OCR - Barbara Holland

Report
RECognition & Health IT 2.0
Expo
HIPAA Audit Program and Omnibus Rule
Tuesday, June 25, 2013
Sheraton Dover Hotel
Dover, DE
Barbara J. Holland, Esq.
DHHS, Office of Civil Rights
Regional Manager, Region III
HIPAA Audit Program
• Mandated by HITECH Act, Section 13411 ‐ Audits
• HHS must conduct periodic audits to ensure covered entities
and business associates are complying with the HIPAA Privacy
and Security Rules and Breach Notification Standards.
• Program Opportunity
•
Examine mechanisms for compliance
• Identify best practices
• Discover risks and vulnerabilities that may not have come to
light through complaint investigations and compliance reviews
• Encourage renewed attention to compliance activities
2
Multi‐year Audit Plan
Description
Vendor
Status/Timeframe
Audit program
development
study
Booz Allen Hamilton
Closed
2010
Covered entity
identification
and cataloguing
Booz Allen Hamilton
Closed
2011
Develop audit protocol
and
conduct audits
KPMG, Inc.
Closed
2011‐2012
Evaluation of audit
program
PWC, LLP
Open
Conclude in 2013
3
2011/2012 Implementation
• Audit Protocol Design
•
Created a comprehensive, flexible process for analyzing entity
efforts to provide regulatory protections and individual rights
• Resulting Audit Program
•
Conducted 115 performance audits through December 2012 to
identify findings in regard to adherence with standards.
• Two phases:
•
Initial 20 audits to test original audit protocol
• Final 95 audits using modified audit protocol
4
What is a Performance Audit?
•
An audit service conducted in accordance with GAGAS, Generally
Accepted Government Auditing Standards (The Yellow Book)
• Provides findings, observations, or conclusions based on an evaluation
of sufficient, appropriate evidence against established audit criteria
• Can include a limitless range of objectives driven by the needs of users
• Can entail objective assessments of a variety of attributes:
– Program effectiveness, economy, and efficiency
– Internal control
– Compliance
– Other questions of interest to management (e.g. value of assets,
determination of pension benefits)
5
Who Can Be Audited?
• Any Covered Entity
o For 2011‐2012, OCR sought wide range of types and sizes
• Health plans of all types
• Health care clearinghouses
• Individual and organizational providers
• Any Business Associate TBD after September 23, 2013
(HITECH Final Rule compliance date)
6
Breakdown of 2012 Auditees
Level 1 Entities
• Large Provider / Health Plan
• Extensive use of HIT ‐ complicated HIT enabled clinical /business work streams
• Revenues and or assets greater than $1 billion
Level 2 Entities
• Large regional hospital system (3‐10 hospitals/region) / Regional Insurance Company
• Paper and HIT enabled work flows
• Revenues and or assets $300 million to $1 billion
Level 3 Entities
• Community hospitals, outpatient surgery, regional pharmacy / All Self‐ Insured entities
that don’t adjudicate their claims
• Some but not extensive use of HIT – mostly paper based workflows
• Revenues $50 Million to $300 million
Level 4 Entities
• Small Providers (10 to 50 Provider Practices, Community or rural pharmacy)
• Little to no use of HIT – almost exclusively paper based workflows
• Revenues less than $50 million
7
Auditees by Type & Size
LEVEL
1
2
3
4
Health Plans
13
12
11
11
47
Health Care Providers
11
16
10
24
61
2
3
1
1
7
Health Care
Clearinghouses
Total
_________________________________________________
Total
26
31
22
36
115
8
Overall Cause Analysis
For every finding and observation cited in the audit reports, audit
identified a “Cause.”
• Most common cause across all entities: entity unaware of the
requirement.
• 39% (115 of 293) of Privacy Requirements
• 27% (163 of 593) of Security Requirements
• 12% (11) of Breach Notification Requirements
• Most of these related to elements of the Rules that explicitly state what
a covered entity must do to comply.
• Other causes noted included but not limited to:
• Lack of application of sufficient resources
• Incomplete implementation
• Complete disregard
9
What have the audits discovered so far?
• 65 % of the violations are in the security area
• 42.70% of the security violations involve administrative
safeguards
• 16.70% involve physical safeguards
• Policies and procedures exist but are outdated or not
implemented
•
•
•
•
HIPAA compliance programs were not a priority
Larger institutions continue to have security problems
Entities are not conducting regular risk assessments
Entities are not managing third party risks
10
What does this mean for you as a covered entity?
• Your odds of being audited have now increased
• OCR is under Congressional pressure to enforce HIPAA/HITECH
• You need to have current policies and procedures that are implemented
• You need to have updated risk assessments
• You need to be aware of the findings and actions taken by OCR in its
recent enforcement actions
• You must have an up-to-date risk assessment of your compliance with
the Privacy and Security Rules. If you had a breach or security incident,
an additional risk assessment has to be performed specifically addressing
those factors that resulted in breach or violation
11
Omnibus HIPAA Final Rule
• Issued January 17, 2013, Effective March 26, 2013
• Compliance Date September 23, 2013
• Major Changes:
o Expands Liability
 Business Associates/Subcontractors and Agents of Covered Entities
o Presumption of Breach unless low probability of data compromise
o CE must make assessment of risk following breach
o Use PHI for marketing and fundraising (opt-out)
o individual’s right of access to electronic PHI
o Enforcement Penalties
12
Expanded Liability
• HITECH made BAs subject to Security Rule and certain
Privacy Rule provisions
• New regs implement HITECH requirements
• BA definition amended to add
 patient safety organizations,
 HIOs/data transmission entities (cloud vendors),
 vendors who provide PHRs on behalf of covered
entities and
 Subcontractors (law firms)
13
Expanded Liability
• BAs now directly Liable
• Subcontractors to BAs also subject to HIPAA
• BAA must spell out delegated authority
• Agreement is also required between BA and subcontractor
that contains all required BAA provisions
• Law of Agency applies even when no BAA -- “No matter
how far ‘down the chain’ the information flows”
14
Revised definition of Breach
• Prior definition:
o Acquisition, access, use or disclosure of PHI in a manner not
permitted by Privacy Rule which compromises the security or
privacy of the PHI
• Interim final rule defined “compromise”
o Poses a significant risk of financial, reputational or other harm
15
New Definition
• An acquisition, access, use or disclosure of PHI in a
manner not permitted is presumed to be a breach
• Unless the CE or BA can demonstrate (via
documentation) that there is a low probability that
the PHI has been compromised
16
CE must conduct a risk assessment to
determine probability of compromise
• Factors that must be weighed in assessing probability of
compromise
o The nature and extent of the PHI involved
o The unauthorized person who used the PHI or to whom the
disclosure was made
o Was the PHI actually acquired or viewed, and
o Has the risk to the PHI been mitigated
17
Enforcement provisions adopted and
clarified
• Regulations adopt HITECH increased penalty structure:
 Did not know: $100-$50,000 per violation
 Reasonable cause: $1,000-$50,000 per violation
 Willful neglect* if corrected: $10,000-$50,000 per
violation
 Willful neglect if uncorrected: $50,000 per violation
• $1,500,000 maximum for all violations of an identical
provision per year
*Conscious, intentional failure or reckless indifference to a compliance
obligation
18
Enforcement Provisions:
new clarifications
• Factors government must now consider when determining penalties
o Nature and extent of violation, now includes number of affected
individuals
o Nature and extent of harm resulting, now includes reputational
harm
o History of compliance, now includes indications of noncompliance (vs. formal findings of violations)
o Financial condition of the organization
• If willful neglect, HHS
o Required to investigate
o Must conduct a compliance review
o May (but probably won’t) resolve informally
19
Areas for CEs and BAs to focus on in the future
•
Risk assessments – ongoing
•
Training of personnel
•
Policies and procedures – especially w/respect to
mobile devices and encryption
20
OCR’s future focus
 Not giving entities a 2nd, 3rd, 4th chance to comply
 May start to look at repeat violators
 Complaints may trigger broad review
 Now required to do compliance review where willful
neglect
 Breach reports may trigger compliance investigations
even where not required.
 Additional audits may be undertaken following evaluation
of initial program
21

similar documents