HIPAA Compliance Audits Phase 2
Linda Sanches, Senior Advisor, Division of Health Information Privacy
HIPAA Enforcement Program
Susan Rhodes, Regional Manager, New England Region
HIPAA Privacy, Security & Breach Notification Rule Compliance
Privacy & Security Forum HIMSS 1
December 7, 2016
Topics
• Phase II HIPAA Audit Program
  – Status
  – Random Selection Processes
  – Desk Audits & On-site Audits
• Desk Audit Mechanics
  – What to Expect
  – Document Request – Receipt and Response
  – Final Reports
• Standards Selected
• Compliance Issues
• Enforcement
• Available Guidance
HIPAA COMPLIANCE AUDITS PHASE 2
Update

Audit Program Purpose
Purpose – Support Improved Compliance
• Identify best practices; uncover risks & vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance
  – Intended to be non-punitive, but OCR can open up a compliance review (for example, if significant concerns are raised during an audit or an entity fails to respond)
• Learn from this next phase in structuring a permanent audit program
• Develop tools and guidance for industry self-evaluation and breach prevention
Background
Audit Program History
HITECH legislation: HHS (OCR) shall provide for periodic audits to ensure that covered entities and business associates comply with HIPAA regulations. (Section 13411)
• Pilot phase (2011-2012) – comprehensive, on-site audits of 115 covered entities.
• 2013 – issuance of formal evaluation report
• 2016 – Phase 2 (ongoing) – between 200-250 "desk" audits of covered entities and business associates
Audit Program Status
• Desk audits underway. Total 214
  – 166 Covered Entities
  – 48 Business Associates – documents due 12/13
• Business Associate selection pool largely drawn from over 20,000 entities identified by audited CEs
• On-site audits of both CEs and BAs in 2017 to evaluate against comprehensive selection of controls in protocols
• A desk audit subject may be subject to on-site audit
CE Selection Process
• Identified pools of a wide range of CEs. Sampling criteria included size, affiliations, location, public or private, etc.
• Health plans were divided into group plans and issuers
• Providers categorized by type: hospital, practitioner, elder care/SNF, health system, pharmacy
• Ran a randomized selection algorithm that drew from each of the categories, resulting in 166 CEs.
• Selected auditees checked for conflicts of interest with the contractor, as well as subjects of ongoing investigations.
• Conflicting auditees were replaced in kind
Types of Business Associates
Non-Clinical G&S | Claims & Billing | Professional | Clinical | EHR & IT | Insurance | Other
Admin | Claims | Legal | Providers | EHR system | Sales broker | Accreditation
Collections | Billing | Consultant | Lab service | IT solutions | Agency | Education
DME Sales | TPA | Accounting | Pharmacy | IT support | Provider | Registry
Staffing | | | | Software | Benefits | Research
Answer service | | | Staffing | | |
Document Requests & Responses
• Document requests sent to selected CE & BA auditees via email
• For specific policies, procedures, other evidence of implementation
• Items must be submitted using the secure online portal link in the notification email
• CEs only were asked to submit, via email, a list of all the CE's BAs
  – Over 20,000 submitted
Desk Expectations
Entities have 10 business days to provide responses
• Responses should contain the specified documentation -- applicable policies, procedures, evidence of implementation
• Provide complete and relevant materials
• Refrain from submitting superfluous documentation! 10 MB file size limitation
Desk Audit Reporting: Process
After review of submitted documentation
• draft findings shared with the entity,
• Entity may respond in writing
Final audit reports will
• describe how the audit was conducted,
• present any findings, and
• contain any written entity responses to the draft
Under OCR's separate, broad authority to open compliance reviews, OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of PHI are revealed through the audit
Covered Entity Desk Audit Controls
Privacy Rule Controls
Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
Provision of Notice – Electronic Notice [§164.520(c)(3)]
Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Rule Controls
Timeliness of Notification [§164.404(b)]
Content of Notification [§164.404(c)(1)]
Security Rule Controls
Security Management Process -- Risk Analysis [§164.308(a)(1)(ii)(A)]
Security Management Process -- Risk Management [§164.308(a)(1)(ii)(B)]
Business Associate Desk Audit Controls
Breach Notification Rule Controls
Notification by a Business Associate [§164.410, with reference to Content of Notification §164.404(c)(1)]
Security Rule Controls
Security Management Process -- Risk Analysis [§164.308(a)(1)(ii)(A)]
Security Management Process -- Risk Management [§164.308(a)(1)(ii)(B)]
COMPLIANCE ISSUES AND ENFORCEMENT
Regional Operations
MISSION OF 8 REGIONAL OFFICES: ENFORCEMENT, TECHNICAL ASSISTANCE, OUTREACH
• New England (Boston)
• Eastern and Caribbean (New York)
• Mid-Atlantic (Philadelphia)
• Southeast (Atlanta)
• Midwest (Chicago and Kansas City)
• Southwest (Dallas)
• Rocky Mountain (Denver)
• Pacific (San Francisco, Los Angeles and Seattle)
Recurring Compliance Issues
• Business Associate Agreements
• Risk Analysis
• Failure to Manage Identified Risk, e.g. Encrypt
• Lack of Transmission Security
• Lack of Appropriate Auditing
• No Patching of Software
• Insider Threat
• Improper Disposal
• Insufficient Data Backup and Contingency Planning
Corrective Action
Corrective Actions May Include:
• Updating risk analysis and risk management plans
• Updating policies and procedures
• Training of workforce
• Implementing specific technical or other safeguards
• Mitigation
• CAPs may include monitoring
Good Practices
Some Good Practices:
• Review all vendor and contractor relationships to ensure BAAs are in place as appropriate and address breach/security incident obligations
• Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned
• Dispose of PHI on media and paper that has been identified for disposal in a timely manner
• Incorporate lessons learned from incidents into the overall security management process
• Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members' critical role in protecting privacy and security
Risk Analysis
Security Rule: risk analysis and risk management
• Workstations associated with medical devices – Lahey Hospital and Medical Center (Lahey) agreed to pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Lahey (MA) is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care. Its risk analysis failed to identify where all ePHI was held, resulting in impermissible disclosures when a laptop associated with a medical device was stolen.
• Enterprise Risk Analysis – St. Joseph Health (SJH) (large system in TX and NM) agreed to pay a resolution amount of $2,140,500 and adopt a comprehensive corrective action plan. SJH failed to conduct an enterprise-wide risk analysis and risk management plan, resulting in public access to 31,800 individuals' ePHI.
RA & RM
Security Rule: risk analysis and risk management
• Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to a resolution payment of $650,000 and a corrective action plan after the theft of a CHCS mobile device compromised the protected health information (PHI) of hundreds of nursing home residents. CHCS provided management and information technology services as a business associate to six skilled nursing facilities. The total number of individuals affected by the combined breaches was 412.
Breach Notification
Breach Notification Rule: content & timeliness
• Related to OCR's settlement against Care New England, where Women and Infants Hospital, an affiliated covered entity, failed to update its business associate agreement with the parent company (resolution amount of $400k and a comprehensive corrective action plan), the MA Attorney General's Office settled on other issues including "failing to provide timely notice of the loss of PHI in violation of 45 C.F.R. § 164.404 and 45 C.F.R. § 164.408." The MA Attorney General settled their case for $150k and a corrective action plan.
NPP and Access
Privacy Rule: NPP and individual access right
• Through a regional investigation and technical assistance, OCR required a covered entity to cease using a patient agreement that conditioned the entity's compliance with the Privacy Rule. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices. Prior to the resolution, the covered entity requested that patients sign an agreement entitled "Consent and Mutual Agreement to Maintain Privacy." The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician's compliance with the Privacy Rule. A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. A covered entity's obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient's silence.
BAA & Breach Reporting
Breach Notification Rule: reporting to covered entity
• Care New England resolution agreement with $400k resolution amount and comprehensive corrective action plan. HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements – September 23, 2016. Covered entity Women and Infants failed to update its business associate agreement with Care New England, its corporate parent, post HIPAA Omnibus Final Rule, which included updates to the business associate reporting requirement. "This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule," said OCR Director Jocelyn Samuels.
2016 Enforcement Actions (1)
• $650,000 UMass settles potential HIPAA violations following malware infection – November 22, 2016
• $2.14 million HIPAA settlement underscores importance of managing security risk – October 17, 2016
• HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements – September 23, 2016
• Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million – August 4, 2016
• Multiple alleged HIPAA violations result in $2.75 million settlement with University of Mississippi Medical Center (UMMC) – July 21, 2016
• Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University – July 18, 2016
• Business Associate's Failure to Safeguard Nursing Home Residents' PHI Leads to $650,000 HIPAA Settlement – June 29, 2016
2016 Enforcement Actions (2)
• Unauthorized Filming for "NY Med" Results in $2.2 Million Settlement with New York Presbyterian Hospital – April 21, 2016
• $750,000 settlement highlights the need for HIPAA business associate agreements
• Improper disclosure of research participants' protected health information results in $3.9 million HIPAA settlement – March 17, 2016
• $1.55 million settlement underscores the importance of executing HIPAA business associate agreements – March 16, 2016
• Physical therapy provider settles violations that it impermissibly disclosed patient information – February 16, 2016
• Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800 – February 3, 2016
Audit Guidance
Posted Guidance for 2016 Desk Audits
• Selected protocol elements with associated document submission requests and related Q&As
• Slides from audited entity webinar held July 13, 2016
• Comprehensive question and answer listing
OCR Website: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
Protocol Guidance
Cloud
Cloud Computing Guidance
• OCR released guidance clarifying that a CSP is a business associate – and therefore required to comply with applicable HIPAA regulations – when the CSP creates, receives, maintains or transmits identifiable health information (referred to in HIPAA as electronic protected health information or ePHI) on behalf of a covered entity or business associate.
• When a CSP stores and/or processes ePHI for a covered entity or business associate, that CSP is a business associate under HIPAA, even if the CSP stores the ePHI in encrypted form and does not have the key.
• CSPs are not likely to be considered "conduits," because their services typically involve storage of ePHI on more than a temporary basis.
  – http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
  – http://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-entity-block-or-terminate-access/index.html
New BA Access FAQ
May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate for or on behalf of the covered entity?
No
FAQ addresses:
• Privacy Rule requirements for permissible uses and disclosures of PHI
• Security Rule considerations for ensuring ePHI confidentiality, integrity, & availability
• Fulfilling PR individual access right
• Special services & CE responsibilities
Cybersecurity Newsletters
• February 2, 2016 (Ransomware, "Tech Support" Scam, New BBB Scam Tracker)
• March 3, 2016 (Tips for keeping PHI safe, NSA's lessons learned, Malware and Medical Devices)
• March 30, 2016 (New Cyber Threats and Attacks on the Healthcare Sector)
• May 3, 2016 (Is Your Business Associate Prepared for a Security Incident)
• June 2016 (What's in Your Third-Party Application Software)
• September 2016 (Cyber Threat Information Sharing)
• October 2016 (Mining More than Gold (FTP))
http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
Access Guidance
Privacy Rule Access Guidance
• OCR provided guidance on individuals' access to their protected health information under the Privacy Rule: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
• Scope
• Form and Format and Manner of Access
• Timeliness
• Fees
• Directing Copy to a Third Party, and Certain Other Topics
HIT Developer Portal: http://hipaaqsportal.hhs.gov
Platform for users to influence guidance
• OCR launched platform for mobile health developers in October 2015; purpose is to understand concerns of developers new to healthcare industry and HIPAA standards
• Users can submit questions, comment on other submissions, vote on relevancy of topic
• OCR will consider comments as we develop our priorities for additional guidance and technical assistance
  – Guidance issued in February 2016 about how HIPAA might apply to a range of health app use scenarios
  – FTC/ONC/OCR/FDA Mobile Health Apps Interactive Tool on Which Laws Apply issued in April 2016
Risk Analysis Guidance
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
• http://scap.nist.gov/hipaa/
• http://www.healthit.gov/providers-professionals/security-risk-assessment