Office of Civil Rights HIPAA Audits: Preparing Your Clients and Yourself

Prepared for The Florida Bar – Health Law Section
Presenter: Susan Thomas, MHSA, CHC®, CIA, CRMA, CPC®
February 3, 2017

REPRESENTING THE PHYSICIAN: IT IS HARDER THAN IT LOOKS


Objectives

- Understand the Office of Civil Rights (OCR) Health Information Technology for Economic and Clinical Health (HITECH) audit program
- Review lessons learned from Phase 1 audits
- Discuss the scope and selection for Phase 2 audits
- Determine Health Insurance Portability and Accountability Act (HIPAA) audit readiness
- Review a breach investigation case study
- Consider additional resources


The HITECH Audit Program

The HITECH Act Section 13411 requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered entity (CE) and business associate (BA) HIPAA compliance.

OCR views this program as a method to expand its capacity to ensure compliance with HIPAA.

In 2011, OCR established a pilot audit program and developed an audit protocol.

In 2012, OCR used the protocol to evaluate the HIPAA compliance efforts of 115 covered entities.


First Round of OCR HIPAA Audits

Notification letters from KPMG included a request for documents and onsite review scheduling information.

Initial 20 entities selected for Phase 1 audits:
- Physicians – 3
- Hospitals – 3
- Pharmacy – 1
- Post-acute care facilities – 1
- Group health plans – 3
- Health insurance issuer – 3
- Clearinghouses – 2
- Dentist – 1
- Laboratory – 1
- Medicaid – 1
- State Children’s Health Insurance Program (SCHIP) – 1


Phase 1 Audit Findings

General findings: privacy issues, security issues, breach notification

Reasons for findings:
- Entity unaware of the requirements
- Lack of application of sufficient resources
- Incomplete implementation
- Complete disregard


Phase 1 Audit Lessons

- Don't wait until you get an audit letter to think about HIPAA compliance.
- Risk assessment and analysis are a big deal.
- Relevant training is crucial – all employees must understand their role.
- Addressable security standards are important – especially encryption.
- A binder of policies and procedures is not sufficient.


Phase 2 Audits – Scope and Selection

Scope
- OCR is concentrating on protected health information (PHI) security and non-compliance as noted in Phase 1
- Audits include both CEs AND BAs
- Audits started in 2016 and will take place over 3 years

CE Selection
- Pre-audit screening surveys – Spring 2015
- Random selection of CEs through the National Provider Identifier (NPI) database and other external sources

BA Selection
- Screening surveys identified BAs
- IT-related BAs and non-IT-related BAs selected from survey pool


HIPAA Audit Readiness

Each OCR Priority Item must have an appropriate Action Step:
- Risk Analysis and Risk Management
- Device & Media Controls
- Transmission Security
- Encryption
- Facility Access
- Breach Notification & Reporting
- Individual Right to Access to PHI
- Notice of Privacy Practices
- Training
- Defined Policies


Additional Steps to Prepare for Audits

Maintain a complete list of BAs with current contact information and an associated inventory of signed, upstream and downstream BA agreements.

Alternative Security Measures
If any of the Security Rule’s addressable implementation specifications have not been implemented, ensure that the following is formally documented:
- Why the implementation specification was not “reasonable” and “appropriate,” as defined by OCR
- The alternative security measures implemented


OCR Audit Reviews

- Data requests
- Response content
- Response timeline
- OCR evaluation of response
- Completion
- Clarifications
- Desk and on-site audits
- Feedback from OCR


Case Study

Small Health System
- Hospital
- Physician Practices
- Outpatient Departments
- Post-Acute Care Facilities

- Use of a contracted vendor for online bill payment
- Business Associate Agreement
- Unknown subcontractor
- Information security issue
- 8,500 patients


Additional Resources

- OCR’s security risk analysis tool for small providers: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool
- OCR and NIST guidance on the Security Rule, including links to relevant NIST publications: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
- Security risk analysis self-assessment
- Assessment tools and model policies and procedures for CEs and BAs


Questions?

PERSHING YOAKLEY & ASSOCIATES, P.C.
800.270.9629 | www.pyapc.com

Susan Thomas, MHSA, CHC®, CIA, CRMA, CPC®
Consulting
[email protected]