TRANSCRIPT
Expert Advice for Navigating an OCR HIPAA Privacy and Security Audit
February 18, 2014
Today’s Panel
Chuck Burbank
• Director of Managed Services
• Office: (727) 576-6700 Ext. 129
Shane Whitlatch
• Executive Vice President
• Office: (727) 576-6700 x115
Mike Nessen
• Customer Community Manager
• Office: (727)576-6700 Ext. 133
Agenda
The areas we will cover today are:
• Audit Preparation: Universal Applicability
• Sustainable Compliance
• Overview of the OCR/KPMG Audit Process
  – Timeline of Events
  – Onsite Visit – What to expect
  – Selected Areas Reviewed
• Questions and Answers
Regulatory Framework for HIPAA Compliance
[Diagram] ARRA HITECH Meaningful Use: Electronic Health Records (Audit Logs Required); Security Risk Analysis / Correct Deficiencies. HIPAA Audit Protocol: Patient Privacy Monitoring; User Activity Monitoring.
2014 OCR HIPAA Enforcement
#1 Security Gap from Pilot Audits
CMS Meaningful Use Audits
Failing Audit Means Returning Incentive $$
Sustainable Compliance
Overall sustainability of compliance program
• Ongoing commitment to audit readiness
• Maintain constant set of documented compliance
• Continually review and update status of privacy & security initiatives
Monthly effectiveness report
Timeline of Events
Overview of the Audit Process
An OCR/KPMG HIPAA review begins with a notification letter informing you that you have “been selected” for this honor.
• Letter is accompanied by a document demand
• Informs you that they will not consider things that are new/changed/updated after the receipt date of the notification letter
Documents may not be updated after receipt of the notification letter. You must have documentation ready in advance.
Overview of the Audit Process
Document Demand:
• Covers policies and processes on a wide range of areas (privacy and security)
• List of new and termed employees for specific time periods
• List of Business Associates
• Others
You have 15 days to provide the required documents.
Overview of the Audit Process
Document Review:
• After you supply the items in the document demand, the audit team assigned to your account will spend 4-8 weeks reviewing the materials and “tailoring” your onsite review
Overview of the Audit Process
The onsite visit:
• 3 - ? Days (they told us normally 3-14)
• 2 teams: Privacy and Security
• They will provide you in advance a list of individuals/teams with which they want to meet
Privacy and Security auditors conduct separate interviews; be sure that the right teams have the necessary information.
Overview of the Audit Process
Preliminary Report:
• At the end of the onsite visit you will be issued a Preliminary Report of findings
• Not final until they go back and review with their management
• There may be changes between the Preliminary Report and the Final Report
Overview of the Audit Process
Final Report:
• Approximately 10 – 14 days after the onsite, a Final Report of findings will be issued and delivered to your organization
• Again, the Final Report may be slightly different from the Preliminary Report
Overview of the Audit Process
Management Response:
• Once your organization receives the Final Report, you have 14 days to provide a management response
• It is to your advantage to supply a response
• The entire package including your response will be supplied to the OCR by KPMG
• It is suggested to start on the management response as soon as you have the Preliminary Report
Onsite Visit and Logistics
• Scheduled at time of their choosing
• Require work area and areas for conducting interviews
• Require internet access
• Potential simultaneous Privacy and Security interviews
• While onsite, they will do a facility walkthrough
  - May include storage areas for equipment/computer disposal
  - If a hybrid organization (health plan and provider), walkthrough to ensure separation of duties (including physical separation)
Audit Focus Areas
Privacy Rule
Security Rule
Breach Notification
Key Findings from the Pilot Audits
• Security accounted for 60% of the findings
• Providers had a greater proportion of the findings – 65% compared to health plans and healthcare clearinghouses
• Smaller entities struggled in all three areas
Notice of Privacy Practices (NoPP)
Privacy Rule
• Review of Notice
• Last time updated
• Policy(ies) around NoPP
• Proof of Delivery
  - Health Plans
  - Providers
Health Plans: Do you have proof of delivery of Notice of Privacy Practices?
Hybrid Organizations
Privacy Rule
Multiple Functions (hybrid organizations)
• Individuals with functions in more than one part (provider and health plan)
• How do you ensure they do not have access to information that they should not for that role
• Access control for each job
Hybrid employees should have separate log-ins for each role.
Minimum Necessary
Privacy Rule
• Policies and procedures
• Role-based access to limit information to which employees have access
• Access limited by assigned facility
• Any other special controls that you have implemented
Patient Privacy Monitoring is considered a ‘special control’.
Risk Assessment
Security Rule
• Risk assessment conducted
• Within last 2 years
• Policy or process for conducting the risk assessment
• Areas covered
Double-dipping: Risk assessment is also required for Meaningful Use attestation & audits.
Risk Management Plan
Security Rule
• Tied to risk assessment
• Prioritize high to low risk compliance gaps
• Assign resources to eliminate privacy and security compliance gaps
• Track and document status
• Keep it up to date
Continually update your Risk Management Plan; auditors want to see progress since the Risk Assessment, and current status of intended improvements.
Audit Controls (User Activity Monitoring)
Security Rule
• #1 deficiency in initial audits and #1 Technical Security Deficiency after the 115 audits
• Policy or procedure
• Evidence ongoing
• Criteria of what activities to monitor
• Evidence that the criteria have been approved
Audit Controls (User Activity Monitoring)
Security Rule
• Inventory of applications that contain PHI
• Criteria to determine whether to monitor and in what order
• Prioritization of applications to monitor
Prioritize applications by # of users, patient information they contain, whether internal or external use, sensitivity of the information, etc.
Audit Controls (User Activity Monitoring)
Security Rule
• Have you identified any applications that contain protected health information that don’t produce audit logs?
• Risk acceptance of applications with no audit logs
Document efforts to work with vendors of any applications which do not produce audit logs.
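As an added example (not code from FairWarning or from this presentation), the following Python applies monitoring criteria drawn from these slides to an EHR access log: a record accessed outside the user's assigned facility, a hybrid employee's log-in used for the other part of the organization, and a log-in with no workforce directory entry. The CSV layout, the directory, the log rows and the approval values are all constructed assumptions; the criteria are kept as data together with their approval record so the list itself can be produced as evidence.

```python
import csv
import io
from collections import Counter

# Monitoring criteria, stated as data so the list itself (and who approved it)
# can be produced as evidence. Approval values are constructed placeholders.
CRITERIA = {
    "C0": "Log-in not present in the workforce directory (termed or unknown account)",
    "C1": "Record accessed at a facility other than the user's assigned facility",
    "C2": "Log-in used to view data of a part of the organization it is not assigned to",
}
CRITERIA_APPROVAL = {"approved_by": "Privacy Officer (placeholder)", "approved_on": "2014-01-15"}

# Constructed workforce directory: one entry per log-in. The hybrid employee
# (asmith) holds a separate log-in per role, as the slides recommend.
DIRECTORY = {
    "jdoe":      {"assigned_facility": "North", "authorized_part": "provider"},
    "asmith":    {"assigned_facility": "Main",  "authorized_part": "provider"},
    "asmith-hp": {"assigned_facility": "Main",  "authorized_part": "health_plan"},
}

# Constructed EHR access-log export (assumed CSV layout).
ACCESS_LOG = """\
timestamp,login,facility,patient_id,org_part
2014-02-10T08:01,jdoe,North,P100,provider
2014-02-10T08:15,jdoe,Main,P200,provider
2014-02-10T09:00,asmith,Main,P300,provider
2014-02-10T09:30,asmith,Main,P300,health_plan
2014-02-10T10:00,asmith-hp,Main,P300,health_plan
2014-02-10T11:00,bjones,North,P100,provider
"""

def evaluate(log_csv, directory):
    """Return one finding per (log row, criterion) violated, in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        entry = directory.get(row["login"])
        if entry is None:                       # no provisioning record: C0
            findings.append({**row, "criterion": "C0"})
            continue
        if row["facility"] != entry["assigned_facility"]:
            findings.append({**row, "criterion": "C1"})
        if row["org_part"] != entry["authorized_part"]:
            findings.append({**row, "criterion": "C2"})
    return findings

def effectiveness_report(findings):
    """Counts per criterion: the raw input for a monthly effectiveness report."""
    return dict(Counter(f["criterion"] for f in findings))
```

Each finding carries the original log row plus the criterion id, so the reviewer can trace it back to the approved criteria list.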
Decision Paper
Security Rule
• One page
• Summary of issue
• Risk to organization
• Recommendation(s)
• Approved or Denied
• Signature and date of individual responsible
Contingency Planning and Backups
Security Rule
• Have evidence you are doing back-ups and what the strategy is (daily, weekly, incremental vs full)
• Have a documented Contingency Plan
• Have evidence you have tested your Contingency Plan (i.e. you have done a restore of critical systems from back-ups)
An untested backup is the same as no backup. Find out now whether your recovery strategy works in practice.
Access Controls
Security Rule
• Processes for granting access to workforce & to third parties
• Processes for removing access
• Processes for updating access
• Elevated privilege management
• People with dual roles
What is your process for updating access when a worker changes jobs within the organization? Is it documented?
Destruction & Disposal of Media
Security Rule
• Policy or procedure
• Log or evidence of destruction or disposal
• If disposed or sold, evidence of a wipe meeting FIPS or DoD standards
• Stored in a secure, access-controlled area while awaiting disposal or destruction
Encryption
Security Rule
• Mobile devices
• Workstations
• Transmission
Ideally, show documentation of encryption. Auditors will also ask to physically review some devices.
Breach Notification Policy
Breach Notification
• Policy
• Process or procedure for determining risk of compromise
• Sample of notice that would be sent
• Evidence that you have notified if you have any situations that required notification
• Copies of notices sent
Have you updated your processes to reflect the Omnibus requirements?
Risk of Compromise Assessment
Breach Notification
Breach Notification Documentation
Breach Notification
Maximize HIPAA Audit Protocol Coverage for Investment
• Patient privacy monitoring: 23 of the HIPAA audit protocols
• HIPAA Protocol sections
  – Audit Controls
  – Security Incident Procedures
  – Security Management Process
  – Breach Assessment & Notification
  – Security Awareness and Training
  – Access Control
  – Administrative Requirements
More Information
• A full mapping of FairWarning® to the HIPAA Audit Protocols is available online: http://www.fairwarning.com/whitepapers/2012-07-WP-OCR-PROTOCOL-MAPPING.pdf
• OCR website, specifically the audit protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• Presentation from the OCR on the preliminary results of the 115 Audits done by KPMG in 2012: https://www.privacyassociation.org/media/presentations/13Summit/S13_Lessons_Learned_OCR_PPT.pdf
• Notice of Privacy Practices Contest by ONC: http://oncchallenges.ideascale.com/a/pages/digital-privacy-notice-challenge
Compatible with Every Major EHR and Over 250 Applications Used in Healthcare (logos shown: Cerner, MEDITECH, Streamline Health)
Best In Category Product Solution
• User and Patient Access Reports
• Privacy Breach Detection Analytics and Alerts
• Investigations and Legal Defense
• Automated Monthly Effectiveness Reports
• Governance & Compliance Effectiveness
• Patented Patient Privacy Monitoring
Privacy Excellence Awards
Winners will be announced February 25th, 2014
#PrivacyExcellence
www.Facebook.com/FairWarningInc
www.Twitter.com/FairWarningInc
www.LinkedIn.com/company/FairWarning-Inc
Questions
• Please submit via the Webex Q&A or Chat windows to the right side of your screen
Questions & Answers

Q: How are organizations selected by OCR for an audit?
A: For the pilot audits, organizations were selected based on size and type of organization. However, for the permanent audit program, they have stated that they will be sending out an inquiry letter in advance, and select organizations based on those results (as well as those who have had breaches affecting more than 500 patients).

Q: Who is the person that they usually send the letter to (CEO, Privacy Officer, Chief Compliance Officer)?
A: Ordinarily, this is the Privacy Officer.

Q: Is FW appliance based or can it be installed/run on our own hardware?
A: FairWarning® is delivered as either an appliance-based or software-as-a-service solution.

Q: Can we develop our own/custom reports in FW, or are we limited to reports provided by FW?
A: FairWarning® reporting capabilities are fully customizable, to fit your organization's unique needs and workflows. For more information on how to customize reports with FairWarning®, please contact [email protected].

Q: Do they want Policies/Procedures in hardcopy or electronic?
A: Your audit letter should specify; in our case, most things were requested in hardcopy.

Q: How are Data Warehouses viewed by OCR where PHI resides?
A: Unfortunately, our speakers are not aware of this particular aspect. However, because the data warehouse contains extensive PHI, we recommend monitoring access as you would any other application containing PHI.
Q: How important is it that ALL IT security/compliance folks know where to find documents? Our current environment is not very intuitive.
A: Your Privacy and IT Security staff members should all know where to find necessary documentation, as questions could come up in either set of interviews.

Q: Should policies and procedures be in the same document, or should you have granularity: policy, then process, then procedure, then work instructions?
A: We recommend having a policy as a high level document, with detailed procedures separately. This way, when one is updated it may not be necessary to update both.

Q: Do you use GPOs to enforce encrypted USB drives?
A: At a previous health system, our speaker relied on an endpoint protection suite to handle this concern, rather than GPO.

Q: Is there an abbreviated, concise summary available regarding the findings from the 115 audits, and where can we access it? OCR website?
A: We have not seen a brief summary of these 115 audits. However, there is a full overview available in the PowerPoint presentation.

Q: Can FairWarning be used for a remotely hosted EHR?
A: Yes, FairWarning® can consume access logs from a remotely hosted EHR as well as on-site, and we have many customers doing so.

Q: Can you integrate with overall compliance monitoring tools?
A: FairWarning® can correlate information with a variety of third-party tools through the FairWarning® Ready Programs. Please visit http://www.fairwarning.com/it-compatibility/fairwarning-ready-overview for more information.
Q: Would a 3rd party assurance report (e.g., SSAE16) for cloud providers around their backup procedures be sufficient evidence to show DR/BC is being done?
A: In general, we believe that an untested backup is the same as no backup. Regardless of any third-party assurance report, your backup process should have been actually tested and documented.

Q: Are there fines associated with OCR finding problems in audit with compliance?
A: During the pilot audits, the focus was on developing and refining the audit process, and not on assessing fines. However, compliance shortfalls may be subject to fines; please visit the OCR website for examples of resolution agreements and recent fines.

Q: In the application inventory, did you include Excel spreadsheets?
A: No, this was not considered an application containing PHI in our inventory.

Q: You said they were at your organization for 5 days - how large is your organization?
A: This audit experience was in an organization with approximately 3,000 employees.