How to Prepare for an OCR HIPAA Audit
Tony Brooks, CISA
Principal & Director of IT Assurance and Risk Services, HORNE LLP
Louisiana HIPAA and EHR Conference, October 17, 2011
Agenda
• What to Expect with an OCR HIPAA Audit
• HIPAA Gap Analysis Approach
• Example HIPAA Security Rule Audit Plan
The HIPAA Auditors Are Coming
• In June 2011, OCR awarded KPMG, LLP a $9.2 million contract to administer the HIPAA privacy and security compliance audits required by Congress via HITECH
• The first phase of the audits, in which OCR plans to visit 150 covered entities, is expected to begin this fall and will end by December 31, 2012
• Though OCR is budgeted for 150 audits, it's unlikely the auditors will get through that many by the end of 2012

• The key goals of the HIPAA audits align with some of the major issues on OCR's radar for the industry:
  • Incident detection and response (OCR's top issue)
  • Access log review
  • Secure wireless network
  • User access and password management
  • Theft or loss of mobile devices
  • Up-to-date software
  • Role-based access (lack of information access management)

• Audits will no longer be driven by responses to complaints or breaches
• Audits will be directed at organizations that OCR selects based on an overall risk profile (e.g., size, type, complexity)
• Entities will receive advance notice before any audits
• Site visits conducted as part of every audit will include:
  • Interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director)
  • Examination of physical features and operations
  • Assessment of consistency of process to policy
  • Observation of compliance with regulatory requirements

• After each site visit the contractor must submit an audit report
• Audit reports will consist of the following information:
  • Identification and description of the audited entity, including full name, address, EIN and contact person
  • A timeline and methodology of the audit
  • Raw data collection materials such as completed checklists and interview notes
  • Specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan
  • Recommendations to OCR regarding continued need for corrective action, if any, and a description of future oversight recommendations

• Specifically, reports will include:
  • For each finding:
    • Condition: the defect or noncompliant status observed, and evidence of each
    • Criteria: a clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
    • Cause: the reason that the condition exists, along with identification of supporting documentation used
    • Effect: the risk or noncompliant status that results from the finding
  • Recommendations for addressing each finding
  • Entity corrective actions taken, if any
  • Acknowledgement of any best practices or successes
  • Overall conclusion paragraph
  • A certification indicating the audit is complete

• OCR expects that organizations are performing risk assessments. Risk assessments are not expected to be 'clean,' but it's important that organizations have corrective action plans in place and are diligently working to remediate issues.
• The audits are seen as an opportunity to gather information about exposures in the industry and proactively identify certain issues before they result in breaches across the industry.
• OCR plans to release aggregate findings across all audits as a learning process for the industry.
HIPAA Gap Analysis Approach
• Perform an inventory of places where PHI and ePHI are received, stored, and transmitted
• Review and analyze the inventory to confirm and understand the sources, locations and destinations of PHI and ePHI that is received, stored and distributed
• Review the HIPAA Privacy and Security Rules and develop an audit program designed to determine compliance with the Rules
• Develop a list of questions to be asked and information to be gathered during department/clinic walkthroughs to determine how well current practices meet the requirements of the HIPAA Privacy and Security Rules
• Develop a list of questions to be asked and information to be gathered during meetings with IT staff to determine what technical safeguards have been implemented

• Determine where compliance gaps exist
• Prepare a report of findings:
  • Introduction, including the timeline and methodology of the audit
  • Identification of each department and clinic audited
  • Findings grouped according to the HIPAA Privacy and Security Rule requirement, each including:
    • HIPAA requirement (criteria) citation
    • Condition: the defect or noncompliant status observed, and evidence of each
    • Cause: the reason that the condition exists, along with identification of supporting documentation used
    • Effect: the risk or noncompliant status that results from the finding
    • Recommendations for addressing each finding
    • Entity corrective actions taken, if any
  • Acknowledgement of any best practices or successes
  • Conclusion paragraph with next steps and statement of thanks

• Provide a draft version of the report to key stakeholders for review, correction and comment
• Work with key stakeholders to determine how gaps will be remediated, focusing on:
  • Priority of remediation activities
  • Assignment of responsibilities
  • Timeline for activities and follow-up
• Prepare a final version of the report and optionally include the remediation plan if it has already been developed
• Prepare and deliver a summary presentation of findings to department managers and executive management
Example HIPAA Security Rule Audit Plan
Administrative Safeguards: General Security Policy § 164.306
• Determine through inquiry and inspection what policies and procedures have been implemented that are designed to:
  (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits
  (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
  (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
  (4) Ensure compliance with this subpart by its workforce
• Determine if all the requirements of the Rule have been addressed

Administrative Safeguards: Security Management Process § 164.308(a)(1)(i)
• Determine through inquiry and inspection what policies and procedures have been implemented that are designed to:
  • Prevent
  • Detect
  • Contain
  • Correct security violations

Administrative Safeguards: Risk Analysis § 164.308(a)(1)(ii)(A)
• Determine through inquiry and inspection if a formal risk analysis has been performed for all PHI-containing systems
• Determine if the risk analysis includes these elements:
  1. Conduct an inventory of electronic protected health information ("ePHI") documenting how ePHI is received, stored, accessed, and transmitted
  2. Perform the risk analysis based on the ePHI survey results
    a. Determine the human, natural and technological threats that could cause unauthorized access, disclosure, alteration, damage, or destruction of ePHI
    b. Determine if and how the covered entity is vulnerable to each of the identified threats
    c. Determine how likely it is that the identified threats can take advantage of the identified vulnerabilities by assessing the mitigating controls that are in place
    d. Determine the impact level for each identified risk (e.g., regulatory compliance failure, loss of critical data, loss of confidentiality, downtime, negative public relations, etc.)
    e. Calculate the risk for each identified threat (vulnerability x likelihood x impact = risk)
    f. Prepare a ranking based on risk level
    g. Determine what changes should be implemented based on the risk ranking
    h. Develop an action plan to make changes which includes a budget, action steps and timetable
    i. Assign responsibility for the action plan and implement accountability measures
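As an added illustration (not part of the presentation), the scoring, ranking and remediation-selection steps 2a to 2g above can be carried out over a constructed ePHI inventory as follows; the 3-point rating scale, the score bands and every system and threat listed are assumptions made for the example.

```python
# Added example (not from the presentation): scoring and ranking the risks
# found in an ePHI risk analysis, following steps 2a-2g of the audit plan.
# The systems, threats and ratings below are constructed for illustration.
from dataclasses import dataclass

SCALE = (1, 2, 3)  # assumed 3-point scale: 1 = low, 2 = medium, 3 = high


@dataclass(frozen=True)
class RiskItem:
    system: str         # ePHI-containing system from the inventory (step 1)
    threat: str         # human, natural or technological threat (step 2a)
    vulnerability: int  # how exposed the entity is to this threat (step 2b)
    likelihood: int     # chance the threat exploits it, given current controls (step 2c)
    impact: int         # consequence if it does (step 2d)

    def __post_init__(self):
        for name in ("vulnerability", "likelihood", "impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be one of {SCALE}, got {value!r}")

    @property
    def risk(self) -> int:
        # Step 2e: vulnerability x likelihood x impact
        return self.vulnerability * self.likelihood * self.impact


def risk_band(score: int) -> str:
    # Assumed banding of the 1..27 score range; an entity sets its own thresholds
    if score >= 18:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_risks(items):
    # Step 2f: highest risk first; ties broken by impact, then by name for a stable report
    return sorted(items, key=lambda r: (-r.risk, -r.impact, r.system, r.threat))


def risk_register(items):
    """Ranked (system, threat, score, band) rows for the risk analysis report."""
    return [(r.system, r.threat, r.risk, risk_band(r.risk)) for r in rank_risks(items)]


def remediation_candidates(items, minimum_band="medium"):
    """Step 2g: the items that should drive the action plan, highest risk first."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [r for r in rank_risks(items) if order[risk_band(r.risk)] >= order[minimum_band]]


# Constructed sample inventory of threats against ePHI-containing systems
INVENTORY = [
    RiskItem("EHR", "Lost or stolen unencrypted laptop", 3, 3, 3),
    RiskItem("EHR", "Malware infection via phishing e-mail", 2, 3, 3),
    RiskItem("Lab system", "Backups never test-restored", 3, 2, 2),
    RiskItem("Billing", "Departed employee account still enabled", 2, 2, 2),
    RiskItem("Billing", "Flooding in server room", 1, 1, 3),
]

if __name__ == "__main__":
    for system, threat, score, band in risk_register(INVENTORY):
        print(f"{score:>2} {band:<6} {system:<11} {threat}")
```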
Administrative Safeguards: Risk Management § 164.308(a)(1)(ii)(B)
• Determine through inquiry and inspection if an ongoing risk management program has been implemented that addresses the risks identified in the risk analysis and determines your overall HIPAA compliance posture
• Determine what security measures have been implemented to reduce risks and vulnerabilities to a reasonable and appropriate level

Administrative Safeguards: Sanction Policy § 164.308(a)(1)(ii)(C)
• Determine through inquiry and inspection if a written sanction policy has been provided to all employees describing the sanctions that will be applied to workforce members who fail to comply with the security policies and procedures of the covered entity
• Determine if any sanctions have been applied for violations of HIPAA security policies

Administrative Safeguards: Information System Activity Review § 164.308(a)(1)(ii)(D)
• Determine through inquiry and inspection if an information systems activity review process has been established and regularly scheduled (e.g., user access, data changes, transmission of data, etc.)
• Determine what information systems activity review software has been implemented (if any), observe the system in use, and inspect system-generated reports noting completeness
• Obtain and inspect documentation of any reviews conducted in the past 12 months

Administrative Safeguards: Assign Security Responsibility § 164.308(a)(2)
• Determine through inquiry and inspection if a HIPAA Security Officer has been officially designated. If so, who has this responsibility?
• Obtain and inspect documentation showing that appointment and a summary of key activities performed in the past year
• Inquire of a sample set of employees regarding the name and role of the HIPAA Security Officer

Administrative Safeguards: Workforce Security § 164.308(a)(3)(i)(A)-(C)
• Determine through inquiry and inspection what policies and procedures have been implemented to:
  • Ensure that all members of the workforce have appropriate access to electronic protected health information
  • Prevent those workforce members who do not have authorized access from obtaining access to electronic protected health information

Administrative Safeguards: Authorization and/or Supervision (Addressable) § 164.308(a)(3)(ii)(A)
• Determine through inquiry and inspection what policies and procedures have been implemented to ensure that:
  • Physical and logical access to ePHI is appropriate for all workforce members
  • Workforce members are appropriately supervised when accessing ePHI or working in areas where PHI and ePHI may be located

Administrative Safeguards: Workforce Clearance Procedure (Addressable) § 164.308(a)(3)(ii)(B)
• Determine through inquiry and inspection what policies and procedures have been implemented to ensure that physical and logical access to ePHI is appropriate for all workforce members and that workforce members are appropriately supervised when accessing ePHI or working in areas where PHI and ePHI may be located
• Determine through inquiry and inspection what policies and procedures have been implemented to ensure that appropriate workforce clearance procedures have been performed to reduce the likelihood of data breaches and HIPAA violations
• Determine if these areas have been addressed:
  • The level of access to individually identifiable health information for workforce members is based upon the nature of each workforce member's job and his/her duties and responsibilities
  • Workforce members have access to the protected health information that they need to do their jobs, but no more access than is required
• For a sample set of new hires, determine if background checks or other reviews were performed

Administrative Safeguards: Termination Procedures (Addressable) § 164.308(a)(3)(ii)(C)
• Determine through inquiry and inspection what policies and procedures have been implemented to ensure that access to ePHI is promptly removed when a workforce member's employment ends, or when the workforce member has been sanctioned for serious offenses or violations of policy, in accordance with the sanction policy
• For a sample set of departing employees, determine if a formal request was submitted asking for access rights to be removed and if such request was timely submitted
• For a sample set of departing employees, inspect application user lists to determine if active accounts were still in place for those in the sample set
Administrative Safeguards: Information Access Management § 164.308(a)(4)(i); Access Authorization and Access Establishment & Modification (Addressable) § 164.308(a)(4)(i)(B)-(C)
• Determine through inquiry and inspection if a formal process is in place for administering access rights to ePHI-containing systems
• Determine if these elements have been included as part of the process:
  • Written requests to establish access by an appropriate manager or supervisor
  • Guidelines showing how access rights are granted and administered (e.g., role-based access, custom access, consideration of access conflicts across multiple application systems, administration of changes to or removal of access rights)
  • Documentation showing what access rights have been granted, when and by whom
  • Periodic access rights reviews to ensure access rights are still appropriate and that access rights have been removed in a timely manner
• For a sample set of new hires and transfers, determine if formal requests were submitted asking for access rights to be granted/changed and if such requests were timely submitted

Administrative Safeguards: Security Awareness & Training § 164.308(a)(5)(i); Security Reminders (Addressable) § 164.308(a)(5)(ii)(A)
• Determine through inquiry and inspection what policies and procedures have been implemented to provide HIPAA privacy and security training to new workforce members and to provide ongoing training, including periodic reminders
• For a sample set of new hires, obtain documentation showing that those in the sample set attended HIPAA training prior to or shortly after their employment began (contractors, temporaries, and others should also receive training)
• Inspect the training materials to determine if key items have been included and if employees were informed about the sanction policy
• Determine how periodic reminders are provided and obtain 4 examples from the past 12 months

Administrative Safeguards: Protection from Malicious Software (Addressable) § 164.308(a)(5)(ii)(B)
• Determine through inquiry and observation what anti-virus and anti-spyware software has been installed, both at the network perimeter layer and the computer layer
• Determine how this software is updated and how often
• Determine if the organization has experienced the infection of multiple workstations at the same time during the past 12 months (i.e., an outbreak)
• For a sample set of users or workstations, visually inspect the workstations to determine if the anti-virus and anti-spyware software has been updated in the past 30 days (or obtain a report showing the last update for servers and workstations)

Administrative Safeguards: Login Monitoring (Addressable) § 164.308(a)(5)(ii)(C)
• Determine through inquiry and observation what tools and processes have been implemented to allow the organization to detect unsuccessful attempts to log into the network and application systems
• Determine how often and by whom failed attempts are reviewed

Administrative Safeguards: Password Management (Addressable) § 164.308(a)(5)(ii)(D)
• Determine through inquiry and inspection if "strong" passwords are required at the domain, application and device level and if passwords must be changed upon initial setup and on a periodic basis thereafter
• Determine what policies and procedures have been implemented regarding passwords and password security
• Determine if any systems are not able to enforce strong passwords and what is being done to mitigate the associated risks

Administrative Safeguards: Security Incident Procedures, Response and Reporting § 164.308(a)(6)(i)-(ii); HITECH 13402
• Determine through inquiry and inspection what policies and procedures have been implemented to define the action to be taken if a security incident occurs, including:
  • Formation of a security incident response team
  • Determination if a breach occurred (was unencrypted ePHI involved?)
  • Mitigation of damages
  • Changes to reduce or eliminate the cause of the breach
  • Assessment of impact to company operations
  • Assessment of impact to patients
  • Determination if notice is required and how notice will be performed
  • Determination of what type of notice to HHS is required
  • Determination if a press release is required and the content of the release
  • Contact person for those affected and for the media
  • Documentation of the incident and incident response
Administrative Safeguards: Contingency Plan § 164.308(a)(7)
• Determine through inquiry and inspection what policies and procedures have been implemented for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information

Administrative Safeguards: Data Backup Plan § 164.308(a)(7)(ii)(A)
• Determine through inquiry and inspection if a data backup plan has been implemented for all ePHI-containing systems and whether tests are periodically performed to ensure that such data can be completely restored
• Select the top 5 ePHI-containing application systems and ask for evidence that all data files for those systems are being completely backed up

Administrative Safeguards: Disaster Recovery Plan § 164.308(a)(7)(ii)(B)
• Determine through inquiry and inspection if a disaster recovery plan has been implemented to ensure that critical ePHI-containing systems can be restored within the timeframes required to meet business and patient care needs, including:
  • An up-to-date inventory of all critical hardware, software, communications facilities, and data files that are required to provide patient care and conduct business operations
  • Thorough procedures, including staff responsibilities, vendors, and contact information, to provide for prompt replacement of hardware, software and communications facilities
  • Detailed technical instructions for the restoration of all ePHI-containing application systems
• Request a demonstration of test restorations for at least one data file for each of the top 5 ePHI-containing application systems

Administrative Safeguards: Emergency Mode Operation Plan § 164.308(a)(7)(ii)(C)
• Determine through inquiry and inspection if an emergency mode operation plan has been implemented that will provide for the ongoing security of ePHI while operating in emergency mode

Administrative Safeguards: Testing and Revision Procedures (Addressable) § 164.308(a)(7)(ii)(C)
• Determine through inquiry and inspection if the disaster recovery plan has been tested during the past 12 months, the results of that test, and what changes were made, if any, as a result

Administrative Safeguards: Applications and Data Criticality Analysis (Addressable) § 164.308(a)(7)(ii)(E)
• Determine through inquiry and inspection if a business impact analysis has been performed to determine the relative criticality of the various hardware, software, and communications systems in the contingency plan, data backup plan, disaster recovery plan and emergency mode operation plan
• Determine if the recovery time objective and recovery point objective for each system have been determined and how the above-mentioned plans incorporate the RTOs and RPOs

Administrative Safeguards: Evaluation § 164.308(a)(8)
• Determine through inquiry and inspection if and when a HIPAA Security Rule compliance gap analysis has been performed
• Determine what major environmental or operational changes have occurred during the past 12 months and how those changes affected the ePHI-containing systems

Administrative Safeguards: Business Associate Contracts and Other Arrangements § 164.308(b)(1)
• Determine through inquiry and inspection if the business associate agreements have been updated to address the changes required by the HITECH Act
• Determine the process that is used to ensure that up-to-date business associate agreements have been signed by all appropriate business partners and vendors
• Determine how business associate agreements are inventoried and who is responsible for ensuring that business associate agreements are maintained
• Request a listing of vendors from the accounts payable application, labeled if possible as to whether or not the vendors provide health care services or IT services which would require them to receive or access ePHI
• Select a sample set of 20 vendors who receive or access ePHI and determine if signed business associate agreements are on file for those in the sample set
• If business associate agreements are not on file, perform inquiry to determine why a business associate agreement is not on file
Physical Safeguards: Facility Access Controls (Addressable) § 164.310(a)(1)
• Determine through inquiry and inspection what policies and procedures have been implemented to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed

Physical Safeguards: Facility Contingency Operations (Addressable) § 164.310(a)(2)(i)
• Determine through inquiry and inspection what procedures have been implemented that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operation plan in the event of an emergency
• Determine how those procedures address situations where the facilities are uninhabitable or totally destroyed

Physical Safeguards: Facility Security Plan (Addressable) § 164.310(a)(2)(ii)
• Determine through inquiry and inspection what policies and procedures have been implemented to safeguard facilities and ePHI-containing/accessing equipment from unauthorized physical access, tampering, and theft
• Determine how access to high-traffic or high-risk areas is controlled, logged and monitored
• Determine if any physical security incidents occurred in the past 12 months and how those were handled and resolved

Physical Safeguards: Facility Access Control and Validation Procedures (Addressable) § 164.310(a)(2)(iii)
• Determine through inquiry and inspection what policies and procedures have been implemented to control and validate a person's access to facilities based on their role or function (e.g., employee, vendor, contractor, consultant, temporary or other type of visitor)
• Determine what methods are used to control physical access (e.g., key management, swipe card management, etc.)
• Determine how physical access devices are inventoried, reviewed, and managed, specifically when individuals transfer or no longer have a need for access
• Request a list of individuals who have been assigned access devices to high-risk areas (i.e., data center and network closets)
• Compare the list of individuals to a list of current employees, noting any individuals who are not current employees
• Inquire of IT management regarding the business reason for each person's access, especially those who are not listed as active employees
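The comparison step above and the termination-procedure tests under § 164.308(a)(3)(ii)(C) (departing employees with active application accounts, and whether removal requests were timely) are the same reconciliation against HR records; the script below, added here as an example and not part of the presentation, performs both over constructed HR, application, removal-request and badge-system records, with a one-day timeliness threshold assumed for the example.

```python
# Added example (not from the presentation): the two reconciliation tests in
# this audit plan, departing employees against application user lists and
# high-risk-area badge holders against current employees. All records are
# constructed; a real review would export them from HR, each application and
# the badge system.
from datetime import date

# Constructed HR feed: status and, for leavers, the last day of employment
HR_RECORDS = {
    "asmith": {"status": "active", "end_date": None},
    "bjones": {"status": "terminated", "end_date": date(2011, 8, 15)},
    "cwhite": {"status": "terminated", "end_date": date(2011, 9, 30)},
    "dlee": {"status": "active", "end_date": None},
}

# Constructed user list from one ePHI application: username -> account enabled?
APP_USERS = {"asmith": True, "bjones": True, "cwhite": False, "eprice": True}

# Constructed log of formal access-removal requests: username -> date submitted
REMOVAL_REQUESTS = {"bjones": date(2011, 9, 1), "cwhite": date(2011, 9, 30)}

# Constructed badge-system export: username -> high-risk areas the badge opens
BADGE_HOLDERS = {
    "asmith": ["data center"],
    "bjones": ["network closet"],
    "fgray": ["data center", "network closet"],
}


def not_current(hr, user):
    """Reason a user should not hold access, or None if HR shows them active."""
    record = hr.get(user)
    if record is None:
        return "no HR record"
    if record["status"] != "active":
        return f"terminated {record['end_date'].isoformat()}"
    return None


def orphaned_accounts(hr, app_users):
    """Enabled application accounts whose owner has left or is unknown to HR."""
    return [(user, not_current(hr, user)) for user, enabled in sorted(app_users.items())
            if enabled and not_current(hr, user)]


def untimely_removals(hr, requests, max_days=1):
    """Leavers with no removal request, or one filed more than max_days after their
    end date (the 1-day threshold is an assumption; use the entity's own policy)."""
    findings = []
    for user, record in sorted(hr.items()):
        if record["status"] == "active":
            continue
        requested = requests.get(user)
        if requested is None:
            findings.append((user, None))  # no formal request at all
        elif (requested - record["end_date"]).days > max_days:
            findings.append((user, (requested - record["end_date"]).days))
    return findings


def badge_exceptions(hr, badge_holders):
    """High-risk-area badge holders who are not current employees, for IT management
    to justify (vendors and contractors may be legitimate but need a documented reason)."""
    return [(user, areas, not_current(hr, user)) for user, areas in sorted(badge_holders.items())
            if not_current(hr, user)]


if __name__ == "__main__":
    print("Enabled accounts for non-employees:", orphaned_accounts(HR_RECORDS, APP_USERS))
    print("Late or missing removal requests:", untimely_removals(HR_RECORDS, REMOVAL_REQUESTS))
    print("Badge holders to justify:", badge_exceptions(HR_RECORDS, BADGE_HOLDERS))
```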
Physical Safeguards: Facility Maintenance Records (Addressable) § 164.310(a)(2)(iv)
• Determine through inquiry and inspection what policies and procedures have been implemented to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, locks, swipe card devices, etc.)
• Inspect maintenance and repair logs for completeness

Physical Safeguards: Workstation Use § 164.310(b)
• Determine through inquiry and inspection what policies and procedures have been implemented regarding appropriate workstation use and placement