CHIEF AUDIT EXECUTIVE (CAE) PANEL DISCUSSION
AHIA 31st Annual Conference – August 26-29, 2012 – Philadelphia, PA
www.ahia.org
Panel – Discussion Topics and Leaders
• Leveraging and Aligning Internal Audit Resources: Dan Pantera, Vice President, Audit, Compliance & Privacy, The Methodist Hospital System, Houston, Texas
• Types of Risks & Readiness Assessments: Deborah Mendel, Vice President, Internal Audit, MedStar Health, Baltimore, Maryland
• Value Added IT and HIPAA Security Audits: Ron Skillens, Vice President, Compliance & Internal Audit, Children’s Medical Center, Dallas, Texas
• Internal Audits – Attorney-Client Privilege Considerations: Debi Weatherford, Executive Director, Internal Audit, Piedmont Healthcare, Atlanta, Georgia
CAE PANEL DISCUSSION
DANIEL W. PANTERA, CPA, CIA, CHC, MACC
VICE PRESIDENT, INTERNAL AUDIT, COMPLIANCE & PRIVACY
THE METHODIST HOSPITAL SYSTEM
Leveraging Internal Audit Resources
The Methodist Hospital System
About Methodist
• A leading Academic Medical Center located in the Texas Medical Center.
Size of Methodist Operations
• 5 Hospitals
• $2.4B Net Revenue
• 13,867 employees
Scope of my responsibilities
• Internal Audit
• Corporate Compliance
• HIPAA Privacy
What has changed?
“Even on top of significant implications of healthcare reform, your organization is challenged by economic pressures, increased regulatory requirements, and constantly advancing information and communication technologies. Is your Internal Audit function positioned to see your organization through this transition?”
Source: Deloitte 2011 Vital Signs: Leveraging Internal Audit to monitor, and succeed in, the changing healthcare environment.
Why Align? – Stakeholder Expectations
Source: PWC 2012: State of the Internal Audit Profession
Where should Internal Audit be leveraged?
• Regulatory Compliance
• Meaningful Use
• ICD-10
• Data Privacy & Security
• Physician Arrangements
• Cost Controls
• Information Technology
• Enterprise Risk Management
Source: Deloitte 2011 Whitepaper: Leveraging Internal Audit to monitor, and succeed in, the changing healthcare industry
Meaningful Use – Internal Audit’s Role
• Steering Committee
• Attestation Readiness – independent verifier
• HIPAA Security Risk Assessment
• OIG Audit Preparation
• Document retention
Source: 2012 AHIA & PWC Whitepaper: Meaningful Use Risks – Internal Audit Assessment and Response
Patient Privacy & Security
• Encryption
• Access Controls
• Business Associates
• Health Information Exchange
• Mobile Devices
• Audit Readiness
Sources: PWC 2012: State of the Internal Audit Profession; KPMG
Physician Arrangements
• Contract Management & Compliance
• Employment agreements
• Bonus calculations
• Private Physician Payments: written agreement, FMV determination
• Non-monetary Compensation: Stark Log Reporting ($373), Incidental Benefits (< $31)
• Conflicts of Interest
Cost Control
• Contract Audits
• Construction Audits
• Accounts Payable
• Supply Chain
• Labor productivity & benchmarking
References
• PWC 2012, State of the Internal Audit Profession. http://www.pwc.com/en_US/us/risk-assurance-services/internal-audit/publications/assets/pwc-2012-state-of-internal-audit-survey.pdf
• Deloitte 2011, Leveraging Internal Audit to monitor, and succeed in, the changing healthcare industry.
• AHIA & PWC, June 2012, Meaningful Use Risks – Internal Audit Assessment and Response. http://www.ahia.org/audit_library/resources/MeaningfulUseWhitePaper05302012FINAL.pdf
• PWC 2012, Old data learns new tricks: Managing patient security and privacy on a new data-sharing playground. http://pwchealth.com/cgi-local/hregister.cgi/reg/old-data-learns-new-tricks.pdf
CAE PANEL DISCUSSION
DEBORAH L. MENDEL, CPA, CIA, CHFP, CICA, CRMA
VICE PRESIDENT, INTERNAL AUDIT
MEDSTAR HEALTH
Types of Risk and Readiness Assessments
MedStar Health
About MedStar
• Largest regional healthcare system in the Maryland and Washington DC area.
Size of MedStar Operations
• 9 Hospitals
• 20 Other Health-Related Businesses
• $4.0B+ Net Operating Revenue
• 27,000+ Employees
Scope of my responsibilities
• Internal Audit
• Enterprise Risk Management Coordination
Types of Risk/Readiness Assessments
• Annual Assessment to Establish Audit Plan
• Risk-Based Audit Approach
• Enterprise Risk Management
• HIPAA Security
• Payment Card Industry
• 340B Drug Enforcement
• Meaningful Use
• ICD-10
Annual Risk Assessment
Purpose
Establish a risk-based plan to determine the priorities of Internal Audit, consistent with the organization's goals.
Key Sources/Areas to Consider
• Organization’s goals, strategies and tactical initiatives
• External and Regulatory Risks
• Enterprise Risk Management Activities – “Organization's Risk Universe”
• Information Technology Risks
• Fraud Risks
• Compliance/OIG Work Plan
• Input from Senior Management and the Board/Audit Committee
Risk-Based Audit Approach
Purpose
Establish the audit objective and scope based on the assessment of risk for the department/process to be reviewed.
Focus on areas that are relevant and of value to your client.
Key Sources/Areas to Consider
• Department/function’s goals and objectives and related risk awareness
• Processes and control activities
• Monitoring activities
• Information Technology Risks
• Fraud Risks
Enterprise Risk Management Risk Assessment
Purpose
Conduct a thorough assessment of the risks that face the operations of the Internal Audit, and develop management plans to mitigate those risks.
Used a framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) for the Internal Environment.
Key Sources/Areas to Consider
• Situation Analysis
• Risks
• Gaps
• Mitigation Strategies
• Reporting
• Monitoring
HIPAA Security Readiness Assessment
Purpose
Assess whether IS Management has properly prepared to meet its HIPAA compliance responsibility according to the criteria established by the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR).
Key Sources/Areas to Consider
• Risk Assessment
• User Access Provisioning
• User Activity Monitoring
• Authentication/Integrity
• Incident Response
• Contingency Planning
• Media Reuse and Destruction
• Physical Access Controls
• Encryption
OCR Audit Approach: http://ocrnotifications.hhs.gov/hipaa.html
HIPAA Security Readiness Assessment
HIPAA Security Audit Readiness Worksheet
Columns: HIPAA Security Rule Standards Detail | Functional Audit Scope | How to Audit the Standards

Functional Audit Scope: Business Associate Oversight
  Standards: Business Associate Contracts and Other Arrangements (§ 164.308(b)(1), § 164.314(a)(1))
  How to Audit: Identification of Critical Vendors, Vendor Due Diligence, and Documentation Review

Functional Audit Scope: Business Continuity
  Standards: Contingency Plan (§ 164.308(a)(7)); Access Control (§ 164.312(a)(1))
  How to Audit: Data Backup, Disaster Recovery, and Business Impact Analysis

Functional Audit Scope: Data Security
  Standards: Information Access Management (§ 164.308(a)(4)); Device and Media Controls (§ 164.310(d)(1)); Integrity (§ 164.312(c)(1))
  How to Audit: EPHI Disposal, Storage, and Transmission

Functional Audit Scope: Information Security Program
  Standards: Security Management Process (§ 164.308(a)(1)); Assigned Security Responsibility (§ 164.308(a)(2)); Security Incident Procedures (§ 164.308(a)(6)); Evaluation (§ 164.308(a)(8)); Audit Controls (§ 164.312(b)); Policies and Procedures (§ 164.316(a)); Documentation (§ 164.316(b)(1))
  How to Audit: Risk Management and Incident Detection and Response

Functional Audit Scope: Network Analysis
  Standards: Access Control (§ 164.312(a)(1)); Audit Controls (§ 164.312(b)); Integrity (§ 164.312(c)(1)); Transmission Security (§ 164.312(e)(1))
  How to Audit: Architecture, Access Control, Device Management, and Event Management

Functional Audit Scope: Personnel Security
  Standards: Workforce Security (§ 164.308(a)(3)); Security Awareness and Training (§ 164.308(a)(5))
  How to Audit: Hiring Processes, Security Awareness, and Security Training

Functional Audit Scope: Physical Security
  Standards: Facility Access Controls (§ 164.310(a)(1)); Workstation Use (§ 164.310(b)); Workstation Security (§ 164.310(c))
  How to Audit: Data Center, Facilities, and Environmental Concerns

Functional Audit Scope: Systems Analysis
  Standards: Access Control (§ 164.312(a)(1)); Audit Controls (§ 164.312(b)); Integrity (§ 164.312(c)(1)); Person or Entity Authentication (§ 164.312(d))
  How to Audit: Patching, System Hardening, Anti-Virus, Upgrade Procedures, System Access, Logging, Password Policies, and Account Lockouts
Payment Card Industry Readiness Assessment
Purpose
Assess the receipt of credit card payments and the associated controls that align with the 12 PCI DSS requirements.
Columns: Overall Requirement | Description of Requirement

Build and Maintain a Secure Network
• A firewall configuration to protect cardholder data is installed and maintained.
• Vendor-supplied defaults for system passwords and other security parameters are not used.

Protect Cardholder Data
• Stored cardholder data is protected.
• Transmission of cardholder data across open, public networks is encrypted.

Maintain a Vulnerability Management Program
• Anti-virus software is used and regularly updated.
• Secure systems and applications are developed and maintained.

Implement Strong Access Control Measures
• Access to cardholder data is restricted by business need-to-know.
• A unique ID is assigned to each person with computer access.
• Physical access to cardholder data is restricted.

Regularly Monitor and Test Networks
• All access to network resources and cardholder data is tracked and monitored.
• Security systems and processes are regularly tested.

Maintain an Information Security Policy
• A policy that addresses information security is maintained.
Payment Card Industry Readiness Assessment
Key Sources/Areas to Consider
• Requires both IS and Operational ownership and accountability
• Need an inventory of front-end operational processes that employ cardholder data
• Need an inventory of all applications and systems that transmit and/or store cardholder data
• System-wide policies and procedures that address PCI requirements

Readiness worksheet template columns: Requirement | Description | Examples of Required Controls or Documentation | Controls and Processes Identified by IA | Risk Ranking | IA Recommendation
Sample row: Protect stored cardholder data – Primary Account Numbers are masked if stored.
Payment Card Industry Readiness Assessment
Practical Tips: What You Can Do Better
• Store less data
• Understand the flow of data
• Encrypt data
• Address application and network vulnerabilities
• Improve security awareness and training
• Monitor systems for intrusions and anomalies
• Segment and control access to credit card networks
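The worksheet row above ("Primary Account Numbers are masked if stored") and the tips "Store less data" and "Understand the flow of data" all come down to a question the auditor has to answer with evidence: which stored fields still hold a full PAN? The following Python script is an added example, not part of the presentation or of any panelist's work. It scans a constructed inventory of sample records (synthetic, Luhn-valid test numbers only; the system and field names are assumptions), keeps only digit runs that pass the Luhn check so that invoice and reference numbers are not flagged, and reports each offending field with the PAN in the usual first-six/last-four masked form, ready to be entered in the "Controls and Processes Identified by IA" column.

```python
import re
from collections import Counter

# Constructed sample records: synthetic, Luhn-valid test numbers only, no real
# card data. They stand in for the inventory of applications and fields that
# an internal auditor compiles when asking where cardholder data is stored.
SAMPLE_RECORDS = [
    {"system": "patient-portal-db", "field": "payment_note",
     "value": "Paid by card 4111111111111111 on 2012-08-01"},
    {"system": "patient-portal-db", "field": "card_display",
     "value": "411111******1111"},            # already masked: compliant
    {"system": "scheduling-app", "field": "comment",
     "value": "No card on file"},
    {"system": "billing-export", "field": "pan",
     "value": "5500 0000 0000 0004"},          # separators must not hide a PAN
    {"system": "billing-export", "field": "ref",
     "value": "Invoice 1234567890123456"},     # 16 digits but fails Luhn
]

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check; filters out invoice numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual masking convention)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(records):
    """Return one finding per stored field that holds a full, Luhn-valid PAN."""
    findings = []
    for rec in records:
        for match in PAN_CANDIDATE.finditer(rec["value"]):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"system": rec["system"],
                                 "field": rec["field"],
                                 "masked": mask_pan(digits)})
    return findings


def summarize_by_system(findings):
    """Count of unmasked-PAN findings per system, for the readiness worksheet."""
    return dict(Counter(f["system"] for f in findings))


if __name__ == "__main__":
    found = find_unmasked_pans(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['system']}.{f['field']}: full PAN stored ({f['masked']})")
    print(summarize_by_system(found))
```

Run as-is it reports the portal note field and the billing export's pan field and leaves the masked display value and the invoice number alone; pointing `SAMPLE_RECORDS` at a real export of the in-scope systems turns the "Need an inventory" bullets into a repeatable check rather than an interview question.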
340B Drug Program Enforcement
Why is this a HOT TOPIC?
• A September 2011 GAO report concluded that the Health Resources and Services Administration’s (HRSA) oversight of the 340B program was inadequate to provide reasonable assurance that covered entities and drug manufacturers are in compliance with program requirements
• Congressional concern
• Audits began February 2012
340B Drug Program Enforcement
Background
• Pharmaceutical manufacturers agree to provide front-end discounts on covered outpatient drugs purchased by specified government-supported facilities, called "covered entities," that serve the nation's most vulnerable patient populations.
• “Covered entities" include disproportionate share hospitals (DSH) with a DSH adjustment percentage greater than 11.75%.
Purpose
• Assess the entity's eligibility to participate in the 340B program;
• Assess whether the participant has sold or diverted 340B covered drugs to persons who are not eligible patients; and
• Assess whether participants have the proper controls in place to prevent and detect instances of diversion and duplicate discounts.
340B Drug Program Enforcement
Key Sources/Areas to Consider
• Initial and continued eligibility of entity
• Eligibility of patients, drugs and drug purchases
• Documentation of 340B drug dispensation
• Record retention
• Reconciliation of quantities ordered to quantities used by 340B patients
• Related policies and procedures
• Staff training and education
Meaningful Use Readiness Assessment
Core and Menu Objectives
Purpose
Assess workflows to attain core and select menu set objectives.
Key Sources/Areas to Consider
• Interpretation for each measure
• Workflow redesign
• System capabilities
• Training and education
• Reporting
Meaningful Use Readiness Assessment
Core and Menu Objectives
Core and Menu Set Risk Assessment Template
Columns: Hospital Objective | Risk Rating
Core Objectives
• Computerized physician order entry – Low
• Drug and drug-allergy interaction checks – Moderate
• Maintain active medication list – High
ICD-10 Readiness Assessment
Purpose
Assess whether the organization is properly preparing to meet ICD-10 compliance.
Key Sources/Areas to Consider
• Project Governance
• Training
• System Remediation
• Staffing
• Communication
• Project Plan
ICD-10 Project Team
• ICD-10 Executive Steering Committee
• Physician Advisors
• ICD-10 Program Director
Workgroups:
• Hospital Billing, Payor Readiness, Patient Access Adoption Workgroup
• Physician/Clinician Adoption Workgroup
• IT and Integration
• Education & Training
• HIM & Coding
• Practice & Specialty Billing
• Finance, Reimbursement, Managed Care, Compliance
• EMR
CAE PANEL DISCUSSION
RON SKILLENS
VICE PRESIDENT, COMPLIANCE AND INTERNAL AUDIT
CHILDREN’S MEDICAL CENTER DALLAS
Value Added IT & HIPAA Security Audits
Children’s Medical Center Dallas
About Children’s
• A leading pediatric academic medical center located in the Dallas Medical District
Size of Children’s Operations
• 2 Hospitals, Surgical Center, 9 Primary Care Clinics, 2 Physician Corporations
• $1B+ Net Operating Revenue
• 5000+ Employees
Scope of my responsibilities
• Internal Audit
• Corporate Compliance
• HIPAA Privacy & Security
Strategic Project Selections…
• Contracts and Vendor Management Monitoring
• Mergers, Acquisitions and Divestitures (M&A)
• Business Expansions & Contractions
• Technology P&L reviews
• Technology Fixed Asset Reviews
• IT Organizational Structure
• Outsourcing Considerations
• Major Application Development Efforts
Insightful Scope Determinations…
• Penetration Testing
• Computer Operations
• Phone Bill Reviews
• Data Center Reviews
• Application Security Reviews
• Change Management Reviews
• Disaster Recovery Review
• End User Assets (HW & SW)
• Policy Reviews
And never failing to communicate.
Market the Internal Audit function to IT
• Communicate plans, risks, projects, status, results, etc.
• Ask to participate in standing IT meetings
• Have a monthly/quarterly update with your CIO
Are you secure with HIPAA?
HIPAA Security Considerations
• OCR Audit Protocol
• Risk Assessment
• Encryption of email and mobile devices
• Centralized Logging
• Social Networking
• Patch Management
• Access Control
OCR Security Pilot Findings
• 65% of findings relate to security
• Top security findings included user/activity monitoring, contingency planning, authentication/integrity, and media reuse/destruction
• Many findings were with small providers, but large entities had security findings too
• OCR recommends:
  • Conducting robust reviews and risk assessments
  • Map the flow of PHI internally and externally
  • Identify/Find all of your PHI
  • See guidance on the OCR website
Source: Health and Human Services Office of Civil Rights presentation titled 2012 HIPAA Privacy and Security Audits by Linda Sanches, OCR Senior Advisor
CAE PANEL DISCUSSION
DEBI WEATHERFORD
EXECUTIVE DIRECTOR, INTERNAL AUDIT
PIEDMONT HEALTHCARE
Attorney Client Privilege (ACP) Considerations
About Piedmont Healthcare
• 1.6 billion dollar health system
• 5 hospitals
• Physician clinics
• Heart Institute
• Philanthropy
• Insurance company
ACP Policy & Procedure Considerations
• Invoking the attorney-client privilege
• Notification of appropriate personnel
• Communication protocols
• E-mail guidelines
• Document guidelines
• Working paper documentation
• Reporting
ACP Policy & Procedure Considerations (continued)
• Granting access to engagement records
• Education of board and management
*** Review IIA Practice Advisory 2330.A1-2
ACP Auditing Challenges
• Audit work conducted before ACP invoked
• Audit work conducted under ACP
• Coordinated effort between Compliance, Legal and Internal Audit
• Concurrent versus retrospective reviews
• Sampling
Thank You!
• Dan Pantera, Vice President, Audit, Compliance & Privacy, The Methodist Hospital System, Houston, Texas – [email protected]
• Deborah Mendel, Vice President, Internal Audit, MedStar Health, Baltimore, Maryland – [email protected]
• Ron Skillens, Vice President, Compliance & Internal Audit, Children’s Medical Center, Dallas, Texas – [email protected]
• Debi Weatherford, Executive Director, Internal Audit, Piedmont Healthcare, Atlanta, Georgia – [email protected]