2012 HIPAA Privacy and Security Audits
OCR
Agenda
HITECH Act Impact
HITECH Act (of American Recovery and Reinvestment Act) of 2009:
- Establishes breach notification requirements
- Establishes new penalty levels
- Establishes compliance requirements for business associates
- Extended enforcement authority to State Attorneys General
- Mandates performance of privacy and security audits
Background
The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.
To implement this mandate, OCR is piloting a program to perform up to 115 audits of covered entities to assess HIPAA privacy, security and breach notification performance.
Audits are conducted in two phases: initial audits to test the newly developed protocol, and final pilot audits through December 2012.
Program Objective
Audits present a new opportunity to:
- Examine mechanisms for compliance
- Identify best practices
- Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews
- Encourage renewed attention to compliance activities
Program Goal
To improve covered entity and business associate compliance with the HIPAA standards.
Widely publicizing the audit program and audit results will spur covered entities and business associates to assess and calibrate their privacy and security protections.
OCR will share best practices gleaned through the audit process and guidance targeted to observed compliance challenges. Such technical assistance will assist those entities that are seeking information to frame their ongoing compliance efforts.
Audit Plan
Description | Vendor | Status / Timeframe
Audit program development study | Booz Allen Hamilton | Closed, 2010
Covered entity & business associate identification and catalog | Booz Allen Hamilton | Closed, 2012
Develop audit protocol and conduct audit | KPMG, Inc. | Open, 2011-2012
Evaluation of audit program | TBD | To be awarded; conclude in 2013
Protocol Design & Program Performance Contract
Who Will be Audited?
Every covered entity is eligible for an audit.
For 2011-2012, OCR seeks to audit as wide a range of types and sizes of covered entities as possible, which includes:
- Health plans of all types
- Health care clearinghouses
- Individual and organizational providers
- Business Associates in a later audit wave
Auditee Selection Criteria
OCR identified a pool of covered entities. Specific criteria include, but are not limited to:
- Public versus private
- Entity's size, e.g., level of revenues/assets, number of patients or employees, use of HIT
- Affiliation with other health care organizations
- Geographic location
- Type of entity and relationship to patient care
Timeline for the Audit Program
KPMG contract into effect June 2011; now standing up the program activities. The pilot audit program is a three-step process.
1. Working with KPMG to develop the draft audit protocols. Completed November 2011.
2. An initial round of audits tested the protocols. Results of field testing provided feedback for final protocol design. Field work completed March 1st; final protocol design completed April 2012.
3. Rolling out the full range of audits and evaluation process. All audits will be completed by December 2012.
How will the Audit Program Work?
- Entities selected for an audit will receive a notification letter from OCR and be asked to provide documentation to the auditor
- Every audit will include a site visit and result in an audit report
- KPMG will recommend suggested modifications to the protocol
- KPMG will summarize findings & results, highlight consistent issues
- Final report: how the audit was conducted; what the findings were; and what actions the covered entity is taking in response to those findings.
What will be the Outcome of an Audit?
Audits are a type of review that serves more as a compliance improvement tool than an investigation of a particular violation that may lead to sanctions and penalties. An audit may uncover vulnerabilities and weaknesses that can be appropriately addressed through corrective action on the part of the entity. It is possible that an audit could indicate serious compliance issues that may trigger a separate enforcement investigation by OCR.
What is a Performance Audit?
- Measures performance against established criteria
- Privacy, Security and Breach: the Rules were made auditable and measurable by developing performance criteria to execute these audits
- Used by regulators to understand how industry is complying with a set of regulations
- Conducted under GAGAS, Generally Accepted Government Auditing Standards, aka Yellow Book Standards
- Allows for rendering an opinion of whether an entity has key controls and processes to allow the entity to maintain or achieve compliance with the Rules
- Not intended to be punitive, but rather to measure compliance with regulations
Overview of HIPAA Audit Project, 2011-2012
(Timeline chart. Recoverable labels: July 2011 through March 2012, Initial Protocol Development; April 2012 through December 2012.)
Breakdown of First 20 Auditees
Level 1 Entities
- Large provider / health plan
- Extensive use of HIT; complicated HIT-enabled clinical/business work streams
- Revenues and/or assets greater than $1 billion
Level 2 Entities
- Large regional hospital system (3-10 hospitals/region) / regional insurance company
- Paper and HIT-enabled workflows
- Revenues and/or assets between $300 million and $1 billion
First 20 Auditees by Entity Type
Entity Type | Level 1 | Level 2 | Level 3 | Level 4 | Total
Health Plans | 2 | 3 | 1 | 2 | 8
Healthcare Providers | 2 | 2 | 2 | 4 | 10
Healthcare Clearinghouses | 1 | 1 | 0 | 0 | 2
Total | 5 | 6 | 3 | 6 | 20
First 20 Plans and Providers
Health Plans:
- Medicaid: 1
- SCHIP: 1
- Group Health: 3
- Health Insurance Issuer: 3
Health Care Providers:
- Allopathic & Osteopathic Physicians: 3
- Hospitals: 3
- Laboratories: 1
- Dental: 1
- Nursing & Custodial Care Facilities: 1
- Pharmacy: 1
Initial 20 Findings Analysis (chart slides; only the slide titles are recoverable):
- Overview
- Privacy Issues
- Privacy: Uses and Disclosures
- Privacy: Notice and Access
- Privacy: Administrative Requirements
- Security Issues
- Security Top Issues
Preliminary Observations
- Policies and procedures
- Priority HIPAA compliance programs
- Small providers
- Larger entities: security challenges
- Conduct of risk assessments
- Managing third party risks
- Privacy challenges are widely dispersed throughout the protocol; no clear trends by entity type or size
Future of Audit
- All audits in pilot to end December 2012
- Findings will be used to look for trends
- Evaluation contract to conduct analysis of 2011 and 2012 activities
- Pilot experience and reports will feed into decisions re ongoing audit program: structure, focus, size
Future of Audit
- TBD: Business Associates; more decisions
- BA protocol development
- Who to audit; how to identify BAs: Who is a business associate? How to identify in the population? Location; line of business; timeliness of information; subcontractors?
- What to audit: limited requirements for BAs
Non-Compliance Risks
- Loss of contracts
- Criminal and civil investigation
- Federal penalties, State fines
- Public harm and reputational risk
- Legal costs
- Cost of notification
Next Steps to Consider
- Conduct a robust review & assessment
- Determine lines of business affected by HIPAA
- Map/flow PHI movement within your organization, as well as flows to/from third parties
- Find all of your PHI
- See guidance available on OCR website