TRANSCRIPT
Welcome to the Healthcare & Life Sciences Institute Webcast
Impact of HIPAA Changes – Are You Prepared?
Monday, March 25, 2013, 2:00 – 3:00 p.m. ET
Help Desk Hotline: 1-877-398-1471 (Outside the U.S.: +1-954-969-3342)
Administrative
Today’s Presentation – Go to “Supporting Materials” link on screen: Download a copy of today’s presentation in color or black & white
CPE regulations require that online participants take part in online questions. You must respond to a minimum of 4 questions per 50 minutes.
Polling questions will appear on your media player
Results will be reviewed in the aggregate; no responses will be tracked back to any individual or organization.
Do not view the presentation on slide show mode – polling questions will not appear
To ask a question, use the “Ask A Question” icon on your media player – type your question – click “submit”. Help Desk: 1-877-398-1471 or, outside the United States, 1-954-969-3342.
© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 160179_NSS
With Us Today
Michael Ebert, Partner, KPMG LLP
Jutta Williams, Director, Corporate Compliance Privacy Office, Intermountain Healthcare
Today’s Discussion
• Where we are today
• HIPAA Privacy, Security and Breach Notification
• Omnibus Update with impacts and actions to your organization
• A year of OCR Compliance Audits – Lessons Learned & Impacts these lessons have on compliance to HIPAA and the Omnibus provisions
• Industry View – Intermountain Healthcare dealing with HIPAA and the Omnibus
• Summary
• Action Steps
• Q&A
Summary – Where We Are To Date / How We Got There
HIPAA Privacy and Security rolls out starting in 1998 over an 8 year period and gains new teeth from 2009 to 2013. Immediate rush to compliance with little to no enforcement in the beginning.
Congress steps up heat on HHS on enforcement of privacy rights
Congress passes HiTech and fixes holes in HIPAA
Health and Human Services (HHS) responds by moving Security from CMS to Office for Civil Rights (OCR)
Breach Notification Rules are produced
OCR Compliance Audit Program is rolled out
Omnibus rule updating HIPAA is published
Activities to date: New Director of OCR with a strong track record for enforcement
OCR, with the power of the Breach Rule, increases enforcement
HIPAA Privacy, Security and Breach Notification
Omnibus Impacts
The Omnibus – Summary
Adds a great deal of complexity to Privacy Management
Renewed emphasis on your training programs
Understanding and applying all of the new opt-out and right-to-restrict provisions covering use of Protected Health Information (PHI) for fund raising, marketing, research and disclosure of PHI to Health Plans (self pay).
Request for medical records by an individual in ANY form they choose, provided PHI is “readily producible” in that form.
Presumption by OCR that your existing systems and processes can support the above as well as other requirements for permitted uses and disclosures.
Multi-opt ins/outs will require a different presentation of your Notice of Privacy Practices (NPP), including a better effort of communication of individual rights to a patient.
The Omnibus – Summary – Business Associates
Business Associates (BA): Need to modify your BA agreements no later than Sept 2014, but you may want to put forth the effort to move them all to an updated BAA by September 2013 (grandfathered).
Definition of BA changed: create, receive, maintain or transmit protected health information in the course of performing functions on behalf of a covered entity.
Business Associates need to comply with ALL of the Security Rule and the use or disclosure limitations of the Privacy Rule, as well as extended requirements in the Breach Notification Rule.
If a relationship is deemed to be an agency relationship, the Covered Entity's (CE) responsibility for the BA and for a breach increases.
Downstream risk liability imposed
– Subcontractors of a BA are now defined as a BA
Third Party risk programs should be adopted by ALL CEs: must gain documented “satisfactory assurances”.
Contracting with BA’s will be more complex as BA’s push to defined limitation of PHI exchange and true responsibility in the management of any elements of PHI.
De-identification or partial de-identification will be and should be a part of all BA discussions.
Breach and Notifications
Eliminated the “harm threshold”: “Significant risks of reputational, financial or other harm” is no longer the measurement for breach reporting.
Now, impermissible use/disclosure of (unsecured) PHI is presumed to require notification, unless a covered entity can demonstrate a low risk of harm using a risk analysis.
The Risk analysis must now include:
– The nature and extent of PHI involved
– The unauthorized person who used the PHI or had access
– Whether PHI was actually acquired or viewed
– The extent risk has been mitigated
This is a much lower threshold; in fact, OCR will consider any loss to have been viewed, thus increasing your responsibility to report breaches.
Activities and Enforcement
Enforcement Expectations – Complaint Investigation and Resolution (as of December 31, 2012)
TOTAL (since 2003):
Complaints Filed: 77,200
Cases Investigated: 27,500
Cases with Corrective Action: 18,600
Civil Monetary Penalties & Resolution Agreements (since 2008): $14.9 million
A Year of Audits: Lesson Learned
Preliminary Analysis From the Audits
• Policies and Procedures exist but are outdated or not implemented
• HIPAA compliance programs were not a priority
• Small providers have broad failures across the Rules
• Larger entities continue to have security challenges
• Entities are not conducting regular Risk Assessments
• Entities are not managing third party risks
• Privacy challenges are widely dispersed throughout the protocol – no clear trends by entity type or size
Overall Audit Results Analysis – Findings and Observations
• 64% of the selected audit protocol pertained to Privacy, 28% pertained to Security and 8% pertained to Breach Notification.
– 60% of the findings and observations were in the audited Security protocol.
• Due to the specific activities of the covered entity, not all of the Privacy protocol in its entirety applied to all of the entities.
• No clear trends in the Privacy findings and observations; the challenges were wide-spread.
• Providers had more findings and observations than Health Plans and Clearinghouses.
• Details are on the subsequent slides…
Overall Audit Results Analysis – Findings and Observations
There are several overarching trends in the audit results noted in the 115 entities audited.
There were 979 audit findings and observations across all entities:
– 293 Privacy audit findings and observations;
– 592 Security audit findings and observations; and,
– 94 Breach Notification audit findings and observations.
58 of 59 providers had at least one finding or observation in HIPAA Security.
47 of 59 providers, 20 out of 35 health plans and 2 out of 7 clearinghouses did not have a complete and accurate risk assessment.
Overall Audit Results Analysis – Cause Analysis – Unaware of the Requirement
39% (115 of 293) of Privacy audit findings and observations: the entities said they were unaware of the requirement.
75% (86 of the 115) were on areas of the audit protocol where the performance criteria were derived directly from the HIPAA Privacy Rule.
Top Privacy areas with this cause:
– Notice of Privacy Practices;
– Access of Individuals;
– Minimum Necessary; and,
– Authorizations.
27% (163 of 593) of Security audit findings and observations: the entities said they were unaware of the requirement.
94% (153 of 163) were on areas of the audit protocol where the criteria were derived directly from the HIPAA Security Rule.
Top Security areas with this cause:
– Risk Analysis;
– Media movement and disposal; and,
– Audit controls and monitoring.
12% (11) of the Breach Notification audit findings and observations. All 11 findings were on areas of the audit protocol where the criteria were derived directly from the Breach Notification Rule.
HIPAA Privacy, Security and Breach Notification – Audit Findings and Observations
Audit Findings and Observations by Rule
Audit Findings and Observations by Level
Audit Findings and Observations by Type of Covered Entity
HIPAA Privacy, Security and Breach Notification – Audit Findings and Observations
Audit Findings and Observations Distribution
Industry View on Dealing with the Omnibus and HIPAA – Intermountain Healthcare
Industry View – Intermountain
• Prior to delivery of the Omnibus Rule, Intermountain completed a review of HIPAA and HITECH privacy and security controls and engaged KPMG to perform a comprehensive risk assessment of both programs.
• The risk assessment evaluated current posture against industry leading practices.
• Given the clear focus on oversight and management of Business Associates in the proposed rule, Intermountain requested specific analysis of existing 3rd party data release processes.
• Post risk assessment, Intermountain identified two projects that would improve existing contract management practices and prepare us for the final rule.
• Lifecycle Management of Privacy Agreements
• Tiered Risk Management Approach for Attestation and Audit of BA compliance with HIPAA and HITECH.
Industry View – Intermountain
• In addition to BAA management projects, Intermountain identified a number of other projects based on the Omnibus rule and associated commentary:
• Accounting of Disclosures:
• Exceptions for “Required by Law” were not granted as proposed; therefore improved solutions for automated collection of State and Federal reporting disclosures will be implemented.
• Updates to and Redistribution of the Notice of Privacy Practices:
• For health delivery notice: update breach notification language, update restriction information, and modify appointment reminder and marketing opt-out language.
• For payer notice: add language restricting the use of genetic information and update breach notification language.
• Disclosure of PHI:
• The final rule permits the disclosure of immunization information to schools with the consent of the individual/personal representative. Updates may be needed to our current processes to document verbal consents for release of immunization data.
• Update policies, procedures and forms with regard to restriction to payers, when requested by a patient, for services paid in full by patients.
• In accordance with Meaningful Use, technical means for delivering patient records in a more timely manner have already been implemented; modify existing policies, procedures and education to reflect new delivery requirements under HIPAA.
Industry View – Intermountain
• New Operational Requirements Continued:
• Disclosure of PHI
• Sale of PHI provisions were more restrictive than anticipated. As part of lifecycle management efforts, all data projects that include remuneration will need to document compliance with the provisions. New policies, procedures and education will need to be delivered to workforce members conducting research, and new methods for tracking costs will need to be established to prove remuneration was equal to the cost of services delivered.
• Use of PHI
• Marketing provisions require updated policies, procedures and education for workforce members on communications related to 3rd party products, with specific education for retail/specialty pharmacy and payer functions on changes to new reminder and refill communication allowances.
• The Final Rule expands the amount of PHI available for use in fundraising activities but also requires a CE to provide an individual with an opportunity to opt out of fundraising communications. To comply, we will update fundraising definitions in existing policies and procedures and determine if opt-out processes are sufficiently robust to meet the requirements of the rule.
Industry View – Intermountain
• New Operational Requirements Continued:
• Breach Assessment and Reporting
• Update policies, procedures and education to modify the definition of a “breach” to eliminate the risk of harm standard and add a legal presumption that any acquisition, access, use or disclosure of PHI in violation of the privacy rule is a breach.
• Refine breach notification assessment processes to evaluate new criteria in accordance with the “probability of compromise” standard. Update program effectiveness metrics and reporting to reflect this new assessment methodology.
• Research
• Re-interpretation of the existing rule now allows for future, unspecified research on data, which was previously disallowed under the interpretation that such future research was not clearly specified in an authorization.
• Research authorizations must be updated to include a description of remuneration for data projects, and calculation of the cost-based fee for PHI to prove it does not represent a profit.
• Final Rule allows the combination of conditioned and unconditioned authorizations in the same document; develop new, simplified standard consent/authorization wording.
• De-identification
• Policies, procedures and education for those engaged in 3rd party data uses and disclosures to explain the November 2012 de-identification guidelines, understanding of which is critical to meeting new BA Management, Research and Sale of PHI provisions in the Omnibus rule.
Summary
• HIPAA is here to stay
• Beyond the Omnibus, pay attention to emerging standards for Healthcare privacy and security:
• Meaningful Use Standards
• HIE requirements
• Federal Research Grants
• Business Associates: Invest in building a privacy and security program equal to your CE counterparts. If you are an HIE or HIO, you are likely not exempt from these requirements.
• Covered Entities: Build an action plan and design implementation timelines in accordance with the September enforcement deadline.
• BA agreements signed after January 25th need to reflect new requirements by March 25th, or plan to renegotiate again prior to September 26th.
Actions Steps – What You Should Be Doing
• Conduct a robust assessment with an annual reassessment for compliance
• Map/flow PHI movement within your organization, as well as flows to/from third parties
• Perform data discovery to find all of your PHI
• Establish effective technical safeguards over PHI (encryption, access management, restriction for required use only)
• Develop a third party risk management program
• Review vendor contracts and update BA agreements
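The "map/flow PHI" and "data discovery" action steps above come down to knowing where identifiers actually sit in your exports, vendor hand-offs and logs. The scanner below is an added example written for this transcript, not code from KPMG or Intermountain Healthcare: it runs a small set of identifier patterns (SSN, MRN, date of birth, email, phone; the patterns and the three sample sources are constructed for illustration and would be tuned to an organization's own formats) over text sources, records each hit with a masked value so the report itself does not become another copy of PHI, and rolls the results up per source so you can see which flows carry which identifier types.

```python
"""PHI data-discovery scan: find identifier patterns in text sources and
report masked, per-source counts. Added example; patterns and sample data
are constructed for illustration, not an organization's real formats."""
import re
from dataclasses import dataclass

# Identifier patterns (constructed; tune to your own MRN formats, etc.).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}


@dataclass(frozen=True)
class Finding:
    source: str    # file or flow the text came from
    line_no: int   # 1-based line within that source
    kind: str      # which PATTERNS key matched
    masked: str    # value with all but the last 4 characters masked


def mask(value: str) -> str:
    """Keep only the last 4 characters so findings can be triaged
    without the report reproducing the identifier."""
    return "*" * max(0, len(value) - 4) + value[-4:]


def scan_text(source: str, text: str) -> list:
    """Return one Finding per pattern match, per line, in the given text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(source, line_no, kind, mask(match.group(0))))
    return findings


def scan_sources(sources: dict) -> list:
    """Scan a mapping of source name -> text and concatenate the findings."""
    return [f for name, text in sources.items() for f in scan_text(name, text)]


def summarize(findings: list) -> dict:
    """Roll findings up to {source: {kind: count}} for the PHI flow map."""
    summary = {}
    for f in findings:
        per_source = summary.setdefault(f.source, {})
        per_source[f.kind] = per_source.get(f.kind, 0) + 1
    return summary


# Constructed sample sources: a billing export, a vendor hand-off note and
# an application log. None of these values belong to a real person.
SAMPLE_SOURCES = {
    "billing_export.csv": (
        "patient_id,name,ssn,dob\n"
        "1001,Jane Doe,123-45-6789,04/12/1965\n"
        "1002,John Roe,987-65-4321,11/30/1979"
    ),
    "vendor_share.txt": (
        "Sent to analytics vendor: MRN 00482913, contact j.doe@example.org\n"
        "Status update only, no identifiers"
    ),
    "app.log": (
        "2013-03-25 14:02:11 INFO lookup for caller (801) 555-0142 completed\n"
        "2013-03-25 14:02:12 DEBUG cache hit key=abc123"
    ),
}


def main() -> None:
    findings = scan_sources(SAMPLE_SOURCES)
    for f in findings:
        print(f"{f.source}:{f.line_no} {f.kind} {f.masked}")
    for source, kinds in summarize(findings).items():
        print(f"{source}: {kinds}")


if __name__ == "__main__":
    main()
```

The summary is what feeds the PHI flow map: a source such as the constructed `vendor_share.txt` that carries an MRN and a contact address is a third-party flow that needs a BA agreement and "satisfactory assurances", while identifiers turning up in an application log point at a technical-safeguard gap (logging that should be redacted) rather than a contracting one.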
KPMG Contacts
Michael D. [email protected]
Rich E. [email protected]
Jaime [email protected]
Mark M. [email protected]
Q&A
Thank You
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.