Page 1: HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Associates and Covered Entities

HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Associates and Covered Entities

Lisa Acevedo | Shareholder, Polsinelli PC

Erin Fleming Dunlap | Shareholder, Polsinelli PC

Katie Kenney | Associate, Polsinelli PC

David Holtzman | Vice President, CynergisTek, Inc.

Page 2

Agenda

Current HIPAA Enforcement Landscape

OCR Audit Structure and Status Update

OCR Document Request List: Areas of Focus

The Importance of Up-To-Date Security Risk Analysis

How to Build Your "HIPAA Audit Binder"

Audit Scope for Security Rule Compliance

How to Prepare for Security Rule Component of the OCR Audit

Key Takeaways/Recommendations

Page 3

Current Government Enforcement Landscape

Enforcement is on the rise!

– In 2015, OCR settled 6 cases, ranging from $125,000 to $3.5 million per settlement

– In 2016, OCR has already settled 9 cases and successfully imposed civil monetary penalties in 1 case, ranging from $25,000 to $5.55 million

OCR has taken heat in the past for its “toothless” enforcement efforts, but a whole new era has clearly arrived

Page 4

Importance of Enforcement Actions to Audit Process

There are themes and trends in the underlying conduct

– OCR will be looking for these vulnerabilities when reviewing your documents

– Even if you have not been selected for a Phase 2 audit, the lessons learned from these settlements are invaluable

• For future breach avoidance

• For future audit preparation

Page 5

Recent Settlements/Enforcement Actions

Advocate Health Care – August 2016

Largest settlement to date: $5.55 million; involved multiple violations OCR uncovered while investigating 3 separate breach reports Advocate submitted in 2013

The combined breaches affected approximately 4 million individuals

Key issues included but are not limited to failure to: conduct an accurate and thorough Risk Analysis; implement policies and procedures and facility access controls; and obtain satisfactory assurances through a BAA

Page 6

Recent Settlements/Enforcement Actions

University of Mississippi Medical Center (UMMC) – July 2016

Agreed to settle with OCR for $2.75 million; involved multiple violations of HIPAA that OCR uncovered while investigating a breach involving a missing, unencrypted laptop

OCR noted that during the investigation the agency discovered that UMMC was aware of risks and vulnerabilities to its systems as far back as 2005 but no significant risk management plan was implemented

Page 7

Recent Settlements/Enforcement Actions

Oregon Health & Science University (OHSU) – July 2016

Agreed to settle with OCR for $2.7 million; OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive

During the investigation, OCR uncovered, among other issues, that OHSU stored sensitive patient information in the cloud without a BAA in place

Page 8

Recent Settlements/Enforcement Actions

Raleigh Orthopedic Clinic, PA (Apr 2016)

– Notified OCR of a breach after releasing x-ray films and related PHI of 17,300 patients to a vendor to transfer the images to electronic media in exchange for harvesting the silver from the x-ray film

– OCR found that Raleigh Orthopedic Clinic failed to execute a business associate agreement with the vendor prior to turning over PHI

– Agreed to pay $750,000 and adopt a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program

Page 9

Recent Settlements/Enforcement Actions

Feinstein Institute for Medical Research (March 2016)

– Notified OCR of the theft of an unencrypted laptop from an employee’s car – laptop contained ePHI of approximately 13,000 patients and research participants

– Agreed to pay $3.9 million and adopt a corrective action plan (CAP)

– Key compliance issues included: insufficient security management process; insufficient policies and procedures; and failure to implement safeguards to restrict access to unauthorized users

Page 10

Breaches Involving Hacking Incidents

Anthem – Almost 80 million individuals affected

– Cyber-attackers accessed social security numbers, medical ID numbers, names, addresses and birth dates

Premera Blue Cross – 11 million individuals affected

– Discovered in January 2015 that hackers had been accessing PHI since May 2014

Community Health Systems – Estimated 4.5 million individuals affected

– Hacker in China bypassed CHS’ security measures and accessed patient names, addresses, birthdates, telephone numbers and social security numbers

Page 11

OCR HIPAA Audit Structure

Scope of Auditees

• Covered Entities and Business Associates

Type of Audit

• “Desk” audits first

» Conducted via document requests

• Onsite audits to follow

Page 12

Status of HIPAA Audit Program

Phase 2 Audits:

– Desk audits of Covered Entities have already begun

– Desk audits of Business Associates will begin in the fall

• OCR has submitted the document request list to Covered Entity auditees – http://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf

Page 13

Focus of Phase 2 Audits

Areas of focus for desk audits

• Covered Entity Document Request List:

1. Security risk analysis and risk management

2. Notice of Privacy Practices

3. Breach Notification letters: content and timeliness

4. Individual’s Right to Access PHI

– OCR Audit Protocol

• Updated protocol published on OCR’s website

Areas of focus for onsite audits

• Intended to be more comprehensive than desk audit

Page 14

Audit Timeline

Phase 2 Audits:

– Timeline

• Desk audits: 10 days to respond!

– Responsive documents must be submitted electronically via OCR secure portal

– Auditors will send draft findings and you have 10 days to provide written comments to the draft report

– Final report due back from auditors within 30 business days

– All Phase 2 desk audits are scheduled to be concluded by December 2016

Page 15

Onsite Audit Timeline and Impact

To be Conducted Onsite over 3 to 5 Business Days

– Auditors will send draft findings and you have 10 days to provide written comments to the draft report

• Final report due back from auditors within 30 business days

Impact

– OCR has reserved the right to initiate a compliance review against an audited entity if the audit uncovers a serious compliance issue

Page 16

Key Desk Audit Documents

Up-to-Date Security Risk Analysis

– This is the foundation of your HIPAA Security Rule program

• Phase 1 identified significant non-compliance

• Failure to do so was key contributing factor to many of the large breaches and enforcement actions

– OCR is requesting specific documents, not just policies and procedures

• Key FAQs

Page 17

Key Desk Audit Documents

Risk Management Plan

– This is your plan to address vulnerabilities found in risk analysis

• OCR is requesting specific documents, not just policies and procedures

– Key FAQs

Page 18

Risk Analysis Documentation Tool

Critical to Review Your Documentation!

– Ideally, the documentation should be easy for an auditor to review, understand and map to the Security Rule requirements

• Examples of less effective documentation

• Double check focus of reports created by third parties

We can help!

Page 19

Key Desk Audit Documents

Patient Right to Access

• OCR is requesting policies and procedures, PLUS:

– Documentation related to 5 access requests and documentation related to 5 access requests where the time to respond was extended

– Template access request form

» If you are using HIPAA authorization forms for access requests, you need to change that process

» Key FAQs

Page 20

Key Desk Audit Documents

Notice of Privacy Practices

– Check NPPs to verify that they contain all required elements

– Make sure that your website prominently posts the NPP

– Documentation requested related to electronic provision of the NPP

• Key FAQs

Page 21

Key Desk Audit Documents

Breach Notification

– Ensure letters to affected individuals meet the content and timeliness requirements

– Must produce documentation related to notification of 5 breaches involving under 500 and 5 breaches involving 500 or more affected patients

• Key FAQs

Page 22

Preparing for an Onsite Audit

More Comprehensive

– Review the OCR Audit Protocol; be prepared to produce representative samples to demonstrate compliance

– Prepare as if you will be selected for an onsite audit

• Preparation is time-consuming

• You do not want to have staff running around looking for documents while the auditors are onsite

• Build your HIPAA Audit Binder!

Page 23

Building Your HIPAA Audit Binder

Organization is key – make it as easy as possible for OCR/contractor to review your documentation

Be prepared to produce policies and procedures but also key forms and representative samples

Ensure updates to documentation are apparent (particularly with regard to risk analysis)

Page 24

Key Takeaways/Recommendations

• Confirm with IT that you have recently performed and documented an accurate and thorough risk analysis and risk mitigation plan

• Encrypt!! Especially mobile devices!! If PHI is not encrypted, ensure you have the appropriate documentation in place specifying the equivalent alternative measures in place.

• Review and organize your policies and procedures, BAAs, and other key documentation

• Train and re-train your employees

• Prepare for an onsite audit. Valuable even if your organization is never selected; will help decrease the risk of breaches and complaints

• Learn from mistakes of other organizations and use as teaching opportunities

Page 25

Key Takeaways/Recommendations

***Keep in mind OCR Audit Program is a Permanent Program

• Not being selected this year, allows you some time to conduct a comprehensive evaluation of your organization’s HIPAA compliance program to prepare for the next round of audits

• Preparation is ultimately worthwhile and cost effective because it will help improve your compliance program and decrease risk of costly breaches

Page 26

Questions?

Feel free to contact us for more information:

– Lisa Acevedo [email protected]

– Erin Fleming Dunlap [email protected]

– Katie Kenney: [email protected]

Page 27

real challenges. real answers. sm

Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2016 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC

Page 28

CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek

OCR HIPAA Audit Program: What You Need to Know Now

Presented by: David Holtzman, VP, Compliance Strategies

Page 29

CynergisTek, Inc.

Synergistic

The name “CynergisTek” came from the synergy realized by combining the expertise of the two co-founders: building scalable, mature information security programs and architecting enterprise technical solutions.

Founded in 2004

CynergisTek has been providing services to our clients since 2004, but many of our clients have been with one or both of the founders since well before the company was founded.

Securing the Mission of Care

CynergisTek services are specifically geared to address the needs of the healthcare community, including providers, payers, and their business associates who provide services to those entities.

Consulting Services

CynergisTek provides consulting services and solutions around information security, privacy, IT architecture, and audit with specific focus on regulatory compliance in healthcare.

Page 30


Today’s Presenter

• Vice President of Compliance Strategies, CynergisTek, Inc.

• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules

• Experienced in developing, implementing and evaluating health information privacy and security compliance programs

• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights

David Holtzman CynergisTek, Inc.

Page 31

Audit Scope for Security Rule Compliance

Page 32

What Are OCR Audits Reviewing?

Desk Audits

• Security Management Process Standard

• Policies and performance of Information Security Risk Analysis

• Policies and performance of Information Security Risk Management Plan

Onsite Audits

• Device and media controls

• Transmission security

• Encryption of data at rest

• Facility access controls

Other Areas

• Administrative and physical safeguards

• Workforce training to HIPAA policies & procedures

• High risk areas identified through:

» Pilot Audit Program performed in 2012

» Breach reports submitted to OCR

Page 33

OCR Desk Audit Document Request

• Copy of current information security risk analysis and a prior risk analysis.

• Documentation related to the implementation of the risk analysis and security review process; how it is available to the workforce members who are responsible for carrying out the risk analysis; and that the procedures are periodically reviewed and updated when needed.

• Documentation demonstrating that policies and procedures related to implementation of risk analysis have been in place for the prior 6 years.

• Documentation demonstrating the security measures implemented to reduce the risks as a result of the current risk analysis or assessment, and for the prior calendar year.

• Documentation from 2015 demonstrating the implementation of the risk management process; how it is available to the workforce members who are responsible for carrying out the risk management process; and that the procedures are periodically reviewed and updated when needed.

Page 34

Desk Audit Protocol: Risk Analysis

Documentation Requested / What Should be Submitted

1. Requested: Upload documentation of current risk analysis results.
   Submit: Provide the report of the most recent Risk Analysis performed by the organization.

2. Requested: Upload documentation demonstrating that policies and procedures related to implementation of risk analysis are in place and any revisions for the prior 6 years.
   Submit: Provide copies of current and prior versions of risk analysis policies and procedures from 2010 to 2016. Ensure that the policies and procedures support an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI the organization creates, receives, maintains or transmits.

3. Requested: Upload policies and procedures regarding the entity’s risk analysis process.
   Submit: Provide the current policy and procedure on how the risk analysis is performed.

4. Requested: Upload documentation of the risk analysis and the most recently conducted prior risk analysis.
   Submit: Provide the risk analysis completed prior to the 2015 Risk Analysis as well as accompanying documentation of an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI the organization creates, receives, maintains or transmits.

Page 35

Desk Audit Protocol: Risk Management

Documentation Requested / What Should be Submitted

1. Requested: Upload documentation demonstrating the security measures implemented to reduce the risks as a result of the current risk analysis or assessment.
   Submit: Provide documentation that the organization has implemented or has plans to implement administrative, physical or technical controls to reduce risks and vulnerabilities identified in the current risk analysis.

2. Requested: Upload documentation demonstrating that policies and procedures related to implementing risk management processes have been in place and in force for the prior 6 years.
   Submit: Provide documentation of current and prior versions of risk management policies and procedures from 2010 to 2016. These policies and procedures should identify how risk is managed, what the organization considers an acceptable level of risk in its management program, the frequency of reviewing ongoing risks, and the workforce members who are assigned a role in the risk management process.

3. Requested: Upload documentation demonstrating the efforts used to manage risks from the previous calendar year.
   Submit: Provide documentation for the 2015 calendar year of the actions the organization took, or had plans to take, to implement administrative, physical or technical controls to reduce risks and vulnerabilities identified in its risk analysis.

Page 36

Preparing for an OCR Audit

Page 37


Where Do We Start? Risk Assessment…

Credit: http://dilbert.com/strips/comic/1997-11-08/

Page 38

Information Security Risk Assessment

• An assessment of threats and vulnerabilities to information systems that handle e-PHI.

• This provides the starting point for determining what is ‘appropriate’ and ‘reasonable’.

• Organizations determine their own technology and administrative choices to mitigate their risks.

• The risk analysis process should be ongoing and repeated as needed when the organization experiences changes in technology or operating environment.

Page 39

Performing a Risk Analysis

Gather Information

• Prepare inventory lists of information assets: data, hardware and software.

• Determine potential threats to information assets.

• Identify organizational and information system vulnerabilities.

• Document existing security controls and processes.

Analyze Information

• Evaluate and measure risks associated with information assets.

• Rank information assets based on asset criticality and business value.

• Develop and analyze multiple potential threat scenarios.

Develop Remedial Plans

• Prioritize potential threats based on importance and criticality.

• Develop remedial plans to combat potential threat scenarios.

• Repeat risk analysis to evaluate success of remediation and when there are changes in technology or operating environment.
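The three steps above (inventory and threats, scored and ranked risks, prioritized remediation) are what an auditor expects to see reflected in the risk analysis report and the risk management plan. The following is an added worked example, not code from the presenters or from OCR, of a minimal risk register that carries an inventory through scoring, ranking against an accepted risk level, and a remediation plan. The 1 to 5 likelihood and impact scales, the tolerance threshold, the 365-day re-analysis ceiling and all asset and risk entries are constructed assumptions; the Security Rule prescribes none of these values.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List


@dataclass
class Asset:
    """One row of the information-asset inventory (data, hardware or software)."""
    name: str
    handles_ephi: bool   # creates, receives, maintains or transmits ePHI
    criticality: int     # 1 (low) .. 5 (mission critical); assumed scale


@dataclass
class Risk:
    """A threat/vulnerability pair against an asset, with existing controls noted."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                     # 1..5 before existing controls (assumed scale)
    impact: int                         # 1..5 on confidentiality/integrity/availability of ePHI
    existing_controls: List[str] = field(default_factory=list)
    likelihood_reduction: int = 0       # notches the existing controls take off likelihood
    remediation: str = ""               # proposed administrative, physical or technical control

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Existing controls lower likelihood, never below 1; impact is unchanged.
        return max(1, self.likelihood - self.likelihood_reduction) * self.impact


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by asset criticality, then ePHI exposure."""
    return sorted(
        risks,
        key=lambda r: (r.residual_score(), r.asset.criticality, r.asset.handles_ephi),
        reverse=True,
    )


def remediation_plan(risks: List[Risk], tolerance: int) -> List[Dict]:
    """Risks above the organization's accepted risk level, in priority order.

    This is the risk-management-plan half of the desk audit request: for each
    ranked risk, the control the organization implemented or plans to implement.
    """
    plan = []
    above = (r for r in rank_risks(risks) if r.residual_score() > tolerance)
    for priority, r in enumerate(above, start=1):
        plan.append({
            "priority": priority,
            "asset": r.asset.name,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "residual": r.residual_score(),
            "action": r.remediation,
        })
    return plan


def accepted_risks(risks: List[Risk], tolerance: int) -> List[Risk]:
    """Risks at or below tolerance: documented as accepted rather than remediated."""
    return [r for r in rank_risks(risks) if r.residual_score() <= tolerance]


def risk_analysis_due(last_completed: str, today: str,
                      environment_changed: bool, max_age_days: int = 365) -> bool:
    """Repeat the analysis after a technology/operating-environment change or when stale.

    Dates are ISO strings (YYYY-MM-DD). The 365-day ceiling is an assumption; the
    Security Rule sets no fixed interval.
    """
    age = date.fromisoformat(today) - date.fromisoformat(last_completed)
    return environment_changed or age.days > max_age_days


# Constructed sample inventory and register (not real audit data).
LAPTOPS = Asset("clinician laptops", handles_ephi=True, criticality=4)
EHR_DB = Asset("EHR database server", handles_ephi=True, criticality=5)
WEBSITE = Asset("public marketing website", handles_ephi=False, criticality=2)

SAMPLE_RISKS = [
    Risk(LAPTOPS, "theft or loss of device", "no full-disk encryption", 4, 5,
         ["cable locks", "asset tags"], likelihood_reduction=1,
         remediation="deploy full-disk encryption with escrowed recovery keys"),
    Risk(EHR_DB, "credential compromise", "shared administrator accounts", 3, 5,
         remediation="individual admin accounts with MFA; quarterly access review"),
    Risk(EHR_DB, "ransomware", "delayed OS patching", 3, 5,
         ["weekly patching", "offline backups"], likelihood_reduction=2,
         remediation="maintain controls; re-test restore procedure"),
    Risk(WEBSITE, "defacement", "outdated CMS plugins", 3, 2,
         remediation="enable automatic plugin updates"),
]

if __name__ == "__main__":
    for entry in remediation_plan(SAMPLE_RISKS, tolerance=8):
        print(entry)
    print("re-analysis due:", risk_analysis_due("2015-01-15", "2016-09-01", False))
```

The point of keeping both `inherent_score` and `residual_score` is that the desk audit asks for the prior analysis as well as the current one: the delta between the two, with the controls that produced it, is the evidence that the risk management process actually ran.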

Page 40

Build an Audit Tool Kit

• Prepare a plan to perform mock audits

• Use OCR’s 2016 Phase 2 HIPAA Audit Protocol

• Replicate what documentation would be required under audit conditions and the timelines for production

• Use the results from your audit to develop a work plan for policies and processes that should be reviewed or updated

Page 41

Prepare for OCR Audit

• Requirements for listing business associates

– http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html

• OCR’s 2016 Audit Protocol

– http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html

Page 43

Example: Security Management Process

Section/Key Activity: §164.308(a)(1)(i) Security Management Process (Standard)

Established Performance Criteria: A covered entity or business associate must, in accordance with §164.306, implement policies and procedures to prevent, detect, contain, and correct security violations.

Audit Inquiry:

• Does the entity have written policies and procedures in place to prevent, detect, contain and correct security violations?

• Does the entity prevent, detect, contain and correct security violations?

• Obtain and review policies and procedures related to security violations. Evaluate the content relative to the specified performance criteria for countermeasures or safeguards implemented to prevent, detect, contain and correct security violations.

• Obtain and review documentation demonstrating that policies and procedures have been implemented to prevent, detect, contain and correct security violations. Evaluate and determine if the process used is in accordance with related policies and procedures.

• Obtain and review documentation of security violations and remediation actions. Evaluate and determine if security violations were handled in accordance with the related policies and procedures: safeguards or countermeasures to prevent violations from occurring; identifying and characterizing violations as they happen; limiting the extent of any damage caused by violations; and having a corrective action plan in place to manage risk.

Page 44

Example: Encryption and Decryption

Key Activity: §164.312(a)(2)(iv) Access Control: Encryption and Decryption (Addressable)

Established Performance Criteria: Implement a mechanism to encrypt and decrypt electronic protected health information.

Audit Inquiry:

• Does the entity have policies and procedures in place to encrypt and decrypt ePHI, including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?

• Does the entity encrypt and decrypt ePHI, including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?

• Obtain and review the policies and procedures regarding the encryption and decryption of ePHI. Evaluate the content relative to the specified criteria to determine that the implementation and use of encryption appropriately protects ePHI.

• Obtain and review documentation demonstrating ePHI being encrypted and decrypted. Evaluate and determine if ePHI is encrypted and decrypted in accordance with related policies and procedures.

• Has the entity chosen to implement an alternative measure? If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead. Evaluate the documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.

Page 45


Questions?

David Holtzman

[email protected]

512.405.8550 x7020

@HITPrivacy
