OCR Audit Process & Penalties:
Understanding the U.S. DHHS Office of Civil Rights’
EHR Audit Process and Penalties
Nathan Gibson, CISA, CISSP
Agenda
 Common Questions
 Background
 HIPAA Audits
– Audit Timeline
– Audit Process
– Penalties
– How to Prepare
– Tools
– Lessons Learned
 Meaningful Use Audits
– How to Prepare
– Tools
 Summary
 Resources
Common Questions
 Who can audit us?
– Office of Civil Rights (OCR)
– State Attorneys General (SAG)
– Centers for Medicare and Medicaid Services (CMS)
• Meaningful Use
 Will we be audited?
– Short term – probably not (but always assume you will)
– Eventually – YES
 What are ways that we can be audited?
– Random HIPAA
– Complaint
– Breach of Protected Health Information (PHI)
– MU Audit
 Could our Business Associates be audited?
– Yes
Background
 HITECH
– Health Information Technology for Economic and Clinical Health
– Included Enforcement & Penalties
• Transferred Security Rule enforcement from CMS to OCR
 Office of Civil Rights
– Enforcement of the HIPAA Privacy and Security Rules
– 115 audits to assess
• Privacy Rule
• Security Rule
• Breach notification performance
– Providing HIPAA Enforcement Training to State Attorneys General
 State Attorneys General
– Authority to bring civil actions on behalf of state residents for HIPAA violations
Audit Timeline
 HIPAA Audit Timeline
– June, 2011: Contract with KPMG
– November, 2011: Draft audit protocols developed
– April, 2012: Initial round of audits completed
– December, 2012: All audits will be completed for the pilot program
Audit Process
 Notification letter
– Asked to provide documentation
 Site visit
 Final Report
– Audit details
– Findings
– Actions taken
Notification Letter (sample) (image: hhs.gov)
Documentation Request (image: hhs.gov)
Penalties
 Loss of Contracts
 Criminal and Civil Investigation
 Federal Penalties
– Up to $1.5 million
 State Fines
– Up to $25,000
 Reputation
 Legal Costs
 Notification Costs
http://blog.willis.com/2011/10/scariest-financialservices-risk-data-breach/
How to Prepare (HIPAA)
 Self-Assessment
– Audit protocol
– NIST 800-66
 Documentation
– Risk assessment
– PHI stored and transmitted (including third parties)
– Policies & procedures
– Documentation Request List
 Lessons Learned
– Existing Audits and Penalties
– Best Practices
 Available Tools
– REC, OCR, NIST, HIMSS, etc.
How to Prepare (HIPAA)
 Audit Protocol
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Tools
 REC Tools
– Security Risk Assessment Tool
– Information Security Policy Template
– Breach notification guidance
– Privacy and Security Checklist (HIPAA & HITECH)
 OCR
– Audit Protocol:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
 NIST
– HIPAA Security Rule Toolkit
• http://scap.nist.gov/hipaa/
– Special Publications (800 Series)
• http://csrc.nist.gov/publications/PubsSPs.html
Tools (cont.)
 HIMSS
– HIMSS Privacy and Security Toolkit for Small Providers
• http://www.himss.org/asp/topics_PS_SmallProviders.asp
– More Privacy & Security Toolkits
• http://www.himss.org/asp/topics_pstoolkitsDirectory.asp?faid=568&tid=111
• Risk Assessment Toolkit
• Mobile Security Toolkit
• Cloud Security Toolkit
Lessons Learned
 Audit Reason: Complaint
 Organization: Cignet
 Lessons:
– Process in place for patients’ request for copies of their medical records
– Cooperate with OCR!
(source: hhs.gov)
Lessons Learned
 Audit Reason: Breach
 Organization: DHSS (Alaska)
 Incident: Stolen USB Drive
 Lessons:
– Policies & Procedures
– Risk analysis / risk management
– Workforce training
– Device & media controls
– Encryption
 Corrective Action Plan (valuable!)
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html
(source: hhs.gov)
Lessons Learned
 Audit Reason: Random Audits
 HIPAA: OCR / KPMG
MU: CMS
 Lessons:
– Review any audit reports released
– Monitor progress of the audit program
– Learn from findings discovered
(source: hhs.gov)
Lessons Learned
 Audit Reason: Complaint
 Organization: Phoenix Cardiac Surgery
 Incident: Publicly posted clinical and surgical appt.
 Lessons:
– No practice is too small to experience a breach
– Security risk assessment needs to include ALL locations of PHI
– Documentation!
– Review corrective action plan
(source: hhs.gov)
Lessons Learned
 Phoenix Cardiac Surgery
Resolution Agreement & Corrective Action Plan
Meaningful Use
 CMS EHR Incentive Program
– All providers attesting to receive an EHR incentive payment
• Medicare or Medicaid EHR Incentive Programs
• Retain ALL relevant supporting documentation (in either paper or electronic format used in the completion of the Attestation Module)
• Documentation to support the attestation should be retained for six years post-attestation
– Medicare and dually-eligible (Medicare and Medicaid)
• Audits performed by CMS, and its contractors
– Medicaid
• Audits performed by states, and their contractors
Meaningful Use
 Audit Contract
– Figliozzi and Co., Garden City, NY (accounting firm)
– Medicare recipients and hospitals that received incentive payments from both Medicare and Medicaid
– Note: States and their individual contractors will audit incentive program participants who received bonuses from Medicaid alone
How to Prepare (MU)
 Documentation
– Proof that the EHR system used to meet meaningful use requirements is certified.
– Supporting documentation proving that core objectives were met.
– Supporting documentation that menu objectives were met.
Tools
 CMS
– Attestation FAQ’s (overview, preparing, and details of an audit)
• https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10
 REC
– Security Risk Assessment Tool
– Information Security Policy Template
– Breach notification guidance
– Privacy and Security Checklist (HIPAA & HITECH)
Summary
 Assume you’ll be audited
 Prepare
– Keep documentation updated
– Understand & document where all PHI is stored & transmitted
– Reasonable and appropriate security controls
• Based on security risk assessment
Resources
 OCR (hhs.gov)
– Audit Pilot Program
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
– Audit Protocol
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
– Sample Notification Letter
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf
 NIST
– Security Rule Toolkit
• http://scap.nist.gov/hipaa/
 CMS
– FAQ’s
• https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10
 GAO Report
– http://www.gao.gov/assets/600/590538.pdf
 OCR Documentation List
– http://cynergistek.files.wordpress.com/2012/04/ocr-audit-documentation-request-list.pdf
Have a question, comment, or suggestion?
Contact Nathan Gibson at:
ngibson@wvmi.org
304-346-9864 ext. 2236