modified Section 1176(a) establishes categories of violations that reflect increasing levels of culpability, requires that a penalty determination be based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation, and establishes tiers of increasing penalty amounts…

(35)

So Why is This Important Now?

Summary of tiers for each person – Minimum Penalties:

• (3)(A) $100 each violation, capped at $25,000/calendar year for identical violations
• (3)(B) $1,000 each violation, capped at $100,000/calendar year for identical violations
• (3)(C) $10,000 each violation, capped at $250,000/calendar year for identical violations
• (3)(D) $50,000 for each violation, capped at

(36)

What are the penalties?

• Violation that the entity did not know and, by exercising reasonable diligence, would not have known violated the law?
  o $100 minimum up to $50,000 for each violation
• Violation due to reasonable cause but not willful neglect?
  o $1,000 minimum up to $50,000 for each violation
• Willful neglect?
  o If corrected within 30 days, $10,000 minimum up to $50,000 for each violation
  o If not corrected within 30 days, $50,000 minimum per violation
• There is a $1.5 million annual aggregate cap for identical

(37)

Reasonable diligence is required to detect and correct violations within 30 days or monetary penalties apply.

What is reasonable diligence? The business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

Willful neglect results in mandatory penalties, higher if violations are not corrected within 30 days.

What is willful neglect? Conscious, intentional failure or reckless indifference to the obligation to comply (CFR 160.401).

The Secretary can waive monetary penalties if there is reasonable cause and payment would be excessive relative to the violation.

What is reasonable cause? Circumstances that would make it unreasonable for the entity to comply, despite the exercise of ordinary business care and prudence.

(38)

How are the Security Rule and the HITECH Act Different from the HIPAA Privacy Rule?

The Security Rule and the HITECH Act are specific to safeguards to protect the confidentiality, integrity and availability of electronic protected health information.

The Privacy Rule sets standards for how protected health information should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information.

Source: Federal Register/Vol. 68 No. 34

(39)

How Will This Affect Operations?

Training

• Much of the training staff receives revolves around HIPAA Privacy
• Both Privacy and Security must be defined separately
  o Part of all staff orientation
  o Can additionally be part of annual competency reviews
• The Designated Security Official must be current and receive ongoing training
• Training must include the entire workforce, not just employees (e.g., trainees, volunteers, and all others the entity has control over)

(40)

How Will This Affect Operations?

Develop Policies and Procedures (P&Ps)

Apply the Performance Improvement Process of Measuring/Auditing to ensure compliance with P&Ps:

• Periodic audit of orientation/evaluations for proof of training and understanding
• Audit through rounding by adding simple HIPAA Security questions to existing rounding tools
• Develop questions directly from policies that relate to staff. For example:
  o Have you changed your password according to policy?
  o Do you have administrative rights at your local computer?
  o Observe privacy and security on the units – can you easily view patient names on screens, what do signs on the patient doors say . . . (look at the new CMS CoP guidance)

(41)

How Will This Affect Operations?

Develop Key Performance Indicators (KPIs) for the Facility and each Department for HIPAA Security

• Report KPIs on a regular, consistent basis
• Make part of the compliance report to the Compliance Committee and Governing Board

Develop and implement ongoing risk assessment and risk management for security of PHI

Include self audits of HIPAA requirements, accreditation requirements, and CoPs (based on the new CMS

(42)

Sample Checklist

This is a small snapshot of a 3+ page assessment developed with Mulholland Information Security, LLC

(43)
(44)

Summary

• Get Prepared Now Before Audits are Expanded
• Audit Yourself for Compliance and Act Accordingly
• Perform ongoing Risk Analysis and Risk Management
• Make a Part of Your Operations and Measure Compliance

(45)

THANK YOU FOR

ATTENDING

References
