250 likes | 464 Views
OCR Audit Process & Penalties: Understanding the U.S. DHHS Office of Civil Rights’ EHR Audit Process and Penalties. Nathan Gibson, CISA, CISSP. Agenda. Common Questions Background HIPAA Audits Audit Timeline Audit Process Penalties How to Prepare Tools Lessons Learned
E N D
OCR Audit Process & Penalties: Understanding the U.S. DHHS Office of Civil Rights’ EHR Audit Process and Penalties Nathan Gibson, CISA, CISSP
Agenda • Common Questions • Background • HIPAA Audits • Audit Timeline • Audit Process • Penalties • How to Prepare • Tools • Lessons Learned • Meaningful Use Audits • How to Prepare • Tools • Summary • Resources
Common Questions • Who can audit us? • Office of Civil Rights (OCR) • State Attorneys General (SAG) • Centers for Medicare and Medicaid Services (CMS) • Meaningful Use • Will we be audited? • Short term – probably not (but always assume you will) • Eventually – YES • What are ways that we can be audited? • Random HIPAA • Complaint • Breach of Protected Health Information (PHI) • MU Audit • Could our Business Associates be audited? • Yes
Background • HITECH • Health Information Technology for Economic and Clinical Health • Included Enforcement & Penalties • Transferred Security Rule enforcement from CMS to OCR • Office of Civil Rights • Enforcement of the HIPAA Privacy and Security Rules • 115 audits to assess • Privacy Rule • Security Rule • Breach notification performance • Providing HIPAA Enforcement Training to State Attorneys General • State Attorneys General • Authority to bring civil actions on behalf of state residents for HIPAA violations
Audit Timeline • HIPAA Audit Timeline • June, 2011: Contract with KPMG • November, 2011: Draft audit protocols developed • April, 2012: Initial round of audits completed • December, 2012: All audits will be completed for the pilot program
Audit Process • Notification letter • Asked to provide documentation • Site visit • Final Report • Audit details • Findings • Actions taken hhs.gov
Notification Letter (sample) hhs.gov
Penalties • Loss of Contracts • Criminal and Civil Investigation • Federal Penalties • Up to $1.5 million • State Fines • Up to $25,000 • Reputation • Legal Costs • Notification Costs http://blog.willis.com/2011/10/scariest-financial-services-risk-data-breach/
How to Prepare (HIPAA) • Self-Assessment • Audit protocol • NIST 800-66 • Documentation • Risk assessment • PHI stored and transmitted (including third parties) • Policies & procedures • Documentation Request List • Lessons Learned • Existing Audits and Penalties • Best Practices • Available Tools • REC, OCR, NIST, HIMSS, etc.
How to Prepare (HIPAA) • Audit Protocol http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Tools • REC Tools • Security Risk Assessment Tool • Information Security Policy Template • Breach notification guidance • Privacy and Security Checklist (HIPAA & HITECH) • OCR • Audit Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html • NIST • HIPAA Security Rule Toolkit • http://scap.nist.gov/hipaa/ • Special Publications (800 Series) • http://csrc.nist.gov/publications/PubsSPs.html
Tools (cont.) • HIMSS • HIMSS Privacy and Security Toolkit for Small Providers • http://www.himss.org/asp/topics_PS_SmallProviders.asp • More Privacy & Security Toolkits • http://www.himss.org/asp/topics_pstoolkitsDirectory.asp?faid=568&tid=111 • Risk Assessment Toolkit • Mobile Security Toolkit • Cloud Security Toolkit
Lessons Learned • Audit Reason: Complaint • Organization: Cignet • Lessons: • Process in place for patients’ request for copies of their medical records • Cooperate with OCR! hhs.gov
Lessons Learned • Audit Reason: Breach • Organization: DHSS (Alaska) • Incident: Stolen USB Drive • Lessons: • Policies & Procedures • Risk analysis / risk management • Workforce training • Device & media controls • Encryption • Corrective Action Plan (valuable!)http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html hhs.gov
Lessons Learned • Audit Reason: Random Audits • HIPAA: OCR / KPMGMU: CMS • Lessons: • Review any audit reports released • Monitor progress of the audit program • Learn from findings discovered hhs.gov
Lessons Learned • Audit Reason: Complaint • Organization: Phoenix CardiacSurgery • Incident: Publicly postedclinical and surgical appt. • Lessons: • No practice is too small toexperience a breach • Security risk assessment needstoo include ALL locations of PHI • Documentation! • Review corrective action plan hhs.gov
Lessons Learned • Phoenix Cardiac Surgery Resolution Agreement & Corrective Action Plan
Meaningful Use • CMS EHR Incentive Program • All providers attesting to receive an EHR incentive payment • Medicare or Medicaid EHR Incentive Programs • Retain ALL relevant supporting documentation (in either paper or electronic format used in the completion of the Attestation Module) Documentation to support the attestation should be retained for six years post-attestation • Medicare and dually-eligible (Medicare and Medicaid) • Audits performed by CMS, and its contractors • Medicaid • Audits performed by states, and their contractors
Meaningful Use • Audit Contract • Figliozzi and Co., Garden City, NY (accounting firm) • Medicare recipients and hospitals that received incentive payments from both Medicare and Medicaid • Note: States and their individual contractors will audit incentive program participants who received bonuses from Medicaid alone
How to Prepare (MU) • Documentation • Proof that the EHR system used to meet meaningful use requirements is certified. • Supporting documentation proving that core objectives were met. • Supporting documentation that menu objectives were met.
Tools • CMS • Attestation FAQ’s (overview, preparing, and details of an audit) • https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10 • REC • Security Risk Assessment Tool • Information Security Policy Template • Breach notification guidance • Privacy and Security Checklist (HIPAA & HITECH)
Summary • Assume you’ll be audited • Prepare • Keep documentation updated • Understand & document where all PHI is stored & transmitted • Reasonable and appropriate security controls • Based on security risk assessment
Resources • OCR (hhs.gov) • Audit Pilot Program • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html • Sample Notification Letter • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf • Audit Protocol • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html • CMS • FAQ’s • https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10 • NIST • Security Rule Toolkit • http://scap.nist.gov/hipaa/ • GAO Report • http://www.gao.gov/assets/600/590538.pdf • OCR Documentation List • http://cynergistek.files.wordpress.com/2012/04/ocr-audit-documentation-request-list.pdf
Have a question, comment, or suggestion? • Contact Nathan Gibson at: • ngibson@wvmi.org • 304-346-9864 ext. 2236