Transcript Lessons Learned
OCR Audit Process & Penalties:
Understanding the U.S. DHHS Office of Civil Rights’ EHR Audit Process and Penalties
Nathan Gibson, CISA, CISSP
Agenda
Common Questions Background HIPAA Audits – Audit Timeline – Audit Process – Penalties – How to Prepare – Tools – Lessons Learned Meaningful Use Audits – How to Prepare – Tools Summary Resources
Common Questions
Who can audit us?
– Office of Civil Rights (OCR) – State Attorneys General (SAG) – Centers for Medicare and Medicaid Services (CMS) • Meaningful Use Will we be audited?
– Short term – probably not (but always assume you will) – Eventually – YES What are ways that we can be audited?
– Random HIPAA – Complaint – Breach of Protected Health Information (PHI) – MU Audit Could our Business Associates be audited?
– Yes
Background
HITECH – Health Information Technology for Economic and Clinical Health – Included Enforcement & Penalties • Transferred Security Rule enforcement from CMS to OCR Office of Civil Rights – Enforcement of the HIPAA Privacy and Security Rules – 115 audits to assess • Privacy Rule • Security Rule • Breach notification performance – Providing HIPAA Enforcement Training to State Attorneys General State Attorneys General – Authority to bring civil actions on behalf of state residents for HIPAA violations
Audit Timeline
HIPAA Audit Timeline – June, 2011: Contract with KPMG – November, 2011: Draft audit protocols developed – April, 2012: Initial round of audits completed – December, 2012: All audits will be completed for the pilot program
Audit Process
Notification letter – Asked to provide documentation Site visit Final Report – Audit details – Findings – Actions taken hhs.gov
Notification Letter (sample)
hhs.gov
Documentation Request
Penalties
Loss of Contracts Criminal and Civil Investigation Federal Penalties – Up to $1.5 million State Fines – Up to $25,000 Reputation Legal Costs Notification Costs http://blog.willis.com/2011/10/scariest-financial services-risk-data-breach/
How to Prepare
(HIPAA)
Self-Assessment – Audit protocol – NIST 800-66 Documentation – Risk assessment – PHI stored and transmitted (including third parties) – Policies & procedures – Documentation Request List Lessons Learned – Existing Audits and Penalties – Best Practices Available Tools – REC, OCR, NIST, HIMSS, etc.
How to Prepare
(HIPAA)
Audit Protocol http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Tools
REC Tools – Security Risk Assessment Tool – Information Security Policy Template – Breach notification guidance – Privacy and Security Checklist (HIPAA & HITECH) OCR – Audit Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
NIST – HIPAA Security Rule Toolkit • http://scap.nist.gov/hipaa/ – Special Publications (800 Series) • http://csrc.nist.gov/publications/PubsSPs.html
Tools
(cont.)
HIMSS – HIMSS Privacy and Security Toolkit for Small Providers • http://www.himss.org/asp/topics_PS_SmallProviders.asp
– More Privacy & Security Toolkits • http://www.himss.org/asp/topics_pstoolkitsDirectory.asp?faid=568&tid=111 • Risk Assessment Toolkit • Mobile Security Toolkit • Cloud Security Toolkit
Lessons Learned
Audit Reason: Complaint Organization: Cignet Lessons: – Process in place for patients’ request for copies of their medical records – Cooperate with OCR!
hhs.gov
Lessons Learned
Audit Reason: Breach Organization: DHSS (Alaska) Incident: Stolen USB Drive Lessons: – Policies & Procedures – Risk analysis / risk management – Workforce training – Device & media controls – Encryption Corrective Action Plan (valuable!) http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska -agreement.html
hhs.gov
Lessons Learned
Audit Reason: Random Audits HIPAA: OCR / KPMG MU: CMS Lessons: – Review any audit reports released – Monitor progress of the audit program – Learn from findings discovered hhs.gov
Lessons Learned
Audit Reason: Complaint Organization: Phoenix Cardiac Surgery Incident: Publicly posted clinical and surgical appt.
Lessons: – No practice is too small to experience a breach – Security risk assessment needs too include ALL locations of PHI – Documentation!
– Review corrective action plan hhs.gov
Lessons Learned
Phoenix Cardiac Surgery Resolution Agreement & Corrective Action Plan
Meaningful Use
CMS EHR Incentive Program
– All providers attesting to receive an EHR incentive payment • Medicare or Medicaid EHR Incentive Programs • Retain ALL relevant supporting documentation (in either paper or electronic format used in the completion of the Attestation Module)
Documentation to support the attestation should be retained for six years post-attestation
– Medicare and dually-eligible (Medicare and Medicaid) • Audits performed by CMS, and its contractors – Medicaid • Audits performed by states, and their contractors
Meaningful Use
Audit Contract
– Figliozzi and Co., Garden City, NY (accounting firm) – Medicare recipients and hospitals that received incentive payments from both Medicare and Medicaid – Note: States and their individual contractors will audit incentive program participants who received bonuses from Medicaid alone
How to Prepare
(MU)
Documentation
– Proof that the EHR system used to meet meaningful use requirements is certified.
– Supporting documentation proving that core objectives were met.
– Supporting documentation that menu objectives were met.
Tools
CMS – Attestation FAQ’s (overview, preparing, and details of an audit) • https://www.cms.gov/Regulations-and Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10 REC – Security Risk Assessment Tool – Information Security Policy Template – Breach notification guidance – Privacy and Security Checklist (HIPAA & HITECH)
Summary
Assume you’ll be audited Prepare
– Keep documentation updated – Understand & document where all PHI is stored & transmitted – Reasonable and appropriate security controls • Based on security risk assessment
Resources
OCR (hhs.gov) – – – Audit Pilot Program • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
Sample Notification Letter • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf
Audit Protocol • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
CMS – FAQ’s • https://www.cms.gov/Regulations-and Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10 NIST – Security Rule Toolkit • http://scap.nist.gov/hipaa/ GAO Report – http://www.gao.gov/assets/600/590538.pdf
OCR Documentation List – http://cynergistek.files.wordpress.com/2012/04/ocr-audit-documentation-request-list.pdf
Have a question, comment, or suggestion?
Contact Nathan Gibson at: [email protected]
304-346-9864 ext. 2236