OCR Audits Are Coming—Is Your Organization Prepared?
Presented by: Jason T. Lundy, Lisa J. Acevedo, Kathleen D. Kenney
Agenda
– Current HIPAA Enforcement Landscape
– Brief Overview of Phase I Audits
– What to Expect in Phase 2
– The Importance of Up-To-Date Security Risk Analysis and Policy/Procedure Documentation
– How to Build Your “HIPAA Audit Binder”
– Key Recommendations
Current Government Enforcement Landscape
Enforcement is on the rise!!
– In 2015, OCR settled 6 cases, ranging from $125,000 to $3.5 million per settlement
– In 2016, OCR has already settled 5 cases and imposed civil monetary penalties in 1 case, with amounts ranging from $25,000 to $3.9 million
OCR has taken heat in the past for its “toothless” enforcement efforts, but a whole new era has clearly arrived
Importance of Enforcement Actions to Audit Process
There are themes and trends in the underlying conduct
– OCR will be looking for these vulnerabilities when reviewing your documents
– Even if you are not selected for a Phase 2 audit, the lessons learned from these settlements are invaluable
• For future breach avoidance
• For future audit preparation
Recent Settlements/Enforcement Actions
Feinstein Institute for Medical Research (March 2016)
– Notified OCR of the theft of an unencrypted laptop from an employee’s car; the laptop contained ePHI of approximately 13,000 patients and research participants
– Agreed to pay $3.9 million and adopt a corrective action plan (CAP)
– Key compliance issues included: insufficient security management process; insufficient policies and procedures; and failure to implement safeguards to restrict access by unauthorized users
Recent Settlements/Enforcement Actions
Lahey Hospital and Medical Center (Nov. 2015)
– Notified OCR of the theft of an unencrypted laptop that was connected to a portable CT scanner; the hard drive contained PHI of 599 individuals
– Lahey agreed to pay $850,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
– Key compliance issues included: failure to conduct risk analysis; failure to physically safeguard ePHI; lack of unique user names; failure to implement policies and procedures
Recent Settlements/Enforcement Actions
Triple-S Management Company (Nov. 2015)
– Insurance holding company
– Agreed to pay $3.5 million and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
– Deficiencies included failure to conduct risk analysis; failure to implement sufficient security measures; disclosure of more PHI than was necessary to carry out mailings
Recent Settlements/Enforcement Actions
Raleigh Orthopedic Clinic, PA (Apr. 2016)
– Notified OCR of a breach after releasing x-ray films and related PHI of 17,300 patients to a vendor, which was to transfer the images to electronic media in exchange for harvesting the silver from the x-ray film
– OCR found that Raleigh Orthopedic Clinic failed to execute a business associate agreement with the vendor prior to turning over PHI
– Agreed to pay $750,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
Breaches Involving Hacking Incidents
Anthem
– Almost 80 million individuals affected
– Cyber-attackers accessed social security numbers, medical ID numbers, names, addresses and birth dates
Premera Blue Cross
– 11 million individuals affected
– Discovered in January 2015 that hackers had been accessing PHI since May 2014
Community Health Systems
– Estimated 4.5 million individuals affected
– Hacker in China bypassed CHS’ security measures and accessed patient names, addresses, birthdates, telephone numbers and social security numbers
Overview of Phase 1 Audits
OCR contracted with KPMG to conduct the audits ($9.2 million contract)
OCR stratified CEs into 4 tiers; sought a wide range of types and sizes
Phase 1 audits took a “kitchen sink” approach
115 audits conducted (47 health plans; 61 providers; 7 clearinghouses); all audits included on-site visits
Phase 1 Lessons Learned
Improve document collection process (from notification to document collection throughout the audit)
Address timing and staffing issues (on-site audits ranged from 3 to 10 days)
Use representative sampling method
Prioritize focus on high-risk areas identified
Phase 1 Audit Results
[Chart: Phase 1 audit results; only the values 60% and 30% survived extraction, the category labels did not]
Phase 1 Results: Areas of Noncompliance
The most common cause of noncompliance: the covered entity was unaware of the requirement.
Phase I versus Phase II
– FCi Federal contract awarded ($1 million)
– Verifying contact information and learning more about the CE on the front end
– Desk audits prior to on-site audits
– Phase 2 desk audits focus on specific areas identified as high risk in Phase 1
– Likely less leniency with respect to extensions, etc.
Status of HIPAA Audit Program
Phase 2 Audits:
– Notification of potential selection has begun
• Contact verification notification emails have been sent
• Audit pre-screening questionnaire will follow
– Questions intended to identify whether the entity is a Covered Entity (Health Care Provider, Health Plan or Health Care Clearinghouse) or a Business Associate
• Purpose of these communications is to create a diverse audit pool
Can I Avoid Being Chosen?
Entities that fail to respond may still be selected
• Failing to respond could create the opposite effect!
Entities with open investigations should not be selected
• Note: we are aware of such entities receiving the initial notification communications
Past Compliance History
Impact of past compliance history
– Unclear if/when/how OCR will take this into account
• Should not impact the desk audit selection process
• May impact whether an organization is selected for an onsite audit
– The under-500 breach report logs can reveal systemic compliance issues
Audit Structure
Scope of Auditees
• Covered Entities and Business Associates
Type of Audit
• “Desk” audits first
» Conducted via document requests
• Onsite audits to follow
Focus of Phase 2 Audits
Areas of focus for desk audits
• Likely to focus on…
1. Security risk analysis and risk management
2. Notice of Privacy Practices
3. Breach Notification letters: content and timeliness
4. Individual’s Right to Access PHI
– OCR Audit Protocol
• Updated protocol published on OCR’s website
Areas of focus for onsite audits
• Intended to be more comprehensive than the desk audit
Audit Timeline
Phase 2 Audits:
– Timeline
• Desk audits: 10 days to respond!
– Responsive documents must be submitted electronically via the OCR secure portal
– Auditors will send draft findings and you have 10 days to provide written comments on the draft report
– Final report due back from auditors within 30 business days
– All Phase 2 desk audits are scheduled to be concluded by December 2016
Onsite Audit Timeline and Impact
To be conducted onsite over 3 to 5 business days
– Auditors will send draft findings and you have 10 days to provide written comments on the draft report
• Final report due back from auditors within 30 business days
Impact
– OCR has reserved the right to initiate a compliance review against an audited entity if the audit uncovers a serious compliance issue
Key Desk Audit Documents
Up-to-Date Security Risk Analysis
– This is the foundation of your HIPAA Security Rule program
• Phase 1 identified significant non-compliance
• Failure to conduct one was a key contributing factor in many of the large breaches and enforcement actions
– Be prepared to demonstrate that the risk analysis is current; it is also possible that OCR will ask for documentation from years past
Key Desk Audit Documents
Risk Management Plan
– Plan to address vulnerabilities found in the risk analysis
– Review status of commitments made in this plan
– Ensure all mitigation efforts have been documented in a form/format that can be easily produced
Risk Analysis Documentation Tool
Critical to review your documentation!
– Ideally, the documentation should be easy for an auditor to review, understand and map to the Security Rule requirements
• Examples of less effective documentation
• Double check the focus of reports created by third parties
We can help!
– Polsinelli’s Risk Analysis tool
Key Desk Audit Documents
Policies, Procedures, Compliance Documents
– Patient Right to Access
• Can you demonstrate timeliness?
• Review recent OCR guidance
– If you are using HIPAA authorization forms for access requests, you need to change that process
– Check your NPPs!
Key Desk Audit Documents
Breach Notification letters
– Ensure letters to affected individuals meet the content and timeliness requirements
– Be prepared to submit samples
If you have not had an incident rise to the level of a reportable breach, be prepared to produce your four-factor risk assessments for such incidents
Preparing for an Onsite Audit
More comprehensive
– Review the OCR Audit Protocol; be prepared to produce representative samples to demonstrate compliance
– Prepare as if you will be selected for an onsite audit
• Preparation is time-consuming
• You do not want to have staff running around looking for documents while the auditors are onsite
• Build your HIPAA Audit Binder!
Building Your HIPAA Audit Binder
Organization is key – make it as easy as possible for OCR/contractor to review your documentation
Be prepared to produce policies and procedures but also key forms and possibly representative samples
Ensure updates to documentation are apparent (particularly with regard to risk analysis)
Key Takeaways/Recommendations
• Confirm with IT that you have recently performed and documented an accurate and thorough risk analysis and risk mitigation plan
• Encrypt!! Especially mobile devices!! If PHI is not encrypted, ensure you have the appropriate documentation in place specifying the equivalent alternative measures in place.
• Review and organize your policies and procedures, BAAs, and other key documentation
• Train and re-train your employees
• Prepare for an onsite audit. Valuable even if your organization is never selected; it will help decrease the risk of breaches and complaints
• Learn from the mistakes of other organizations and use them as teaching opportunities
Key Takeaways/Recommendations
***Keep in mind the OCR Audit Program is a permanent program
• If you are not selected for a Phase 2 audit, you should still be evaluating your organization’s HIPAA compliance program to prepare for the next round of audits
• Preparation is ultimately worthwhile and cost effective because it will help improve your compliance program and decrease the risk of costly breaches
We Can Help!
Polsinelli’s Audit Preparation Tool and Services
– Phase 1:
• Off-site: Review of your organization’s HIPAA privacy and security materials (BAAs and, for those that are business associates, your subcontractor BAAs; NPPs; privacy and security policies and procedures; key forms; risk analyses; risk management plan; etc.)
• On-site: Mock OCR audit at your organization; interview employees and collect representative samples
Polsinelli’s Audit Preparation Services
Phase 2:
– Analysis and findings from Phase 1
• We will identify any deficiencies, best practices, areas of risk, and make recommendations for changes and improvement
– Conference call with your compliance or legal team to discuss findings and recommendations, and to prepare for Phase 3
Polsinelli’s Audit Preparation Services
Phase 3:
– Provide a formal report of audit findings and recommendations.
– Provide an educational in-service to your compliance team relating to the audit, areas of risk, recommendations for improvement, etc.
• The educational in-service may be presented in person or as a webinar.
Questions?
Feel free to contact us for more information:
– Jason Lundy: [email protected]
– Lisa Acevedo: [email protected]
– Katie Kenney: [email protected]
Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.
Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.
© 2016 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC