OCR-HHS HIPAA/HITECH Audit Preparation

The HITECH Act authorizes HHS to conduct periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules. As a result, OCR, using KPMG audit services, has begun to develop a pilot audit program.
Audits give OCR the ability to assess privacy and security protections and compliance issues on a systemic level, and to identify potential vulnerabilities so that entities can prevent problems before they occur. This complements the incident-based work that HHS currently conducts through investigations.
Site visits conducted as part of every audit include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; checks that process is consistent with policy; and observation of compliance with regulatory requirements.
After each site visit KPMG will submit an audit report. Audit reports consist of the following information:
• Best practices noted
• Raw data collection materials, such as completed checklists and interview notes
• Future oversight recommendations
• Findings (if any):
  o The defect or noncompliant status observed, and evidence of each
  o A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
  o The reason that the condition exists, along with identification of the supporting documentation used
  o Recommendations for addressing each finding
  o Acknowledgement of any best practice(s) or success(es)
• Overall assessment
In addition, OCR will decide on the resolution approach for each finding based on its severity.
EHR 2.0 OCR HIPAA audit advisory services help healthcare organizations prepare for the audit by:
1) Assessing the current policies and procedures
2) Identifying key gaps and risk areas based on ePHI created, transmitted, received and stored
3) Training
4) Risk analysis
5) Plans to mitigate the risks identified
Visit our OCR audit resource section to learn more: http://ehr20.com/ocr-hhs-hitech-hipaa-audit-resources/


  1. OCR/HHS HIPAA/HITECH Audit Preparation
  2. Webinar Objectives: To provide knowledge and background information on the OCR/HHS HIPAA/HITECH audit program and to provide guidelines for preparing and keeping records. E-mail: info@ehr20.com
  3. Who are we ... EHR 2.0 Mission: To assist healthcare organizations in developing and implementing practices that secure IT systems and comply with HIPAA/HITECH regulations. Education (training, webinars and workshops); consulting services; toolkit (tools, best practices and checklists). Goal: To make compliance an enjoyable and painless experience, while building capability and confidence.
  4. Glossary: 1. HHS, OCR, DOJ and SAG: Department of Health and Human Services, Office for Civil Rights, Department of Justice, State Attorney General. 2. PHI: protected health information. 3. Findings: noncompliant conditions observed during an audit, with the evidence for each. 4. HIPAA: Health Insurance Portability and Accountability Act. 5. HITECH: Health Information Technology for Economic and Clinical Health Act.
  5. HITECH: HITECH modifications to HIPAA include: creating incentives for developing meaningful use of electronic health records; changing the liability and responsibilities of business associates; redefining what a breach is; creating stricter notification standards; tightening enforcement; raising the penalties for a violation; creating new code and transaction sets (HIPAA 5010, ICD-10).
  6. Why do you need to care about the OCR/HHS audit (enforcement)? Federal mandate; civil money penalties (CMP) for non-compliance; reputation risk; business risk; increased number of breaches and attacks.
  7. Common fallacies related to the OCR audit: "Our compliance officer handles everything – there's no need to involve anyone else." "We're compliant; therefore, we're secure." "The last time we had an audit they didn't find anything of concern." "We have a security policy to keep our systems protected." "We have a certified EHR system."
  8. Why an OCR/HHS audit? (HHS version): To assess HIPAA compliance efforts by a range of covered entities; an opportunity to examine mechanisms for compliance and identify best practices; to discover risks and vulnerabilities that may not have come to light through OCR's ongoing complaint investigations and compliance reviews.
  9. Enforcement Authorities: Office for Civil Rights (OCR): investigates complaints filed with HHS; imposes civil money penalties. Department of Justice (DOJ): investigates criminal violations. State Attorney General (SAG): civil actions on behalf of state residents; civil money penalties.
  10. HIPAA Titles - Overview (figure only)
  11. HIPAA Security Rule (figure only)
  12. Information Security Model: Confidentiality: limiting information access and disclosure to authorized users (the right people). Integrity: trustworthiness of information resources (no inappropriate changes). Availability: information resources are available when needed (at the right time).
  13. Covered Entity: HIPAA applies to any entity that is a health care provider (a provider of medical or other health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business), a health care clearinghouse (a public or private entity that does billing services, re-pricing companies, community health management information systems or community health information systems, etc.), or a health plan (an individual or group plan that provides, or pays the cost of, medical care). https://www.cms.gov/hipaageninfo/downloads/CoveredEntityCharts.pdf
  14. Business Associates: a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. Examples: a third party administrator that assists a health plan with claims processing; a CPA firm whose accounting services to a health care provider involve access to protected health information; an attorney whose legal services to a health plan involve access to protected health information; a consultant that performs utilization reviews for a hospital; a health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer; an independent medical transcriptionist that provides transcription services to a physician; a pharmacy benefits manager that manages a health plan's pharmacist network.
  15. OCR HITECH Audit Status: KPMG to conduct 150 audits during 2012; 20 audits completed. In the pilot phase, OCR is auditing eight health plans, two claims clearinghouses and 10 provider organizations, including three hospitals, three physician offices, a laboratory, a dental office, a nursing/custodial facility and a pharmacy.
  16. How does HHS notify healthcare organizations of an audit? Sample letter (figure only)
  17. Federal Audits: 241 pages (figure only)
  18. OCR Audit Schedule: Every covered entity and business associate is eligible for an audit. (From the HHS.gov site)
  19. OCR Audit Program: Civil Money Penalties (figure only)
  20. (figure only)
  21. Top 5 issues investigated:
      Year | Issue 1                          | Issue 2    | Issue 3 | Issue 4           | Issue 5
      2010 | Impermissible Uses & Disclosures | Safeguards | Access  | Minimum Necessary | Notice
      2009 | Impermissible Uses & Disclosures | Safeguards | Access  | Minimum Necessary | Complaints to Covered Entity
      2008 | Impermissible Uses & Disclosures | Safeguards | Access  | Minimum Necessary | Complaints to Covered Entity
  22. How to organize for an OCR/HHS audit? Policies and procedures; risk analysis; documentation and document management; BA agreements and contracts; training. Together these feed the OCR compliance audit.
  23. Policies and Procedures: Physical security policy (maintenance record, disposal, access); information security policy (access policy, sanction policy); contingency plan policy; security incident procedure/breach.
  24. Documentation: privacy and security notices; health record request log; training logs; PHI/chart access review.
  25. Business Associate Cycle: Covered entity: BA contract; assessment (Tier 1); breach notification. BA: HIPAA Privacy and Security Rule; minimum necessary; subcontractors. HHS/OCR: breach notification.
  26. Sample Risk Analysis Template (likelihood across, impact down):
      Impact \ Likelihood | High                                        | Medium                                                 | Low
      High                | Unencrypted laptop ePHI                     | Lack of auditing on EHR systems                        | Missing security patches on web server hosting patient information
      Medium              | Unsecured wireless network in doctor's office | Outdated anti-virus software                           | External hard drives not being backed up
      Low                 | Sales presentation on USB thumb drive       | Web server backup tape not stored in a secured location | Weak password on internal document server
  27. PHI: Health information; within it, individually identifiable health information; within that, PHI (protected health information).
  28. ePHI – 18 Elements (element: example):
      Name: Max Bialystock
      Address (all geographic subdivisions smaller than a state, including street address, city, county, or ZIP code): 1355 Seasonal Lane
      Dates related to an individual (all elements except year): birth, death, admission, discharge
      Telephone numbers: 212 555 1234, home, office, mobile etc.
      Fax number: 212 555 1234
      Email address: LeonT@Hotmail.com, personal, official
      Social Security number: 239-68-9807
      Medical record number: 189-88876
      Health plan beneficiary number: 123-ir-2222-98
      Account number: 333389
      Certificate/license number: 3908763 NY
      Any vehicle or other device serial number: SZV4016
      Device identifiers or serial numbers: unique medical devices
      Web URL: www.rickymartin.com
      Internet Protocol (IP) address numbers: 19.180.240.15
      Finger or voice prints: finger.jpg
      Photographic images: mypicture.jpg
      Any other characteristic that could uniquely identify the individual
  29. Trends in Healthcare IT: informatics; collaboration; mobile computing; EHR; HIE.
  30. Handheld Usage in Healthcare (CompTIA 2011 survey): 25% usage with providers; another 21% expected to use; 38% of physicians use medical apps; 70% think it is a high priority; 1/3 use hand-helds for accessing EMR/EHR.
  31. EMR and EHR systems (figure only)
  32. Health Information Exchange (HIE) (figure only)
  33. Social Media: How does your practice use it? How do your employees use it? Do you have policies?
  34. Cloud-based services: Deployment models: public cloud, private cloud, hybrid. Typical uses: EHR applications; private-label e-mail; archiving of images; file sharing; on-line backups. HIPAA regulations remain barriers to full cloud adoption. Cloud computing is taking all batch processing and farming it out to huge central or virtualized computers.
  35. Top 5 Recommendations: 1. Ensure encryption of all protected health information in storage and in transit (or, at a minimum, de-identify it). 2. Implement a mobile device security program. 3. Strengthen information security user awareness and training programs. 4. Ensure that business associate due diligence includes a clearly written contract and a periodic assessment of tier 1 BAs. 5. Minimize sensitive data capture, storage and sharing.
  36. What happens after an OCR/HHS audit? OCR will attempt to resolve the case with the covered entity by obtaining: 1. Voluntary compliance 2. Corrective action, which might include a penalty 3. Resolution agreement. OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.
  37. Where do you start? Identify privacy/security requirements (contract, law, legal, regulation); adopt a security model/framework; develop the program (administrative, technical and physical safeguards; breach/incident management; governance); assess the program; document; monitor; review; improve.
  38. Key Takeaways: The HITECH Act enforces HIPAA guidelines with new audit, penalty and notification requirements. The ePHI elements drive the security and compliance requirements. There is no silver bullet for audit issues; it is a journey of continuous assessment and improvement.
  39. References: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html ; http://ehr20.com/resources ; http://www.natlawreview.com/practice-groups/healthcare-HIPPA-Stark-law-professional-licensing-Medicare-Medicaid-fraud-abuse-audits-kickback-false-claims
  40. Next Steps: Don't wait till the last minute. Sample policies and procedures kit with 4-hour OCR audit advisory consulting ($1500): http://ehr20.com/services/ Next live webinars: Social Media Compliance for Healthcare Professionals (4/11/2012); Meaningful Use Security Risk Analysis (4/18/2012). Sign up at ehr20.com/webinars
  41. Questions? E-mail: info@ehr20.com Call: 802-448-2255
  42. Thank you!!
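The 18-element list on slide 28 and the encrypt-or-de-identify recommendation on slide 35 both assume that an entity can actually find those identifiers in its own files before an auditor asks where ePHI lives. As an added example that is not part of the original webinar or the EHR 2.0 toolkit, the Python below scans free text for the shape-detectable subset of the Safe Harbor identifiers (SSN, phone/fax, e-mail, IPv4, URL, dates, ZIP) and redacts what it finds. The regular expressions and the sample record are constructed for this example and are assumptions, not an HHS or EHR 2.0 artefact; identifiers that need context (names, record and plan numbers, device serials, biometrics, photos) are deliberately out of scope.

```python
import re
from typing import Dict, List

# Shape-based patterns for the subset of the 18 identifiers that can be
# recognised without context. Names, medical record / account / plan numbers,
# device serials, biometrics and photos need field-aware or ML tooling and are
# deliberately left out. These patterns are illustrative assumptions made for
# this example, not an HHS or EHR 2.0 artefact.
PHI_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # 3-2-4 SSN; excludes area numbers 000/666/9xx and all-zero groups.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # North American phone/fax numbers with optional +1 and common separators.
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "url": re.compile(r'\b(?:https?://|www\.)[^\s<>"]+', re.IGNORECASE),
    # MM/DD/YYYY or ISO dates: every date element except the year identifies.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # 5- or 9-digit ZIP. Any 5-digit run matches, so review these hits by hand.
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Constructed sample record (fictional values, not real PHI). The plan ID is
# left in on purpose: it has no recognisable shape and is not detected.
SAMPLE_RECORD = """\
Patient: Max Bialystock, DOB 03/14/1961, admitted 2012-04-11, ZIP 10014.
Contact: 212 555 1234 (mobile), LeonT@example.com
SSN 239-68-9807; plan ID 123-ir-2222-98; portal www.example.org/patient
Last login from 192.0.2.15 at 08:12.
"""


def scan_for_identifiers(text: str) -> Dict[str, List[str]]:
    """Return, per identifier category, every match in the text in document order.

    Categories with no match are omitted, so an empty dict means nothing found.
    """
    hits: Dict[str, List[str]] = {}
    for kind, pattern in PHI_PATTERNS.items():
        found = [m.group(0) for m in pattern.finditer(text)]
        if found:
            hits[kind] = found
    return hits


def contains_phi(text: str) -> bool:
    """True if any shape-detectable identifier is present."""
    return bool(scan_for_identifiers(text))


def redact(text: str) -> str:
    """Replace each detected identifier with a typed placeholder.

    This is the crude end of de-identification: it removes only what the
    patterns catch, so it supplements encryption rather than replacing it.
    """
    for kind, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{kind.upper()}]", text)
    return text


if __name__ == "__main__":
    for kind, values in scan_for_identifiers(SAMPLE_RECORD).items():
        print(f"{kind:6s} {values}")
    print(redact(SAMPLE_RECORD))
```

Run it over an export of a file share or a mailbox and the category counts tell you which of the slide 28 elements are sitting outside the EHR; a clean run proves only that nothing shape-detectable remains, which is why the plan ID in the sample survives and why encryption, not redaction, is the first recommendation on slide 35.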
