RECognition & Health IT 2.0 Expo
HIPAA Audit Program and Omnibus Rule
Tuesday, June 25, 2013
Sheraton Dover Hotel, Dover, DE
Barbara J. Holland, Esq.
DHHS, Office of Civil Rights, Regional Manager, Region III

HIPAA Audit Program
• Mandated by HITECH Act, Section 13411 ‐ Audits
• HHS must conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards.
• Program Opportunity
  o Examine mechanisms for compliance
  o Identify best practices
  o Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews
  o Encourage renewed attention to compliance activities

Multi‐year Audit Plan
Description                                     Vendor               Status/Timeframe
Audit program development study                 Booz Allen Hamilton  Closed 2010
Covered entity identification and cataloguing   Booz Allen Hamilton  Closed 2011
Develop audit protocol and conduct audits       KPMG, Inc.           Closed 2011‐2012
Evaluation of audit program                     PWC, LLP             Open, conclude in 2013

2011/2012 Implementation
• Audit Protocol Design
  o Created a comprehensive, flexible process for analyzing entity efforts to provide regulatory protections and individual rights
• Resulting Audit Program
  o Conducted 115 performance audits through December 2012 to identify findings in regard to adherence with standards.
  o Two phases:
    – Initial 20 audits to test original audit protocol
    – Final 95 audits using modified audit protocol

What is a Performance Audit?
• An audit service conducted in accordance with GAGAS, Generally Accepted Government Auditing Standards (The Yellow Book)
• Provides findings, observations, or conclusions based on an evaluation of sufficient, appropriate evidence against established audit criteria
• Can include a limitless range of objectives driven by the needs of users
• Can entail objective assessments of a variety of attributes:
  – Program effectiveness, economy, and efficiency
  – Internal control
  – Compliance
  – Other questions of interest to management (e.g. value of assets, determination of pension benefits)

Who Can Be Audited?
• Any Covered Entity
  o For 2011‐2012, OCR sought a wide range of types and sizes
    – Health plans of all types
    – Health care clearinghouses
    – Individual and organizational providers
• Any Business Associate – TBD after September 23, 2013 (HITECH Final Rule compliance date)

Breakdown of 2012 Auditees
Level 1 Entities
• Large Provider / Health Plan
• Extensive use of HIT ‐ complicated HIT-enabled clinical/business work streams
• Revenues and/or assets greater than $1 billion
Level 2 Entities
• Large regional hospital system (3‐10 hospitals/region) / Regional Insurance Company
• Paper and HIT-enabled work flows
• Revenues and/or assets $300 million to $1 billion
Level 3 Entities
• Community hospitals, outpatient surgery, regional pharmacy / All self‐insured entities that don’t adjudicate their claims
• Some but not extensive use of HIT – mostly paper-based workflows
• Revenues $50 million to $300 million
Level 4 Entities
• Small Providers (10 to 50 provider practices, community or rural pharmacy)
• Little to no use of HIT – almost exclusively paper-based workflows
• Revenues less than $50 million

Auditees by Type & Size
                            Level 1  Level 2  Level 3  Level 4  Total
Health Plans                   13       12       11       11     47
Health Care Providers          11       16       10       24     61
Health Care Clearinghouses      2        3        1        1      7
Total                          26       31       22       36    115

Overall Cause Analysis
For every finding and observation cited in the audit reports, audit identified a “Cause.”
• Most common cause across all entities: entity unaware of the requirement.
  o 39% (115 of 293) of Privacy Requirements
  o 27% (163 of 593) of Security Requirements
  o 12% (11) of Breach Notification Requirements
• Most of these related to elements of the Rules that explicitly state what a covered entity must do to comply.
• Other causes noted included but not limited to:
  o Lack of application of sufficient resources
  o Incomplete implementation
  o Complete disregard

What have the audits discovered so far?
• 65% of the violations are in the security area
  o 42.70% of the security violations involve administrative safeguards
  o 16.70% involve physical safeguards
• Policies and procedures exist but are outdated or not implemented
• HIPAA compliance programs were not a priority
• Larger institutions continue to have security problems
• Entities are not conducting regular risk assessments
• Entities are not managing third party risks

What does this mean for you as a covered entity?
• Your odds of being audited have now increased
• OCR is under Congressional pressure to enforce HIPAA/HITECH
• You need to have current policies and procedures that are implemented
• You need to have updated risk assessments
• You need to be aware of the findings and actions taken by OCR in its recent enforcement actions
• You must have an up-to-date risk assessment of your compliance with the Privacy and Security Rules. If you had a breach or security incident, an additional risk assessment has to be performed specifically addressing those factors that resulted in the breach or violation

Omnibus HIPAA Final Rule
• Issued January 17, 2013; Effective March 26, 2013
• Compliance Date September 23, 2013
• Major Changes:
  o Expands liability to Business Associates/Subcontractors and Agents of Covered Entities
  o Presumption of breach unless low probability of data compromise
  o CE must make assessment of risk following breach
  o Use of PHI for marketing and fundraising (opt-out)
  o Individual’s right of access to electronic PHI
  o Enforcement penalties

Expanded Liability
• HITECH made BAs subject to Security Rule and certain Privacy Rule provisions
• New regs implement HITECH requirements
• BA definition amended to add patient safety organizations, HIOs/data transmission entities (cloud vendors), vendors who provide PHRs on behalf of covered entities, and Subcontractors (law firms)

Expanded Liability (cont.)
• BAs now directly liable
• Subcontractors to BAs also subject to HIPAA
• BAA must spell out delegated authority
• Agreement is also required between BA and subcontractor that contains all required BAA provisions
• Law of Agency applies even when no BAA -- “No matter how far ‘down the chain’ the information flows”

Revised definition of Breach
• Prior definition:
  o Acquisition, access, use or disclosure of PHI in a manner not permitted by Privacy Rule which compromises the security or privacy of the PHI
• Interim final rule defined “compromise”:
  o Poses a significant risk of financial, reputational or other harm

New Definition
• An acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach
• Unless the CE or BA can demonstrate (via documentation) that there is a low probability that the PHI has been compromised

CE must conduct a risk assessment to determine probability of compromise
• Factors that must be weighed in assessing probability of compromise:
  o The nature and extent of the PHI involved
  o The unauthorized person who used the PHI or to whom the disclosure was made
  o Was the PHI actually acquired or viewed, and
  o Has the risk to the PHI been mitigated

Enforcement provisions adopted and clarified
• Regulations adopt HITECH increased penalty structure:
  Did not know:                     $100-$50,000 per violation
  Reasonable cause:                 $1,000-$50,000 per violation
  Willful neglect* if corrected:    $10,000-$50,000 per violation
  Willful neglect if uncorrected:   $50,000 per violation
• $1,500,000 maximum for all violations of an identical provision per year
*Conscious, intentional failure or reckless indifference to a compliance obligation

Enforcement Provisions: new clarifications
• Factors government must now consider when determining penalties
  o Nature and extent of violation, now includes number of affected individuals
  o Nature and extent of harm resulting, now includes reputational harm
  o History of compliance, now includes indications of noncompliance (vs. formal findings of violations)
  o Financial condition of the organization
• If willful neglect, HHS
  o Required to investigate
  o Must conduct a compliance review
  o May (but probably won’t) resolve informally

Areas for CEs and BAs to focus on in the future
• Risk assessments – ongoing
• Training of personnel
• Policies and procedures – especially w/respect to mobile devices and encryption

OCR’s future focus
• Not giving entities a 2nd, 3rd, 4th chance to comply
• May start to look at repeat violators
• Complaints may trigger broad review
• Now required to do compliance review where willful neglect
• Breach reports may trigger compliance investigations even where not required.
• Additional audits may be undertaken following evaluation of initial program