Agenda 31-10-2013 Responsibilities of the HIPAA Privacy and Security Officer - Managing and
Transcription
Agenda 31-10-2013 Responsibilities of the HIPAA Privacy and Security Officer - Managing and
31-10-2013 Welcome to Compliance2go Live Web Seminar Responsibilities of the HIPAA Privacy and Security Officer - Managing and Documenting HIPAA Compliance Jim Sheldon-Dean © Copyright 2013 www.compliance2go.com 1 Agenda • • Learn about being a HIPAA Privacy and Security Officer Responsibilities of the HIPAA Officer • Privacy Rule: Patient Rights and Controls on Entities • Security Rule: Having a Security Management Process • Breach Notification: Sooner or later… • Find out about the new, higher enforcement penalties • • Discuss what is required to be in compliance and show it Learn about being prepared for a HIPAA Compliance Audit • Q&A session • Disclaimer: I am not a lawyer and this is not legal advice – I am only providing information and resources © Copyright 2013 www.compliance2go.com 2 My Background • • • • • • • BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT Three decades in consulting, information systems, and software development Process, problem-solving oriented 8 years as Vermont EMT, crew chief 12 years specializing in HIPAA and health information privacy and security regulatory compliance Involved in WEDI, HIMSS, frequent speaker about HIPAA and information privacy and security See www.lewiscreeksystems.com for more details, resources, information security compliance news, etc. © Copyright 2013 www.compliance2go.com 3 1 31-10-2013 Who is the HIPAA Privacy and Security Officer? • The person responsible for making sure – All the right policies and procedures are in place – Application of policies and procedures is documented – Compliance is reviewed – Compliance documentation is maintained • The person answering the call from HHS • The person answering the call from the CEO © Copyright 2013 www.compliance2go.com 4 HIPAA Privacy & Security Rules • Privacy Rule – – – – – 45 CFR Part 164 Subpart E; 45 CFR §164.5xx Enforceable since 2003 Establishes Rights of Individuals Controls on Uses and Disclosures Several changes under the new rules • Security Rule – – – – – – 45 CFR Part 164 Subpart C; 45 CFR §164.3xx Enforceable since 2005 Applies to all electronic PHI Flexible, customizable approach to health information security Uses Risk Analysis to identify and plan the mitigation of security risks Unchanged in new rules, except to apply to Business Associates • Now being enforced more, including identity theft cases © Copyright 2013 www.compliance2go.com 5 HIPAA Breach Notification Rule • 45 CFR Part 164 Subpart D; 45 CFR §164.4xx • Enforceable since February 2010, Final Rule now in effect, with new changes in how to determine if a breach must be reported • “Harm Standard” replaced by risk assessment showing “Probability of Compromise” • Requires reporting of all PHI breaches to HHS and individuals • Extensive/expensive obligations • Provides great examples of what not to do; HHS Wall of Shame: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachn otificationrule/breachtool.html © Copyright 2013 www.compliance2go.com 6 2 31-10-2013 HIPAA Omnibus Update Implements the HITECH Act • Health Information Technology for Economic and Clinical Health Act, or the HITECH Act, under consideration already in 2008 • Became Title XIII of the American Recovery and Reinvestment Act of 2009, or ARRA, signed February 17, 2009 • Title XIII, Subtitle D-Privacy (all the sections 134xx of ARRA) • Most of the interim final and proposed rules now finalized in the big HIPAA Omnibus Update published January 25, 2013, effective March 26, 2013, enforceable September 23, 2013 • Omnibus Update Rule, with Preamble, available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf • New Combined Rules published by HHS OCR, available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html © Copyright 2013 www.compliance2go.com 7 What is a Breach Under HIPAA? • §164.402 Breach is acquisition, access, use, or disclosure in violation of the Privacy Rule • Exceptions by law: Not Reportable if secured or destroyed; unintentional, in good faith, with no further use (within the entity); inadvertent and within job scope (within the entity); or, info cannot be retained • Not reportable if risk assessment shows “low probability of compromise” based on four factors: – what is the data, how identifiable is it, and might its release have an “adverse impact” on the individuals – to whom was it disclosed – was it actually accessed or viewed – has it been mitigated © Copyright 2013 www.compliance2go.com 8 Statistics on HIPAA Breach Notification • For reported breaches of 500 or more individuals’ PHI in the first year of the reporting requirement: 76% of breaches involve loss (15%), theft (56%), or improper disposal (5%) – Old-fashioned physical security of valuable data 17% are caused by unauthorized access or disclosure 6% are caused by hacking Portable data, laptops, smart phones, memory sticks the leaders for larger breaches of PHI • For smaller breaches: Largely single individuals affected Misdirected fax, e-mail, or hard copy communication © Copyright 2013 www.compliance2go.com 9 3 31-10-2013 Breach Notification Deadlines • New breach determination rules now in effect • Must report breaches to individuals within 60 days • Must report breaches affecting 500 or more individuals to HHS and press within 60 days • Must report ALL breaches of any size to HHS within 60 days of the end of the calendar year (by March 1 st every year for the preceding year) • To file breaches with HHS go to: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breach notificationrule/index.html or http://tinyurl.com/yemwev8 © Copyright 2013 www.compliance2go.com 10 PHI, Uses, and Disclosures • Protected Health Information (PHI): Individually identifiable information about health, health care or payment for healthcare services • Disclosure: the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information • As distinct from Use: the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information © Copyright 2013 www.compliance2go.com 11 More Definitions: DRS, TPO • Designated Record Set – The medical records and billing records about individuals maintained by or for a covered health care provider; – The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or – Used, in whole or in part, by or for the covered entity to make decisions about individuals. • TPO: Treatment, Payment, and Healthcare Operations – Relating to provision, coordination, and management of healthcare services – Reviews, determinations, billing, collection – Case management, workforce evaluation, peer review, outcomes analysis, etc. related to YOUR operations – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesand disclosuresfortpo.html © Copyright 2013 www.compliance2go.com 12 4 31-10-2013 Accounting of Disclosures • Individual has right to an accounting of all disclosures of health information in last six years • Except for disclosures: • For Treatment, Payment, and Healthcare Operations • To the individual; under authorization; associated with disclosures under §164.502; for facility directories; for national security; law enforcement; limited data set… • Proposed Rule to implement changes under HITECH Act §13405(c) NOT included in the Omnibus HIPAA Update Final Rule • To be finalized at a point uncertain in the future; hearings are under way to devise new proposed rules © Copyright 2013 www.compliance2go.com 13 Restriction of Disclosures • Minimum Necessary is the basic rule http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/min imumnecessary.html • HITECH §13405(a) Individual may request no disclosure to insurer if paid out of pocket; provider must comply • (b)(1) Disclosers must provide only limited data set or “minimum necessary,” • (b)(2) Disclosers will need to determine “minimum necessary,” • (d) No sale of PHI without authorization specifically allowing remuneration • Changes to HIPAA §164.522(a)(1)(vi), 502(b), 514(e), 508(a)(4) to implement the new rules – Guidance on “minimum necessary” will supersede (b)(1) above – Was formerly requester’s responsibility © Copyright 2013 www.compliance2go.com 14 Requests for Restrictions • Must have a process for individuals to request restrictions on use and disclosure – Need not honor requests – Do what you reasonably can • • New: Individual may request no information shared with insurer if paid in full out of pocket; MUST honor! Impacts of new restriction: – – – – – – – – Must have a policy/procedure/process Required in your EHR to meet the law Can you flag such encounters? What about pass-through effects? Issues with aggregated data What about contracts with insurers? May need to update BA Agreements Will need to update the Notice of Privacy Practices © Copyright 2013 www.compliance2go.com 15 5 31-10-2013 Individual Access of PHI • Must have a process for individual to request access, for reasonable cost-based fee • Must provide the entire record in the Designated Record Set if requested: – Medical and billing records used in whole or in part to make decisions related to health care – Information kept electronically must be available electronically if requested – Exceptions for Psychotherapy notes, CLIA, others – Changes to HIPAA and CLIA proposed to allow access of lab information by individuals, not finalized yet • 30-day extension for offsite data no longer allowed © Copyright 2013 www.compliance2go.com 16 Individual Preferences for Communication §164.522(b)(1) Standard: Confidential Communications Requirements (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations. §164.524(c) Provision of Access (2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual. New (c)(2)(i): If PHI is electronic, individual may request electronic copy. Process: Must accommodate reasonable requests Provide ability to mail to alternate addresses, not receive telephone calls, etc. May refuse if request is unreasonable Individuals may want to use e-mail, texting, social media Use Risk Analysis to determine suitability, obtain agreements © Copyright 2013 www.compliance2go.com 17 Calculating/Evaluating Risk • Each Risk Issue has an Impact and Likelihood – Impact is how great the damage would be; more information about more people with more detail has a greater Impact – Likelihood is how likely it is that the risk issue would become a reality • Risk = Impact x Likelihood • If risk level appears low, it may be acceptable to both the entity and the individual – An informed risk decision can be made about the importance of mitigating certain risks – Rights can not be given up under HIPAA, but individuals can make an informed risk decision © Copyright 2013 www.compliance2go.com 18 6 31-10-2013 System Vendor Questions Can disclosures to insurers be properly restricted if requested? Can systems provide access to DRS PHI for individuals? Does your Business Associate agreement with the vendor supplying your systems require them to provide the abilities you need to meet the new requirements? What about proposed changes in Accounting of Disclosures (not in this final rule, but coming someday)? Can systems provide an access audit report good enough to satisfy HIPAA Security Rule requirements? © Copyright 2013 www.compliance2go.com 19 Marketing Changes • Marketing is still marketing and still requires an authorization • Treatment and Healthcare Operations are not marketing, but… • Authorizations are now required for all treatment and healthcare operations where the Covered Entity receives financial remuneration from a third party whose product or service is being marketed • New guidance available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/ma rketingrefillreminder.html • Exemptions: • Face to Face communication • Refill reminders or other info about a drug or biologic that is currently prescribed but not exempt if remuneration above costs is involved • Communications promoting health in general, such as routine tests • Communications about government and government-sponsored programs © Copyright 2013 www.compliance2go.com 20 Sale of PHI • HIPAA §164.508(a)(4): If you disclose for remuneration, you must have an authorization stating that the disclosure results in remuneration • Exceptions for public health, research, treatment and payment purposes, sale of practice, transfer to a BA providing services, to the individual, etc. © Copyright 2013 www.compliance2go.com 21 7 31-10-2013 Fundraising Changes • HITECH §13406(b) and HIPAA §164.514(f)(1) Opportunity to Opt Out of Fundraising • Demographic information, dates of healthcare services, department providing services, physician, health plan status, and outcome can be used for fundraising without authorization • Notice of Privacy Practices must state so • Easy Opt-out must be provided, by campaign or for all campaigns, must be honored, and can’t be used to condition treatment or payment © Copyright 2013 www.compliance2go.com 22 Additional Changes to HIPAA: Genetic Information Nondiscrimination Act (GINA) • New changes to §164.502(a)(5)(i) • Genetic information not to be used in health plan underwriting, enrollment, eligibility, premium computation, consideration of pre-existing conditions, etc… • Must update and redistribute Health Plan Notice of Privacy Practices © Copyright 2013 www.compliance2go.com 23 NPP Modifications • Right to be notified in the event of a breach • New Right to restrict disclosures to insurers if services paid in full out of pocket, must comply • New Right to receive electronic copy of electronic PHI • Authorizations for sale of PHI for remuneration will say so • Changes based on new Marketing and Healthcare Operations definitions and exceptions • Changes to PHI used for Fundraising, and easy opt-out • Talk about PHI sharing, Health Information Exchanges • New Templates from HHS and AMA – http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html – http://www.ama-assn.org/go/hipaa © Copyright 2013 www.compliance2go.com 24 8 31-10-2013 Implementation • Update Policies and Procedures to match new rights and restrictions • Update NPP to include new changes and required items • Provide training in new policies and procedures, and the new Notice of Privacy Practices • Implement both NPP and P&Ps simultaneously – Post new NPP on the wall (or a summary) and Website – Have NPP readily available without having to ask – Start handing out the new one – Providers don’t have to mail a new one to everyone © Copyright 2013 www.compliance2go.com 25 What is a Business Associate? • An individual or entity, not acting as an employee, that: – Creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA on behalf of a covered entity (CE) or another BA – Provides legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services and needs PHI to do it • Anything a CE or BA could do itself but has someone else do it for them, involving using, disclosing, creating, receiving, maintaining, or transmitting PHI • May include any vendor with “persistence of custody” of PHI © Copyright 2013 www.compliance2go.com 26 What is a Business Associate? • Includes: – Billing service – Shredding service – Systems vendors who access PHI • Does not include those who would have no reason to use or disclose PHI, such as: – Tradesmen (plumber, etc.) – Housekeeping, etc. • Not Payers, other Providers, or Workforce Members • Not Conduits (USPS, FedEx, etc.) • BAs now include subcontractors, Health Information Organizations, and Patient Safety Organizations © Copyright 2013 www.compliance2go.com 27 9 31-10-2013 Business Associate Changes • Business Associates now under HIPAA – – – – – – – Security Rule safeguards apply to BAs Privacy Rule use & disclosure applies Can use info only as stated in contract Penalties can apply to BAs BAs also responsible for having BAAs Final Rule enforceable September 23, 2013 Valid BA Agreements in place under old rules executed by January 25, 2013 are OK until September 23, 2014 • New sample Business Associate Agreement language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/covere dentities/contractprov.html © Copyright 2013 www.compliance2go.com 28 Information Security Management Process • Definition of Information Security: • Protecting information Confidentiality Integrity Availability • Definition of a Management Process: Define and understand what you have See how well it performs Watch for problems Review activities and issues Make changes based on bang-for-buck © Copyright 2013 www.compliance2go.com 29 Information Security Management Process Information Inventory and Flow Analysis Access and Configuration Control Know who and what’s been going on in your networks and systems Respond to and learn from Incidents Audit and review regularly, and when operations or environment change Make risk-based improvements Focus: Confidentiality, Integrity, Availability © Copyright 2013 www.compliance2go.com 30 10 31-10-2013 Security Requirements within the Privacy Rule – §164.530(c) • §164.530(c)(1): “A covered entity must have in place appropriate physical, technical, and administrative safeguards to protect the privacy of protected health information.” • §164.530(c)(2)(i): “A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart.” © Copyright 2013 www.compliance2go.com 31 HIPAA Security Rule §164.306: General Rules • (a)(1) Ensure confidentiality, integrity, and availability of electronic PHI • (a)(2) Protect against “reasonably anticipated” threats or hazards to security of PHI • (a)(3) Protect against “reasonably anticipated” improper uses and disclosures under Privacy Rule • (a)(4) Ensure compliance by the Workforce • (b) Flexibility • (c) Requirement to meet all Standards (18) • (d) Meet Required Implementation Specifications (14); Assess Addressable Specifications (22) and Document • (e) Regularly Review © Copyright 2013 www.compliance2go.com 32 §164.306(b): The Flexibility Section • “… may use any security measures that allow the CE or BA to reasonably and appropriately implement the standards and implementation specifications as specified…” • Must consider a number of factors... – Size, Complexity, and Capabilities – Technical Infrastructure, Hardware, and Software Security Capabilities – Costs – Probability and Criticality of RISKS © Copyright 2013 www.compliance2go.com 33 11 31-10-2013 Standards and Implementation Specifications • Standards (18) Provide the Objectives and Primary Mission – All Standards are Required to be met – 12 Standards have Implementation Specifications • Implementation Specifications (36) Provide Additional Details – 14 are Required – 22 are Addressable • Required vs. Addressable Implementation Specifications – If Required, implement as specified – If Addressable, implement if “reasonable and appropriate” – If not reasonable and appropriate, implement an alternative if you can and JUSTIFY YOUR ACTIONS © Copyright 2013 www.compliance2go.com 34 Six Steps to Compliance 1. Enumerate All Your Systems 2. Information Flow Analysis 3. Preliminary Risk Analysis 4. Detailed Risk Assessment 5. Risk Determination 6. Mitigation, Policies and Procedures, and Training • And document every step of the way © Copyright 2013 www.compliance2go.com 35 Security Regulation §164.308 Administrative Safeguards • (a)(1) Security Management Process – Risk Analysis (R) and Risk Management (R) – Sanction Policy (R), Information System Activity Review (R) • (a)(2) Assigned Security Responsibility (R) • (a)(3) Workforce Security • (a)(4) Information Access Management – Authorization and/or Supervision (A), Clearance Procedure (A), Termination Procedures (A) – Access Authorization (A) – Access Establishment and Modification (A) • (a)(5) Security Awareness and Training (A) – For ALL staff, initially and continuing – a PROGRAM © Copyright 2013 www.compliance2go.com 36 12 31-10-2013 Security Regulation §164.308 Administrative Safeguards • (a)(6) Security Incident Procedures (R) – For reporting and responding to various kinds of security incidents and policy violations, with documentation • (a)(7) Contingency Plan – Data Backup (R); Disaster Recovery (R) – Emergency Mode Operation Plans (R) – Testing & Revision Procedures, Applications & Data Criticality Analyses (A) • (a)(8) Evaluation (R) – Must formally periodically evaluate compliance – By Calendar or if Changes in Systems or Environment • (b) Business Associates (R) – Must have Written Contracts; See §164.314 for details © Copyright 2013 www.compliance2go.com 37 Security Regulation §164.310 Physical Safeguards • (a) Facility Access Controls (A) – Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records • (b) Workstation Use (R) – Policies and Procedures Required; Acceptable Use Policy • (c) Workstation Security (R) – Must restrict access to Authorized Users only; Work area access; Monitor placement • (d) Device and Media Controls – Disposal and Re-Use (R) – Must clear old data before disposal or re-use – Accountability (A) – Record of equipment movements and responsibility © Copyright 2013 www.compliance2go.com 38 Security Regulation §164.312 Technical Safeguards • (a) Access Control • (b) Audit Controls (R) – Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) – Hardware, software, or procedural means to record and examine system activity – How to accomplish? Log all activity, or sample activity for a period of time or a subset of users and systems • • • (c) Integrity (A) (d) Person or Entity Authentication (R) (e) Transmission Security – Integrity Controls (A); Encryption (A) © Copyright 2013 www.compliance2go.com 39 13 31-10-2013 Security Policy Framework • Four Basic Policies – Security Management Process – Information Access Controls – Data Management (Contingency-Backup-Retention) – User Policy • Include enabling language in Policy • Define details in Procedures • Documentation, Documentation, Documentation © Copyright 2013 www.compliance2go.com 40 Security Policy Help The SANS Security Policy Project Samples of several policies, guidance in policy development and deployment Available at: http://www.sans.org/resources/policies/ New York University HIPAA security policies Does provide a good level of detail Many of the concepts are directly transferable to other organizations Available at: http://www.nyu.edu/its/policies/#hipaa NIST Incident Handling Guide Computer Security Incident Handling Guide SP 800-61 Revision 2, a practical guide to responding to incidents and establishing a computer security incident policy and process: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf In addition, the September 2012 NIST ITL Bulletin focuses on the revised SP 800-61, providing additional insights and guidance, available at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf © Copyright 2013 www.compliance2go.com 41 Enforcement and Penalties • HITECH Act §13409 – Wrongful Disclosures – Law specifically applies to individuals for wrongful disclosures • HITECH Act §13410 – New Penalty Structure – (a), (b) “Willful Neglect” violations • Must be investigated, penalties mandatory – (c) Distribution of penalties • To provide more enforcement • Portion will go to those harmed, regulations overdue – (d) Higher penalties effective for violations • New, four tier penalty structure, with up to $1.5 million maximum for all violations of the same provision in a calendar year – (e) State Attorneys General may bring HIPAA action – (f) Continued corrective action allowed, even if no penalty © Copyright 2013 www.compliance2go.com 42 14 31-10-2013 New Enforcement Definitions • Reasonable Cause (revised): An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect • Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances • Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated © Copyright 2013 www.compliance2go.com 43 Tiered Penalty Structure • HIPAA §160.404: Penalty Amounts • Tier 1: Did not know and, with reasonable diligence, would not have known • Tier 2: Violation due to reasonable cause and not willful neglect • Tier 3: Violation due to willful neglect and corrected within 30 days of when known or should have been known with reasonable diligence • Tier 4: Violation due to willful neglect and NOT corrected within 30 days of when known or should have been known with reasonable diligence • $1.5 million maximum for all violations of a similar type in a calendar year – $100 - $50,000 per violation – $1000 - $50,000 per violation – $10,000 - $50,000 per violation – $50,000 per violation © Copyright 2013 www.compliance2go.com 44 Affirmative Defenses and Waivers • Affirmative Defenses – §160.410: For violations after 2/17/2009: – Act is punishable under 42 USC 1320d-6 (wrongful disclosures) – Or Secretary is satisfied that violation is: • Not due to willful neglect (reasonable cause requirement now removed), and • Corrected during: – 30 days from when known or should have known – Additional period as Secretary determines • Waivers – §160.412: For violations due to reasonable cause and not willful neglect – Not corrected within the 30-day (or extended) period – Secretary may waive penalty or a portion, to the extent penalty is excessive relative to the violation © Copyright 2013 www.compliance2go.com 45 15 31-10-2013 HHS Is Serious About Enforcement • $4.3 million fine for Cignet Health of Maryland for multiple HIPAA violations including ignoring OCR investigators – the first actual fine! • $1 million settlement with Mass General Hospital in connection with a staff member’s leaving sensitive records for 192 individuals on the subway • $865K+ settlement with UCLA Medical Center for snooping in celebrity records • Multiple multi-million dollar settlements with pharmacies • $100K settlement with a physician’s office for Security Rule violations • • • • • • $1.5 million settlement with BC/BS of Tennessee for lost hard drives $1.7 million settlement with Alaska Medicaid for lack of security process $1.5 million settlement with MEEI for lack of security for portable devices $500K settlement with Hospice of North Idaho for insecure laptop, no process $400K settlement with Idaho State University for insecure server, no process $275K settlement with Shasta Regional Med Center for inappropriate disclosure of PHI and lack of sanctions for violations • $1.7 million settlement with WellPoint for insecure server, no process • $1.2 million settlement with Affinity Health for improper disposal of copiers © Copyright 2013 www.compliance2go.com 46 HIPAA Audits • HITECH §13411 now requires HHS to conduct periodic audits • Initial program conducted in 2012, being revised • New program to begin in 2014 • Will focus on identified problem areas: laptops, encryption, audits, NPPs • Show you have in place all the policies and procedures required by the HIPAA Privacy and Security Rules • Show you have been using them – e.g., Show training policy, training materials, and training rosters – e.g., Show security incident policy and security incident reports • 3 week notice – you must be prepared in advance or it’s too late! • HHS site for the audit program: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html © Copyright 2013 www.compliance2go.com 47 What will they ask for in an Audit? • HIPAA Privacy, Security, and Breach Notification Rule policies and procedures and evidence of their application – 42 questions asked in first OIG HIPAA Security audit in March 2007 at: http://tinyurl.com/2ac9jm – CMS OESS 2008 Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews, at: http://tinyurl.com/2gaswf – Questions asked of a small provider after a data breach involving theft of a laptop and server, at: http://tinyurl.com/3jpoa4p – Questions asked in early 2012 audits, at: http://tinyurl.com/cbcllz7 – HHS’s 2012 HIPAA Audit Protocol, not revised for new rules: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.h tml © Copyright 2013 www.compliance2go.com 48 16 31-10-2013 How to Prepare for an Audit • Do it NOW, before they call • Be ready to answer the questions asked in prior audits • Make sure your documentation is complete and up-to-date – use tools such as the HIPAA Audit Protocol and the NIST HIPAA Security Rule Toolkit to evaluate and document compliance – HIPAA Audit Protocol (download it to a spreadsheet!): http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.h tml – NIST HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa/ © Copyright 2013 www.compliance2go.com 49 Your to-do list… Don’t be in denial – willful neglect will cost you Review your policies and procedures per the new rights and restrictions Update your policies and Notice of Privacy Practices Review Business Associate Agreements Make sure EHR vendors can meet restriction requirements and provide electronic copies Prepare for Breach Notification Review the questions asked in prior HIPAA audits Be ready for incidents and audits – conduct drills Provide training and document compliance Always have a plan for moving forward, and follow it! © Copyright 2013 www.compliance2go.com 50 Thank You! • Numerous resources, regulations, laws, guidance, and tools are available without charge or registration at: • News items of interest to those involved with health information privacy and security are available without charge or registration at: www.lewiscreeksystems.com/resources.html www.lewiscreeksystems.com/privacy_security_and_compli.html • If there are any further questions which we are not able to get to today please feel free to contact me at: Jim Sheldon-Dean Lewis Creek Systems, LLC © Copyright 2013 www.compliance2go.com 51 17 31-10-2013 Q/A Session © Copyright 2013 www.compliance2go.com 52 Upcoming Webinar from Jim Sheldon-Dean • New HIPAA Business Associate Responsibilities and Agreements Under the HITECH Act Omnibus HIPAA Update • Wednesday, November 20, 2013 at 1:00 PM Eastern time. • For additional information and registration, please see: https://www.compliance2go.com/product/?pid=CP2013228 © Copyright 2013 www.compliance2go.com 53 Thankyou for Attending Our Live Web Seminar Please feel free to contact us for any questions on the web seminar at support@compliance2go.com /events@compliance2go.com or call us at Toll Free 877.782.4696 © Copyright 2013 www.compliance2go.com 54 18