OCR Audits Are Coming – Is Your Organization Prepared? (presentation transcript; uploaded by polsinelli-pc, posted 14-Apr-2017, category: Law)

Page 1: OCR Audits Are Coming – Is Your Organization Prepared?

Presented by: Jason T. Lundy, Lisa J. Acevedo, Kathleen D. Kenney

Page 2: Agenda

Current HIPAA Enforcement Landscape
Brief Overview of Phase I Audits
What to Expect in Phase 2
The Importance of Up-To-Date Security Risk Analysis and Policy/Procedure Documentation
How to Build Your “HIPAA Audit Binder”
Key Recommendations

Page 3: Current Government Enforcement Landscape

Enforcement is on the rise!!
– In 2015, OCR settled 6 cases ranging from $125,000 to $3.5 million per settlement
– In 2016, OCR has already settled 5 cases and successfully imposed civil monetary penalties in 1 case, ranging from $25,000 to $3.9 million

OCR has taken heat in the past for its “toothless” enforcement efforts, but a whole new era has clearly arrived

Page 4: Importance of Enforcement Actions to Audit Process

There are themes and trends in the underlying conduct
– OCR will be looking for these vulnerabilities when reviewing your documents
– Even if you are not selected for a Phase 2 audit, the lessons learned from these settlements are invaluable
• For future breach avoidance
• For future audit preparation

Page 5: Recent Settlements/Enforcement Actions

Feinstein Institute for Medical Research (March 2016)
– Notified OCR of the theft of an unencrypted laptop from an employee’s car; the laptop contained ePHI of approximately 13,000 patients and research participants
– Agreed to pay $3.9 million and adopt a corrective action plan (CAP)
– Key compliance issues included: insufficient security management process; insufficient policies and procedures; and failure to implement safeguards to restrict access by unauthorized users

Page 6: Recent Settlements/Enforcement Actions

Lahey Hospital and Medical Center (Nov. 2015)
– Notified OCR of the theft of an unencrypted laptop that was connected to a portable CT scanner; the hard drive contained PHI of 599 individuals
– Lahey agreed to pay $850,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
– Key compliance issues included: failure to conduct a risk analysis; failure to physically safeguard ePHI; lack of unique user names; failure to implement policies and procedures

Page 7: Recent Settlements/Enforcement Actions

Triple-S Management Company (Nov. 2015)
– Insurance holding company
– Agreed to pay $3.5 million and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program
– Deficiencies included failure to conduct a risk analysis; failure to implement sufficient security measures; and disclosure of more PHI than was necessary to carry out mailings

Page 8: Recent Settlements/Enforcement Actions

Raleigh Orthopedic Clinic, PA (Apr. 2016)
– Notified OCR of a breach after releasing x-ray films and related PHI of 17,300 patients to a vendor that was to transfer the images to electronic media in exchange for harvesting the silver from the x-ray film
– OCR found that Raleigh Orthopedic Clinic failed to execute a business associate agreement with the vendor prior to turning over the PHI
– Agreed to pay $750,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program

Page 9: Breaches Involving Hacking Incidents

Anthem
– Almost 80 million individuals affected
– Cyber-attackers accessed social security numbers, medical ID numbers, names, addresses and birth dates

Premera Blue Cross
– 11 million individuals affected
– Discovered in January 2015 that hackers had been accessing PHI since May 2014

Community Health Systems
– Estimated 4.5 million individuals affected
– A hacker in China bypassed CHS’ security measures and accessed patient names, addresses, birthdates, telephone numbers and social security numbers

Page 10: Overview of Phase 1 Audits

OCR contracted with KPMG to conduct the audits ($9.2 million contract)
OCR stratified CEs into 4 tiers, seeking a wide range of types and sizes
Phase 1 audits took a “kitchen sink” approach
115 audits conducted (47 health plans; 61 providers; 7 clearinghouses)
All audits included on-site visits

Page 11: Phase 1 Lessons Learned

Improve document collection process (from notification to document collection throughout the audit)
Address timing and staffing issues (on-site audits ranged from 3 to 10 days)
Use a representative sampling method
Prioritize focus on the high-risk areas identified

Page 12: Phase 1 Audit Results

(Chart: Phase 1 Results – Areas of Noncompliance)

The most common cause of noncompliance: the covered entity was unaware of the requirement.

Page 13: Phase I versus Phase II

FCi Federal contract awarded – $1 million
Verifying contact information and learning more about the CE on the front end
Desk audits prior to on-site audits
Phase 2 desk audits focus on specific areas identified as high risk in Phase 1
Likely less leniency with respect to extensions, etc.

Page 14: Status of HIPAA Audit Program

Phase 2 Audits:
– Notification of potential selection has begun
• Contact verification notification emails have been sent
• Audit pre-screening questionnaire will follow
– Questions intended to identify whether the entity is a Covered Entity (Health Care Provider, Health Plan or Health Care Clearinghouse) or a Business Associate
• Purpose of these communications is to create a diverse audit pool

Page 15: Can I Avoid Being Chosen?

Entities that Fail to Respond May Still be Selected
• Failing to respond could create the opposite effect!

Entities with Open Investigations Should not be Selected
• Note: we are aware of such entities receiving the initial notification communications

Page 16: Past Compliance History

Impact of Past Compliance History
– Unclear if/when/how OCR will take this into account
• Should not impact desk audit selection process
• May impact whether an organization is selected for an onsite audit
– The under-500 breach report logs can be a source of systemic compliance issues

Page 17: Audit Structure

Scope of Auditees
• Covered Entities and Business Associates

Type of Audit
• “Desk” audits first
» Conducted via document requests
• Onsite audits to follow

Page 18: Focus of Phase 2 Audits

Areas of focus for desk audits
• Likely to focus on…
1. Security risk analysis and risk management
2. Notice of Privacy Practices
3. Breach Notification letters – content and timeliness
4. Individual’s Right to Access PHI
– OCR Audit Protocol
• Updated protocol published on OCR’s website

Areas of focus for onsite audits
• Intended to be more comprehensive than desk audit

Page 19: Audit Timeline

Phase 2 Audits:
– Timeline
• Desk audits: 10 days to respond!
– Responsive documents must be submitted electronically via the OCR secure portal
– Auditors will send draft findings and you have 10 days to provide written comments to the draft report
– Final report due back from auditors within 30 business days
– All Phase 2 desk audits are scheduled to be concluded by December 2016

Page 20: Onsite Audit Timeline and Impact

To be Conducted Onsite over 3 to 5 Business Days
– Auditors will send draft findings and you have 10 days to provide written comments to the draft report
• Final report due back from auditors within 30 business days

Impact
– OCR has reserved the right to initiate a compliance review against an audited entity if the audit uncovers a serious compliance issue

Page 21: Key Desk Audit Documents

Up-to-Date Security Risk Analysis
– This is the foundation of your HIPAA Security Rule program
• Phase 1 identified significant non-compliance
• Failure to conduct one was a key contributing factor in many of the large breaches and enforcement actions
– Be prepared to demonstrate that the risk analysis is current; it is also possible that OCR will ask for documentation from years past

Page 22: Key Desk Audit Documents

Risk Management Plan
– Plan to address vulnerabilities found in the risk analysis
– Review status of commitments made in this plan
– Ensure all mitigation efforts have been documented in a form/format that can be easily produced

Page 23: Risk Analysis Documentation Tool

Critical to Review Your Documentation!
– Ideally, the documentation should be easy for an auditor to review, understand and map to the Security Rule requirements
• Examples of less effective documentation
• Double check the focus of reports created by third parties

We can Help!
– Polsinelli’s Risk Analysis tool

Page 24: Key Desk Audit Documents

Policies, Procedures, Compliance Documents
– Patient Right to Access
• Can you demonstrate timeliness?
• Review recent OCR guidance
– If you are using HIPAA authorization forms for access requests, you need to change that process
– Check your NPPs!

Page 25: Key Desk Audit Documents

Breach Notification letters
– Ensure letters to affected individuals meet the content and timeliness requirements
– Be prepared to submit samples

If you have not had an incident rise to the level of a reportable breach, you may want to be prepared to produce your 4-factor risk assessments for such incidents

Page 26: Preparing for an Onsite Audit

More Comprehensive
– Review the OCR Audit Protocol; be prepared to produce representative samples to demonstrate compliance
– Prepare as if you will be selected for an onsite audit
• Preparation is time-consuming
• You do not want to have staff running around looking for documents while the auditors are onsite
• Build your HIPAA Audit Binder!

Page 27: Building Your HIPAA Audit Binder

Organization is key – make it as easy as possible for OCR/contractor to review your documentation

Be prepared to produce policies and procedures but also key forms and possibly representative samples

Ensure updates to documentation are apparent (particularly with regard to risk analysis)

Page 28: Key Takeaways/Recommendations

• Confirm with IT that you have recently performed and documented an accurate and thorough risk analysis and risk mitigation plan
• Encrypt!! Especially mobile devices!! If PHI is not encrypted, ensure you have the appropriate documentation in place specifying the equivalent alternative measures in place.
• Review and organize your policies and procedures, BAAs, and other key documentation
• Train and re-train your employees
• Prepare for an onsite audit
• Valuable even if your organization is never selected; it will help decrease the risk of breaches and complaints
• Learn from the mistakes of other organizations and use them as teaching opportunities

Page 29: Key Takeaways/Recommendations

***Keep in mind the OCR Audit Program is a Permanent Program
• If you are not selected for a Phase 2 audit, you should still be evaluating your organization’s HIPAA compliance program to prepare for the next round of audits
• Preparation is ultimately worthwhile and cost effective because it will help improve your compliance program and decrease the risk of costly breaches

Page 30: We Can Help!

Polsinelli’s Audit Preparation Tool and Services
– Phase 1:
• Off-site: Review of your organization’s HIPAA privacy and security materials (BAAs (for those that are business associates, your sub-contractor BAAs), NPPs, privacy and security policies and procedures, key forms, risk analyses, risk management plan, etc.)
• On-site: Mock OCR audit at your organization; interview employees and collect representative samples

Page 31: Polsinelli’s Audit Preparation Services

Phase 2:
– Analysis and findings from Phase 1
• We will identify any deficiencies, best practices, areas of risk, and make recommendations for changes and improvement
– Conference call with your compliance or legal team to discuss findings, recommendations, and to prepare for Phase 3

Page 32: Polsinelli’s Audit Preparation Services

Phase 3:
– Provide a formal report of audit findings and recommendations.
– Provide an educational in-service to your compliance team relating to the audit, areas of risk, recommendations for improvement, etc.
• The educational in-service may be presented in person or as a webinar.

Page 33: Questions?

Feel free to contact us for more information:
– Jason Lundy: [email protected]
– Lisa Acevedo: [email protected]
– Katie Kenney: [email protected]

Page 34: real challenges. real answers.℠

Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.

Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

© 2016 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC