
WHITE PAPER

The HIPAA Omnibus Final Rule

Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization’s reputation.

By Virginia B. Sizemore, CHC, CIA, MBA

August 2014


Background

According to global consulting firm PricewaterhouseCoopers (PwC), “Of the 11 million people affected by a data breach since September 2009, 55 percent were affected by a data breach involving business associates.”

With regulatory agencies placing a renewed focus on security and compliance, it’s worth noting that the total cost of managing a data breach can be very significant—including potentially large fines, class-action lawsuits, wasted staff and executive time, as well as long-term damage to the hospital’s reputation with patients, bondholders, self-insured companies and the general public. It is the hospital that suffers the damage to its reputation, even if a BA or one of the BA’s subcontractors was entirely responsible for the data breach.

Further compounding the problem, hospitals and their BAs are increasingly targets of criminal cyber-attacks because of the high value information health records contain, which can include everything from Social Security numbers and birthdates to personal payment information to health insurance identification numbers. According to the 2014 Healthcare Information Security Today survey of approximately 200 respondents from healthcare organizations, 11 percent reported having a hacker-related breach in 2013.

One of the major challenges hospitals face is simply identifying all of their vendors who are actually BAs. Since the Omnibus Rule greatly expands the definition of companies that qualify as BAs, it’s easy for a medium- to large-sized hospital to miss a large number of vendors who should be classified as a BA and have the required Business Associate Agreement (BAA) in place.

Many hospitals are not able to identify and vet all of their vendors because there isn’t a single all-inclusive file containing their entire vendor population. Instead, there are separate unique vendor files across the organization. There are also many new vendors that qualify as a BA due to the expanded BA definition and because of advancements in product and service technology that change the electronic Protected Health Information (ePHI) relationship. As a result, hospitals typically miss hundreds, sometimes thousands, of vendors who are actually BAs.

Also commonly overlooked are physician practices and other providers owned by the hospital. They typically have a separate vendor list that must also be assessed for BA risk. Without some automated way of identifying, querying and tracking a hospital’s entire vendor list – and conducting automated follow up – a typical hospital system might “miss” approximately 30 percent to 40 percent of vendors who are actually BAs. The consequences of not identifying all BAs can be devastating for a hospital if one of those vendors is ultimately found to be responsible for a HIPAA violation.

New HIPAA rules get serious about data security and business associate (BA) oversight; what you can do now to ensure compliance

A 2013 study authored by the Ponemon Institute, titled “The Economic and Productivity Impact of IT Security on Healthcare,” noted that “Sixty-three percent of survey respondents say their organization experienced a data breach which required notification in the past 24 months. Other data from Ponemon suggests that the cost of one data breach, with just a few thousand records compromised, can have an economic impact of $404,200.”

Impact of the HIPAA Omnibus Final Rule

In a recent article in Becker’s Hospital Review, titled “HIPAA Omnibus Rule Demands Attention by Hospital Compliance and Supply Chain Leaders,” industry expert Mike Paris notes,

“Oversight is required with real demonstration of a comprehensive process including the documentation of the oversight policy and the actions taken.”

The Final Rule expanded the definition of “business associate” to include not only those who “create, receive, maintain or transmit” PHI, but also anyone who “maintains” PHI on behalf of a covered entity, as well as subcontractors of business associates who have access to PHI. Hospital executives must now identify and document their BAs under this new definition, and business associates must do the same for their subcontractors. BAs are now responsible for complying with the rules governing the use and disclosure of PHI, breach notification policies, providing PHI upon request and responding to requests by the Department of Health and Human Services (HHS) regarding investigations and new security provisions.

BAs must create their own set of policies and procedures for their subcontractors in order to comply with these rules.

Four Risk Exposure Events

There are four significant risk exposure events that hospitals and health systems need to be aware of and actively plan for. These include audits by three federal agencies: the Office for Civil Rights (OCR), the Office of Inspector General (OIG) and the Centers for Medicare & Medicaid Services (CMS). In addition, hospitals have to be concerned about the increasing number of data breaches, which will trigger an OCR investigation and – depending on the size and nature of the breach – can lead to significant financial penalties and further investigation by both federal and state agencies.

1. 2014 OCR AUDITS

The 2014 OCR audits will primarily focus on whether covered entities and BAs have conducted timely and thorough security risk assessments. Hospitals must have complete and accurate documentation showing that their BAs both understand and have implemented a range of risk assessment and analysis procedures, administrative safeguards, physical safeguards, technical safeguards as well as other data breach policies, such as those dealing with training programs and breach notification procedures. The OCR has indicated that audits will place considerable scrutiny on BAs for compliance. As previously noted, all subcontractors of BAs who deal with PHI must also follow HIPAA security rules. Provider organizations must ensure that appropriate agreements are in place between BAs and their subcontractors and are updated as necessary.

The overall auditing process will be revised to reflect the Final Omnibus Rule changes that went into effect in September of 2013 and September 2014. The OCR will be assessing more civil penalties during the 2014 audit series because it has approval to collect financial penalties that will be used for upcoming auditing and breach analysis – meaning hospitals and business associates should be ready and prepared for these audits to avoid OCR enforcement fines and penalties.

“Covered entities (healthcare providers, health systems and clearing houses) need to examine their vendor relationships and take the necessary steps to guarantee that their business partners are doing everything they can to protect PHI. This includes not only completing a business associate agreement, but requesting and obtaining the HIPAA training policy, proof of employee training, HIPAA breach policy, HIPAA data and materials destruction policy and other relevant policies and procedures.”

– Mike Paris

The OIG will conduct audits of cloud-based service providers and other downstream service providers to assure compliance with regulatory and contractual agreements. Inadequately protecting HIPAA data from potential breach or failure to conduct appropriate security risk analysis are two of the primary reasons hospitals fail audits, according to preliminary data from CMS.

2. THE 2014 OIG WORK PLAN AND CMS AUDITS, TWO RISK EXPOSURE EVENTS

The 2014 OIG Work Plan includes Meaningful Use (MU) Stage 1 incentive payment audits and auditing of HIPAA data security. CMS will also conduct essentially the same MU audits. The MU audit focuses on HIPAA data privacy and security risk analysis of certified EHR technology, including oversight of business associates. The OIG will also be evaluating security measures taken to protect the growing number of electronic patient records, noting that business associate subcontractors are playing an increasing role in transmitting, storing, and processing of electronic medical records.

If a business associate subcontracts all or part of its function requiring access or use of PHI to another organization, that subcontractor is also subject to HIPAA. There must be a HIPAA-compliant BAA that specifically addresses security issues between the business associate and its subcontractor. CMS has issued the following guidance regarding MU:

• Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Under the HIPAA Security Rule, you are required to implement policies and procedures to prevent, detect, contain, and correct security violations (45 CFR 164.308).

OCR, CMS compliance audits increasing in frequency and can be extremely demanding

One of the most common problem areas has been noncompliance with the requirement that providers regularly perform and fully document risk assessments for HIPAA compliance. Hospitals should conduct risk assessments and evaluate their current compliance with the HIPAA regulations. A system-wide analysis should be undertaken to identify any areas that might be out of compliance. The analysis should focus on ensuring proper and complete documentation of policies and procedures as well as employee training. Based on the results of the internal risk assessment, a detailed mitigation plan and strategy should be developed to address all the areas of risk identified within the organization. It should be noted that all providers receiving incentive funds are subject to audit and that a single deficiency in meeting a required MU measure will result in a finding of noncompliance, and CMS will move to recoup the entire incentive payment.

3. A HIPAA DATA BREACH

A HIPAA data breach, which must be reported to OCR, may result in an investigation based on the size of the breach and/or its circumstances. That investigation will typically occur with only 20 days’ notice.

The same is true if a patient files a complaint, which will also trigger an investigation; however, in this case the covered entity is unaware of the report until notified by OCR and has even less time to prepare.

4. OCR FINANCIAL PENALTIES CAN BE SIGNIFICANT

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the e-PHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. The combined monetary penalty of $4.8 million represents the largest HIPAA settlement to date.

“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

NYP has paid OCR a monetary settlement of $3.3 million and CU $1.5 million, with both entities agreeing to a substantive Corrective Action Plan (CAP), which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing monthly progress reports to the OCR.

The HHS “Wall of Shame”

A total of 1,026 breaches that affected 500 or more individuals are now posted on the Department of Health and Human Services’ “wall of shame” website. A total of 32 million patient records have been affected, not including the 116,000 breaches involving the records of fewer than 500 individuals.

The Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security notes that “Healthcare organizations are increasingly reliant on business associates for IT services, claims processing, benefits management and other services, yet 40 percent of the organizations surveyed are not confident that their business associates would be able to properly detect and report a data breach, and only 30 percent of organizations are confident their business associates are appropriately safeguarding patient data as required under the HIPAA.”

What Healthcare Executives Can Do Now to Avoid Risk Exposure Events

It is virtually impossible to be ready for an audit if policies and procedures have not been updated to be in compliance. Start preparing now.

Focus on creating alignment across organizational functions such as clinical and IT, accounts payable, supply chain, legal and compliance in preparation for HIPAA regulatory initiatives. Put in place systems to maintain visibility of contracts throughout the approval process and vendor validation, effectively managing negotiations and document workflow. Develop one source of vendor data for all downstream processes and authenticate all vendors for OIG compliance. This gives organizations the ability to identify and manage BAs as required by HIPAA and to source potential vendors from a pre-screened population. With a comprehensive vendor management program, policies can be enforced such that BAs are not paid and contracts are not renewed unless BAA compliance can be confirmed.

Cross-functional alignment facilitates the oversight of tasks across the entire duration of managing and optimizing the BA management process by:

• Simplifying the process for vendors to submit required company data, documents, and correct contacts by topic and responsibility, which will expedite the process to respond to BA assessments and oversight surveys.

• Establishing and maintaining a single all-inclusive vendor master file to feed downstream workflow and systems.

• Capturing accounts payable (AP) onboarding data, including BA designation.

• Organizing and making all vendor documents accessible to cross-functional staff.

• Determining which vendors are BAs, then updating policies and procedures to reflect the new, high-risk landscape of the HIPAA Omnibus Final Rule. This process includes gaining “satisfactory assurances” from business associates regarding oversight and compliance of themselves and their subcontractors.

• Assessing all BAs for risk. The new definition of business associates now includes many more categories of vendors, and because of technology advancements some are higher-risk BAs. The BA agreement should clearly define how a business associate will report and respond to a data breach, including data breaches caused by a BA’s subcontractors.

• Ensuring BAAs require a business associate to document how it will respond to an OCR investigation or audit.

• Reviewing and amending BAAs that were in place before January 25, 2013 by September 24, 2014 to be in compliance.

• Implementing a well-defined and thorough process for vetting vendors. Best practices in vendor management include having a system to register and authenticate vendors for OIG sanction checks and BA risk assessment. This aspect of vendor management not only adds appropriate controls but also impacts many other activities downstream.

• Implementing the hospital’s own security audit of its BAs. BAs should be monitored on a regular basis to ensure proper data and risk management.

There are multiple modifications and clarifications that are critical in defining who qualifies as a business associate.

Since most hospitals have hundreds, if not thousands, of business associates, it makes sense to seek out a single software platform to help identify those BAs and enable all of these tasks.

Meeting the new requirements demands cross-functional vendor management processes and systems. A software solution that provides screening, tracking and cross-department collaboration can greatly speed up the process of achieving HIPAA compliance.

Complying with the HIPAA Omnibus Final Rule will present a financial and IT resource challenge for many hospitals. However, with the increasing likelihood of audits, the higher costs related to data breaches and the potential damage to an organization’s reputation, the investments in compliance and security will far outweigh the extremely high cost of inaction. In an odd dichotomy, while technology may be part of the problem, it can also be leveraged as part of the solution.

Software solutions can greatly facilitate the speed, effectiveness and collaboration required to identify, manage, track, verify and communicate with large numbers of BAs and all of their subcontractor relationships. Healthcare executives who take a strategic, cross-functional planning approach and leverage existing software solutions for compliance and streamlined vendor management will ultimately lower costs and protect the integrity of their organization’s reputation.

About the Author

Virginia Sizemore is a healthcare administration professional with over 26 years of experience in the field. She has served in a variety of roles, including regulatory compliance, internal audit, training and development, financial planning, revenue cycle, data analytics and cost accounting. Ms. Sizemore holds a Bachelor of Science in Accounting degree from Christopher Newport University and a Master of Business Administration degree from Valdosta State University. She is currently a doctoral candidate pursuing a Doctor of Public Administration degree with a concentration in Healthcare Policy from Valdosta State University. Ms. Sizemore is certified in Healthcare Compliance (CHC) and is a Certified Internal Auditor (CIA).

About Vendormate

Founded in 2005, Vendormate helps healthcare providers and suppliers form and optimize their business relationships with simplified and streamlined processes. Vendormate’s unique relationship with more than 2,000 healthcare facilities and 68,000 vendors across the U.S. creates a vast vendor information network that integrates with all Vendormate services. Vendormate’s Procurement Cycle Management platform offers providers a holistic approach to vendor management with solutions for sourcing, contracting, onboarding, business associate management and representative credentialing. Our solutions for healthcare suppliers simplify compliance to provider requirements with reporting, document management and consulting services. In addition, suppliers can improve the effectiveness of sales and marketing dollars utilizing our sourcing solution to attract more customers in less time.

© 2015 Vendormate, Incorporated. All rights reserved. Vendormate is a registered service mark of Vendormate, Incorporated.

Designated service marks, trademarks and brands are the property of Vendormate, Incorporated. E–MKT–002–0515
