TRANSCRIPT
Preparing for an OCR Audit: What is Expected of You
Speakers
Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning
Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning
Kurt J. Long, Founder and CEO, FairWarning
Agenda
This webinar is a follow-up to our March 9th webinar, in which Nicholas Heesters from the Office for Civil Rights covered common findings associated with audit controls and access rights management.
• How to conduct an application risk analysis to create written documentation of why you monitor an application or not
• Key elements of your acceptable use policies for authorized users of your applications holding ePHI
• Key aspects of a successful awareness training program
• What generally to expect from an OCR Audit
• Insights into protecting your organization from affiliated staff
• Breakdown of the recent OCR audit control resolution agreement
Application Risk Analysis
• Identify where all your ePHI resides
• Complete an application inventory
• Develop criteria to evaluate the risks involved
• Prioritize the order to integrate into FairWarning® based on the risk criteria
• Proactively monitor applications for inappropriate use
Understanding, Documenting and Mitigating Your Risk
Documentation of Decisions
• Document plan to integrate applications into FairWarning
• Document criteria used to select applications holding ePHI
• Executive sign-off on all documentation
You may reach out to your customer success manager to request educational materials
Acceptable Use of ePHI
Policy Key Elements
• Set the expectation that users have zero right to privacy within the organization’s application systems
• Who is responsible for setting use and access?
• What is considered business appropriate?
• How can users access records for personal use? e.g. the patient portal
• What happens if a user sees inappropriate behavior?
Awareness Training
• Evolving threat landscape requires evolving the human firewall
• Educate staff as new threats emerge
• Empower them on how to prevent threats from happening
• Change users’ behavior with proactive training
• Reinforce organization’s expectations
• Train users to be ambassadors
• Document that all users are periodically trained
FairWarning Educational Materials
Reach out to your customer success manager to request educational materials
OCR Enforcement
June 2016 – Iliana Peters cited covered entities lacked appropriate auditing controls
January 2017 – OCR offers guidance on the importance of Audit Controls
February 16, 2017 – OCR issues first of its kind Resolution Agreement highlighting the importance of audit controls
February 20, 2017 – “We are going to continue to execute our enforcement authorities…business as usual”
- Deven McGraw, Deputy Director of HHS Office for Civil Rights
To hear more on 2017 OCR enforcement from Deven McGraw
What to Expect - Initial Request
• Assign individuals designated to work with the OCR
• Documentation of investigative reports for all incidents along with response to mitigate
• Copy of notification letters
• Evidence that the organization notified the media of any breach affecting more than 500 individuals
• Policies and procedures regarding security incidents
• Policies and procedures surrounding security awareness and training
• Proof that staff completed training
• Policies and procedures for reviewing system activity
• Policies and procedures regarding access controls
• Policies and procedures detailing sanctions
• P&P for proper use of workstations
• Documentation that training is provided to new workforce members and to all staff whenever P&P are changed
OCR/HIPAA Review/Audit Timeline
• Notification Receipt – timestamp or date of receipt
• Document Discovery – 10 days to supply
• Review of Documents – 4-8 weeks for audit team to review materials
• Onsite Visits – they will notify you of dates (3-14 days onsite)
• Preliminary Report – provided at out-brief on last day onsite
• Final Report – 10-14 days after onsite
• Management Response – 14 days to provide
• Package to OCR – after the 14 day period for management response ends
Don’t Be One of These – Lessons Learned
• Do not recycle user IDs
• Policies were not reviewed and do not support your program
• Staff not given any training prior to start of monitoring program
• No plan or process to follow-up on alerts for potentially unwanted behavior
• Zero tolerance policy day one
• No plan or process on how and where to document the follow-ups
• Turning on too many automated alerts at one time
• Leaving investigations “Open and Active” past notification deadlines
Security Management Process
164.308(a)(1)(i) Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications: (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Access Control
164.312 (a)(1) Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
(2) Implementation specifications: (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
What You Need to Evidence
• That you are using unique user IDs for all users
• That you are reviewing system activity in systems that contain ePHI
• That you are following up on potential violations
• That you are sanctioning employees that fail to comply with the policies
The Evidence
Keys to Win Executive Support
• Greater trust from patients
• Less likelihood of lawsuits
• Fewer patient complaints
• Less likelihood of OCR breach
Risk is Leaving the Business
Breakdown of the Recent OCR Audit Control Resolution Agreement
• The protected health information (PHI) of 115,143 individuals was accessed by its employees and impermissibly disclosed to affiliated physician office staff.
• Failed to implement procedures with respect to reviewing, modifying and/or terminating users' right of access.
• Failed to regularly review records of information system activity on applications that maintain ePHI by workforce users and users at affiliated physician practices.
• The login credentials of a former employee of an affiliated physician's office had been used to access the ePHI on a daily basis without detection, affecting 80,000 individuals.
Application Access Logs
Diagram: Lawson + AD feed FairWarning Dynamic Identity Intelligence, which discovers known users, unmatched users and dormant users, and enables reporting on access after termination, access control review, and dynamic identity on roles, profiles, history and data integrity. Foundational to FairWarning.
Diagram: Healthcare System Network. Access logs and local users from Cerner, AD (employees), non-employees with access (vendors, contractors, affiliate physicians), 3rd party physicians and diagnostics, clinics and other systems all feed into FairWarning.
Prevalent Industry Challenges
Dynamic Identity Intelligence
• Discover unmatched/unknown users
• Report on access after termination
• Reporting on HIPAA’s access rights management
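The three findings listed above (unmatched users, access after termination, dormant users) are the same gaps the resolution agreement later on this page describes: a former employee's credentials at an affiliated practice used daily without detection. The following is an added example, not FairWarning's code, showing how an activity review can surface those findings by joining an application's local user table and access log against an AD/HR roster. All data (user IDs, dates, record numbers, the log format) is constructed for illustration; a real EHR export would need its own parser.

```python
"""Added example (not FairWarning's code): correlate an application's local users and
access log with an AD/HR roster to surface unmatched users, access after termination,
and dormant accounts. Every identifier and date below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed sample: the application's own local user table (user_id -> display name).
APP_LOCAL_USERS = {
    "jdoe": "Jane Doe",
    "rsmith": "Rob Smith",
    "tmiller": "Tom Miller",
    "clinic_x01": "Affiliated clinic account",   # no AD identity behind it
}

# Constructed sample: AD / HR roster. 'terminated' is None for active workforce members.
AD_ROSTER = {
    "jdoe": {"status": "active", "terminated": None},
    "rsmith": {"status": "terminated", "terminated": "2017-01-15"},
    "tmiller": {"status": "active", "terminated": None},
}

# Constructed sample: application access log, one "timestamp user action record" per line.
ACCESS_LOG = """\
2017-02-01T08:02:11 jdoe VIEW MRN-1001
2017-02-01T08:05:42 rsmith VIEW MRN-2002
2017-02-02T09:11:03 rsmith VIEW MRN-2003
2017-02-02T10:00:00 clinic_x01 VIEW MRN-3004
2017-02-03T11:30:00 jdoe VIEW MRN-1005
"""


def parse_log(text):
    """Parse the constructed log format into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def unmatched_users(local_users, roster):
    """Application accounts with no AD identity: nobody in HR is accountable for them."""
    return sorted(u for u in local_users if u not in roster)


def access_after_termination(events, roster):
    """Events by roster users whose termination date precedes the event timestamp."""
    hits = []
    for e in events:
        ident = roster.get(e["user"])
        if ident and ident["terminated"]:
            term = datetime.fromisoformat(ident["terminated"])
            if e["ts"] > term:
                hits.append((e["user"], e["ts"].isoformat(), e["record"],
                             (e["ts"] - term).days))
    return hits


def dormant_users(local_users, events, as_of, days=90):
    """Local accounts with no activity in the last `days` before `as_of` (never-used included)."""
    last_seen = {}
    for e in events:
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = as_of - timedelta(days=days)
    return sorted(u for u in local_users if last_seen.get(u, datetime.min) < cutoff)


def activity_review(as_of, dormant_days=90):
    """One review run over the constructed data; the dict is what a reviewer would document."""
    events = parse_log(ACCESS_LOG)
    return {
        "unmatched": unmatched_users(APP_LOCAL_USERS, AD_ROSTER),
        "after_termination": access_after_termination(events, AD_ROSTER),
        "dormant": dormant_users(APP_LOCAL_USERS, events, as_of, dormant_days),
    }


if __name__ == "__main__":
    report = activity_review(datetime(2017, 3, 1), dormant_days=30)
    for finding, rows in report.items():
        print(finding)
        for row in rows:
            print("   ", row)
```

Each finding maps to an item under "What You Need to Evidence": the unmatched list shows whether every account ties to a unique, known identity; the after-termination list is the review of system activity that the resolution agreement found missing; the dormant list feeds the access rights review. Retaining the report output per run is the documentation an auditor will ask for.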
Managed Privacy Services
Trained and certified FairWarning staff members who review your potential incidents as well as guide you toward continual HIPAA compliance readiness
Patient Privacy Intelligence
• Monitors access to PHI in EHRs, apps, cloud and big data
• Insider threats - OCR issued an advisory in August 2016
• HIPAA audit controls
Dynamic Identity Intelligence
• Identify and monitor affiliated, non-employee users
• Reporting on HIPAA's access rights management
• Highest Service Levels
• Ease of Use
• Secure
• Affordable
Cloud
Audit Control References
• HHS Announcement: Understanding the Importance of Audit Controls
• Review the NIST guidance on Risk Analysis
• FairWarning® Executive Webinar: Director of OCR Enforcement announced there would be an upcoming emphasis on Audit Controls
• FairWarning® Executive Webinar: Implications of OCR Audit Controls Enforcement and the Role of Audit Trails in Litigation
Questions? Contact us