CHIEF AUDIT EXECUTIVE (CAE) PANEL DISCUSSION

AHIA 31st Annual Conference – August 26-29, 2012 – Philadelphia PA
www.ahia.org

Panel – Discussion Topics and Leaders

Leveraging and Aligning Internal Audit Resources
Dan Pantera, Vice President, Audit, Compliance & Privacy
The Methodist Hospital System, Houston Texas

Types of Risks & Readiness Assessments
Deborah Mendel, Vice President, Internal Audit
Medstar Health, Baltimore Maryland

Value Added IT and HIPAA Security Audits
Ron Skillens, Vice President, Compliance & Internal Audit
Children’s Medical Center, Dallas Texas

Internal Audits – Attorney-Client Privilege Considerations
Debi Weatherford, Executive Director Internal Audit
Piedmont Healthcare, Atlanta Georgia

CAE PANEL DISCUSSION
DANIEL W. PANTERA, CPA, CIA, CHC, MACC
VICE PRESIDENT, INTERNAL AUDIT, COMPLIANCE & PRIVACY
THE METHODIST HOSPITAL SYSTEM

Leveraging Internal Audit Resources

The Methodist Hospital System

About Methodist
A leading Academic Medical Center located in the Texas Medical Center.

Size of Methodist Operations
• 5 Hospitals
• $2.4B Net Revenue
• 13,867 employees

Scope of my responsibilities
• Internal Audit
• Corporate Compliance
• HIPAA Privacy

What has changed?

“Even on top of significant implications of healthcare reform, your organization is challenged by economic pressures, increased regulatory requirements, and constantly advancing information and communication technologies. Is your Internal Audit function positioned to see your organization through this transition?”

Source: Deloitte 2011 Vital Signs: Leveraging Internal Audit to monitor, and succeed in the changing healthcare environment.

Why Align? – Stakeholder Expectations

Source: PWC 2012: State of the Internal Audit Profession

Where should Internal Audit be leveraged?

• Regulatory Compliance
• Meaningful Use
• ICD-10
• Data Privacy & Security
• Physician Arrangements
• Cost Controls
• Information Technology
• Enterprise Risk Management

Source: Deloitte 2011 Whitepaper: Leveraging Internal Audit to monitor, and succeed in, the changing healthcare industry

Meaningful Use – Internal Audit’s Role

• Steering Committee
• Attestation Readiness – independent verifier
• HIPAA Security Risk Assessment
• OIG Audit Preparation
• Document retention

Source: 2012 AHIA & PWC Whitepaper: Meaningful Use Risks – Internal Audit Assessment and Response

Patient Privacy & Security

• Encryption
• Access Controls
• Business Associates
• Health Information Exchange
• Mobile Devices
• Audit Readiness

Sources: PWC 2012: State of the Internal Audit Profession; KPMG

Physician Arrangements

Contract Management & Compliance
• Employment agreements
• Bonus calculations

Private Physician Payments
• Written agreement
• FMV determination

Non-monetary Compensation
• Stark Log Reporting ($373)
• Incidental Benefits (< $31)

Conflicts of Interest

Cost Control

• Contract Audits
• Construction Audits
• Accounts Payable
• Supply Chain
• Labor productivity & benchmarking

References

PWC 2012: State of the Internal Audit Profession
http://www.pwc.com/en_US/us/risk-assurance-services/internal-audit/publications/assets/pwc-2012-state-of-internal-audit-survey.pdf

Deloitte 2011: Leveraging Internal Audit to monitor, and succeed in the changing healthcare industry

AHIA & PWC, June 2012: Meaningful Use Risks – Internal Audit Assessment and Response
http://www.ahia.org/audit_library/resources/MeaningfulUseWhitePaper05302012FINAL.pdf

PWC 2012: Old data learns new tricks: Managing patient security and privacy on a new data-sharing playground
http://pwchealth.com/cgi-local/hregister.cgi/reg/old-data-learns-new-tricks.pdf

CAE PANEL DISCUSSION
DEBORAH L. MENDEL, CPA, CIA, CHFP, CICA, CRMA
VICE PRESIDENT, INTERNAL AUDIT
MEDSTAR HEALTH

Types of Risk and Readiness Assessments

MedStar Health

About MedStar
Largest regional healthcare system in the Maryland and Washington DC area.

Size of MedStar Operations
• 9 Hospitals
• 20 Other Health-Related Businesses
• $4.0B+ Net Operating Revenue
• 27,000+ Employees

Scope of my responsibilities
• Internal Audit
• Enterprise Risk Management Coordination

Types of Risk/Readiness Assessments

• Annual Assessment to Establish Audit Plan
• Risk-Based Audit Approach
• Enterprise Risk Management
• HIPAA Security
• Payment Card Industry
• 340B Drug Enforcement
• Meaningful Use
• ICD-10

Annual Risk Assessment

Purpose
Establish a risk-based plan to determine the priorities of Internal Audit consistent with the organization’s goals.

Key Sources/Areas to Consider
• Organization’s goals, strategies and tactical initiatives
• External and Regulatory Risks
• Enterprise Risk Management Activities – “Organization’s Risk Universe”
• Information Technology Risks
• Fraud Risks
• Compliance/OIG Work Plan
• Input from Senior Management and the Board/Audit Committee

Risk-Based Audit Approach

Purpose
Establish audit objective and scope based on the assessment of risk for the department/process to be reviewed.
Focus on areas that are relevant and of value to your client.

Key Sources/Areas to Consider
• Department/function’s goals and objectives and related risk awareness
• Processes and control activities
• Monitoring activities
• Information Technology Risks
• Fraud Risks

Enterprise Risk Management Risk Assessment

Purpose
Conduct a thorough assessment of the risks that face the operations of Internal Audit, and develop management plans to mitigate those risks.
Used a framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) for Internal Environment.

Key Sources/Areas to Consider
• Situation Analysis
• Risks
• Gaps
• Mitigation Strategies
• Reporting
• Monitoring

HIPAA Security Readiness Assessment

Purpose
Assess if IS Management has properly prepared to meet their HIPAA compliance responsibility according to the criteria established by the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR).

Key Sources/Areas to Consider
• Risk Assessment
• User Access Provisioning
• User Activity Monitoring
• Authentication/Integrity
• Incident Response
• Contingency Planning
• Media Reuse and Destruction
• Physical Access Controls
• Encryption

OCR Audit Approach: http://ocrnotifications.hhs.gov/hipaa.html

HIPAA Security Readiness Assessment

HIPAA Security Audit Readiness Worksheet
(columns: HIPAA Security Rule Standards Detail / Functional Audit Scope / How to Audit the Standards)

Business Associate Oversight
  Standards: Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)), (§ 164.314(a)(1))
  How to audit: Identification of Critical Vendors, Vendor Due Diligence, and Documentation Review

Business Continuity
  Standards: Contingency Plan (§ 164.308(a)(7)); Access Control (§ 164.312(a)(1))
  How to audit: Data Backup, Disaster Recovery, and Business Impact Analysis

Data Security
  Standards: Information Access Management (§ 164.308(a)(4)); Device and Media Controls (§ 164.310(d)(1)); Integrity (§ 164.312(c)(1))
  How to audit: EPHI Disposal, Storage, and Transmission

Information Security Program
  Standards: Security Management Process (§ 164.308(a)(1)); Assigned Security Responsibility (§ 164.308(a)(2)); Security Incident Procedures (§ 164.308(a)(6)); Evaluation (§ 164.308(a)(8)); Audit Controls (§ 164.312(b)); Policies and Procedures (§ 164.316(a)); Documentation (§ 164.316(b)(1))
  How to audit: Risk Management and Incident Detection and Response

Network Analysis
  Standards: Access Control (§ 164.312(a)(1)); Audit Controls (§ 164.312(b)); Integrity (§ 164.312(c)(1)); Transmission Security (§ 164.312(e)(1))
  How to audit: Architecture, Access Control, Device Management, and Event Management

Personnel Security
  Standards: Workforce Security (§ 164.308(a)(3)); Security Awareness and Training (§ 164.308(a)(5))
  How to audit: Hiring Processes, Security Awareness, and Security Training

Physical Security
  Standards: Facility Access Controls (§ 164.310(a)(1)); Workstation Use (§ 164.310(b)); Workstation Security (§ 164.310(c))
  How to audit: Data Center, Facilities, and Environmental Concerns

Systems Analysis
  Standards: Access Control (§ 164.312(a)(1)); Audit Controls (§ 164.312(b)); Integrity (§ 164.312(c)(1)); Person or Entity Authentication (§ 164.312(d))
  How to audit: Patching, System Hardening, Anti-Virus, Upgrade Procedures, System Access, Logging, Password Policies, and Account Lockouts

Payment Card Industry Readiness Assessment

Purpose
Assess the receipt of credit card payments and associated controls that align with the 12 PCI DSS requirements.

Overall Requirement / Description of Requirement

Build and Maintain a Secure Network
  • A firewall configuration to protect cardholder data is installed and maintained.
  • Vendor-supplied defaults for system passwords and other security parameters are not used.

Protect Cardholder Data
  • Stored cardholder data is protected.
  • Encrypted transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
  • Updated anti-virus software is used and regularly updated.
  • Secure systems and applications are developed and maintained.

Implement Strong Access Control Measures
  • Access to cardholder data is restricted by business need to know.
  • A unique ID is assigned to each person with computer access.
  • Physical access to cardholder data is restricted.

Regularly Monitor and Test Networks
  • All access to network resources and cardholder data is tracked and monitored.
  • Security systems and processes are regularly tested.

Maintain an Information Security Policy
  • A policy that addresses information security is maintained.

Payment Card Industry Readiness Assessment

Key Sources/Areas to Consider
• Requires both IS and Operational ownership and accountability
• Need inventory of front-end operational processes that employ cardholder data
• Need inventory of all applications and systems that transmit and/or store cardholder data
• System-wide policies and procedures that address PCI requirements

Assessment template
(columns: Requirement Description / Examples of Required Controls or Documentation / Controls and Processes Identified by IA / Risk Ranking / IA Recommendation)

Sample row:
  Requirement Description: Protect stored cardholder data
  Examples of Required Controls or Documentation: Primary Account Numbers are masked if stored.
  Controls and Processes Identified by IA, Risk Ranking, IA Recommendation: blank in the template

Payment Card Industry Readiness Assessment

Practical Tips: What You Can Do Better
• Store less data
• Understand the flow of data
• Encrypt data
• Address application and network vulnerabilities
• Improve security awareness and training
• Monitor systems for intrusions and anomalies
• Segment and control access to credit card networks
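The template control "Primary Account Numbers are masked if stored" and the tips "store less data" and "understand the flow of data" are things an auditor can test directly rather than only ask about. The Python below is an added example written for this page; it is not from the panel or from any presenter's organization. It scans a text export (a log, a report, a database dump) for unmasked PANs, using the Luhn checksum to drop patient IDs and other long digit runs that merely look like card numbers, and shows the first-six/last-four masking that PCI DSS Requirement 3.3 allows for display. The log lines and card numbers are constructed for the example; the card numbers are Luhn-valid test numbers of the kind payment processors publish for sandbox use and belong to no real account.

```python
"""Added example (not from the AHIA panel slides or any presenter's organization).

Two checks behind the PCI readiness items above:
  * "Primary Account Numbers are masked if stored": find_pans() scans an export
    for unmasked PANs; mask_pan() applies the first-six/last-four display
    ceiling of PCI DSS Requirement 3.3.
  * "Understand the flow of data" / "Store less data": running find_pans() over
    logs and exports shows where cardholder data has leaked into systems that
    were never meant to hold it.
All data below is constructed for the example.
"""
import re

# A PAN is 13 to 19 digits; exports often separate groups with spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 checksum that every
    real PAN satisfies. Used to drop patient IDs, timestamps and other long
    digit runs that merely look like card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS 3.3 allows at most the first six and
    last four digits to be shown, so larger values are clamped to that."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped digit string")
    keep_first = max(0, min(keep_first, 6))
    keep_last = max(0, min(keep_last, 4))
    head = digits[:keep_first]
    tail = digits[len(digits) - keep_last:]
    return head + "*" * (len(digits) - keep_first - keep_last) + tail


def find_pans(text: str):
    """Return [(raw_match, masked_form), ...] for every Luhn-valid PAN found
    unmasked in text. Already-masked values (e.g. 411111******1111) and digit
    runs that fail Luhn are ignored."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.group(0), mask_pan(digits)))
    return hits


# Constructed sample: a point-of-sale log export mixed with a billing-app line.
# The card numbers are Luhn-valid test numbers that belong to no real account.
SAMPLE_EXPORT = """\
2012-08-27 10:02:11 POS-07 sale approved card=4111 1111 1111 1111 amount=42.10
2012-08-27 10:05:43 POS-07 sale approved card=411111******1111 amount=18.00
2012-08-27 10:09:02 billing-app patient_id=1000000000000002 visit=12
2012-08-27 10:11:30 POS-03 refund card=5500-0000-0000-0004 amount=9.99
"""


def audit_export(text: str) -> dict:
    """Summarize an export the way an audit workpaper would: how many
    unmasked PANs were found, and their masked forms for the finding."""
    hits = find_pans(text)
    return {"unmasked_pan_count": len(hits),
            "masked_forms": [masked for _, masked in hits]}


if __name__ == "__main__":
    for raw, masked in find_pans(SAMPLE_EXPORT):
        print(f"unmasked PAN found: {raw!r} -> would display as {masked}")
    print(audit_export(SAMPLE_EXPORT))
```

On the constructed sample the scan reports two unmasked PANs (the POS sale and refund lines), skips the line that was already masked, and rejects the 16-digit patient ID because it fails the Luhn check. Note that masking covers display; for data at rest PCI DSS Requirement 3.4 expects the PAN to be rendered unreadable (truncation, hashing or strong cryptography), so a hit from this scan in a stored file is a finding regardless of how the value would later be displayed.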

340B Drug Program Enforcement

Why is this a HOT TOPIC?
• A September 2011 GAO report concluded that the Health Resources and Services Administration’s (HRSA) oversight of the 340B program was inadequate to provide reasonable assurance that covered entities and drug manufacturers are in compliance with program requirements
• Congressional concern
• Audits began February 2012

340B Drug Program Enforcement

Background
Pharmaceutical manufacturers agree to provide front-end discounts on covered outpatient drugs purchased by specified government-supported facilities, called “covered entities,” that serve the nation’s most vulnerable patient populations.
“Covered entities” include disproportionate share hospitals (DSH) with a DSH adjustment percentage greater than 11.75%.

Purpose
• Assess the entity’s eligibility to participate in the 340B program;
• Assess whether the participant has sold or diverted 340B covered drugs to persons who are not eligible patients; and
• Assess whether participants have the proper controls in place to prevent and detect instances of diversion and duplicate discounts.

340B Drug Program Enforcement

Key Sources/Areas to Consider
• Initial and continued eligibility of entity
• Eligibility of patients, drugs and drug purchases
• Documentation of 340B drug dispensation
• Record retention
• Reconciliation of quantities ordered to quantities used by 340B patients
• Related policies and procedures
• Staff training and education

Meaningful Use Readiness Assessment – Core and Menu Objectives

Purpose
Assess workflows to attain core and select menu set objectives.

Key Sources/Areas to Consider
• Interpretation for each measure
• Workflow redesign
• System capabilities
• Training and education
• Reporting

Meaningful Use Readiness Assessment – Core and Menu Objectives

Core and Menu Set Risk Assessment Template
(columns: Hospital Objective / Risk Rating)

Core Objectives
  Computerized physician order entry: Low
  Drug and drug-allergy interaction checks: Moderate
  Maintain active medication list: High

ICD-10 Readiness Assessment

Purpose
Assess if the organization is properly preparing to meet ICD-10 compliance.

Key Sources/Areas to Consider
• Project Governance
• Training
• System Remediation
• Staffing
• Communication
• Project Plan

ICD-10 Project Team (organization chart)

ICD-10 Executive Steering Committee
  Physician Advisors
  ICD-10 Program Director

Workgroups reporting to the Program Director:
• Hospital Billing, Payor Readiness, Patient Access Adoption Workgroup
• Physician/Clinician Adoption Workgroup
• IT and Integration
• Education & Training
• HIM & Coding
• Practice & Specialty Billing
• Finance, Reimbursement, Managed Care, Compliance
• EMR

Conclusion – Keep it Timely

Conclusion – Keep it Manageable

CAE PANEL DISCUSSION
RON SKILLENS
VICE PRESIDENT, COMPLIANCE AND INTERNAL AUDIT
CHILDREN’S MEDICAL CENTER DALLAS

Value Added IT & HIPAA Security Audits

Children’s Medical Center Dallas

About Children’s
A leading pediatric academic medical center located in the Dallas Medical District.

Size of Children’s Operations
• 2 Hospitals, Surgical Center, 9 Primary Care Clinics, 2 Physician Corporations
• $1B+ Net Operating Revenue
• 5000+ Employees

Scope of my responsibilities
• Internal Audit
• Corporate Compliance
• HIPAA Privacy & Security

Discussion Points

• Value Added IT Audits
• HIPAA Security Considerations

What makes a value added IT audit?

• Scope
• Communication
• Project Selection

Strategic Project Selections…

• Contracts and Vendor Management Monitoring
• Mergers, Acquisitions and Divestitures (M&A)
• Business Expansions & Contractions
• Technology P&L reviews
• Technology Fixed Asset Reviews
• IT Organizational Structure
• Outsourcing Considerations
• Major Application Development Efforts

Insightful Scope Determinations…

• Penetration Testing
• Computer Operations
• Phone Bill Reviews
• Data Center Reviews
• Application Security Reviews
• Change Management Reviews
• Disaster Recovery Review
• End User Assets (HW & SW)
• Policy Reviews

And never failing to communicate.

• Market the Internal Audit function to IT
• Communicate plans, risks, projects, status, results, etc.
• Ask to participate in standing IT meetings
• Have a monthly/quarterly update with your CIO

Are you secure with HIPAA?

HIPAA Security Considerations
• OCR Audit Protocol
• Risk Assessment
• Encryption of email and mobile devices
• Centralized Logging
• Social Networking
• Patch Management
• Access Control

OCR Security Pilot Findings

• 65% of findings relate to security
• Top security findings included user/activity monitoring, contingency planning, authentication/integrity, and media reuse/destruction
• Many findings with small providers, but large entities had security findings
• OCR recommends:
  • Conducting robust reviews and risk assessments
  • Map the flow of PHI internally and externally
  • Identify/Find all of your PHI
  • See guidance on OCR website

Source: Health and Human Services Office of Civil Rights presentation titled 2012 HIPAA Privacy and Security Audits by Linda Sanches, OCR Senior Advisor

CAE PANEL DISCUSSION
DEBI WEATHERFORD
EXECUTIVE DIRECTOR, INTERNAL AUDIT
PIEDMONT HEALTHCARE

Attorney Client Privilege (ACP) Considerations

About Piedmont Healthcare

• 1.6 billion dollar health system
• 5 hospitals
• Physician clinics
• Heart Institute
• Philanthropy
• Insurance company

ACP Policy & Procedure Considerations

• Invoking the attorney-client privilege
• Notification of appropriate personnel
• Communication protocols
• E-mail guidelines
• Document guidelines
• Working paper documentation
• Reporting

ACP Policy & Procedure Considerations (continued)

• Granting access to engagement records
• Education of board and management

*** Review IIA Practice Advisory 2330.A1-2

ACP Auditing Challenges

• Audit work conducted before ACP invoked
• Audit work conducted under ACP
• Coordinated effort between Compliance, Legal and Internal Audit
• Concurrent versus retrospective reviews
• Sampling

Thank You!

Dan Pantera, Vice President, Audit, Compliance & Privacy
The Methodist Hospital System, Houston Texas
[email protected]

Deborah Mendel, Vice President, Internal Audit
Medstar Health, Baltimore Maryland
[email protected]

Ron Skillens, Vice President, Compliance & Internal Audit
Children’s Medical Center, Dallas Texas
[email protected]

Debi Weatherford, Executive Director Internal Audit
Piedmont Healthcare, Atlanta Georgia
[email protected]

Save the Date: August 25-28, 2013
32nd Annual Conference, Chicago, IL