Vendor Compliance and Oversight September 2014
Agenda
• Vendor Management Challenges
• Overview of Business Associate Oversight & Management
• OCR Audits are not your only exposure point
• What to expect in an audit
• Engaging your organization
Vendor Compliance
Regulatory mandate has forced a call to action in healthcare to improve vendor management: cost/value, fraud and abuse, patient safety and privacy. Government and industry oversight and financial pressures are forcing health systems to more thoroughly understand who they are doing business with; failing to do so can lead to serious financial and legal ramifications.

Oversight activities:
• Sanction checks PRIOR to commencing business; repeat monthly
• On-site access, training, & vaccination verification
• Financial & legal monitoring
• ePHI risk assessment
• Physician-owned distributors
• Vendor scorecarding
• Vendor parent-child relationships

Regulatory drivers:
• HHS/OIG list of excluded individuals and entities
• GSA excluded party list
• OFAC regulations
• Accreditation (JC, DNV)
• Federal False Claims Act
• Federal Anti-kickback Statute (PODs)
• Sunshine Act
• ACA MU
• HIPAA Security (Omnibus)

Consequences of non-compliance:
• Federal reimbursement withholdings
• MU re-payment
• Financial penalties
• Loss of accreditation
• False claims violations
• Corrective action plan
• Costly litigation
• Image damaged with payors, employers, public
HIPAA Privacy & Security Rule
BUSINESS ASSOCIATES:
• May use or disclose protected health information only as permitted or required by their business associate contract or as required by law.
• Are directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by their contract or required by law.
• Are directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
DEADLINE: September 24, 2014. Requires that covered entities and business associates (BAs) enter into contracts to ensure that the business associates will appropriately safeguard protected health information.
How to Identify a Business Associate
PREVIOUSLY: An individual or entity, not acting as an employee, that uses or discloses ePHI on behalf of a Covered Entity (CE).
BROADER NOW: Includes those that “create, receive, maintain or transmit ePHI” on behalf of a CE and their subcontractors.

Business associates before were defined as…
• A person or entity that creates, receives, or transmits PHI in fulfilling functions for a HIPAA-covered entity

Business associates are now defined as…
• A person or entity that creates, receives, or transmits PHI in fulfilling functions for a HIPAA-covered entity
• Entities that “maintain” PHI for a covered entity, such as a data storage company
• Health Information Organizations
• E-prescribing gateways
• Sub-contractors
• Data transmission providers
New Categories of BAs
• Health Information Organizations (HIOs)
• Patient Safety Organizations (PSOs)
• Data Storage Companies
• Entities that offer Personal Health Records
• Subcontractors that create, receive, maintain or transmit PHI on behalf of another BA
What’s the Risk of Not Being In Compliance
Source: Department of Health and Human Services, FederalRegister.gov, http://federalregister.gov/a/2013-01073
What’s the Risk of Not Being In Compliance
Recent HIPAA Settlements:
• New York and Presbyterian Hospital – $3.3M
• Columbia University – $1.5M
• Parkview Health System – $800K
Business Associates and Data Breaches
Breaches Involving Business Associates (% Total Breaches): Covered Entities 58%, Business Associates 42%
Involvement of Business Associates in Breaches (% Total Records Exposed): Covered Entities 38%, Business Associates 62%
Sources: Ponemon Institute 2012; OCR Breach Statistics 2012
Nearly half of all healthcare organizations report more than 5 breaches a year; over forty percent involve third parties.
OCR Audits Coming in 2014
• Creation of pool of covered entities eligible for audit complete
• Screening “pre-survey” to be sent to entities summer 2014 – to confirm size, type, contacts
• Selected entities will receive notification and data requests in Fall 2014 – to include identification of business associates
• Business associates in second wave
• Both desk and on-site audits
• Updated protocol will be available on website
Source: OCR presentation from HCCA 2014 Conference
2014 OIG Work Plan Includes Audits of:
• Security of portable devices containing personal health information
• Controls over networked medical devices at hospitals (new)
Source: 2014 OIG Work Plan
Meaningful Use Dollars at Risk
#15. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Source: ONC’s Guide to Privacy and Security of Health Information
FBI Issues Warning on Breaches
(U) Cyber actors will likely increase cyber intrusions against health care systems – to include medical devices – due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.
Source: FBI PIN
Business Associate Vendor Compliance Exposure Points
HIPAA DATA BREACH / COMPLAINT
• Triggers OCR investigation
• Can lead to investigations by IRS, FTC and FBI
OCR AUDIT of Covered Entity
• Omnibus Final Rule
• Beginning Fall 2014
• 20 days notification
OIG 2014 WORK PLAN – HIPAA Data Security Audit
• Patient at risk for identity theft
MEANINGFUL USE Stage 1
• Core Measure #15
• HIPAA Data Security – #1 reason to fail audit
Hospital / Health System: unidentified & unmanaged Business Associate vendors increase your risk.
What to Expect from an OCR Audit
Letter requesting the following with only 20 days to provide:
• List of Business Associates with updated contact information
• A copy of your most recent security risk assessment
• Copies of your HIPAA Policies and Procedures
• Proof that you have provided your employees with HIPAA training and security reminders
• Your incident response plan
• Proof that you have signed agreements with all your Business Associates
OCR Audit or Breach Investigation
Whether it is a random audit or a breach investigation, OCR will be looking for documentation of:
• Policies and procedures
• Implementation of policies and procedures
• Training
• Business associate agreements
• Risk analysis documentation
• Risk management policies, procedures and implementation
• Encryption/decryption evidence
• Mobile device policies and implementation
Challenges of Managing Business Associates
1. Determining which vendors are business associates
2. Proof of BA oversight
3. Organizational support and alignment across functions for another HIPAA regulatory initiative (e.g., clinical and IT buyers, accounts payable, supply chain, legal, compliance)
4. Sense of urgency: need to act to be “audit-ready” for OCR audits and other investigations
5. Budget for technology and services to identify and provide ongoing oversight
Successfully defending against any allegation of willful neglect or lack of oversight
How Can Your Organization Prepare?
CHALLENGES
• Identifying BA vendors
• Proof of BA oversight
• Full organizational support
• Sense of urgency
SOLUTIONS
• Utilize technology solutions to vet all existing vendors, then assess new vendors as they come onboard going forward
• Simplify HIPAA compliance by turning policy into documented procedure
• Accomplish screening, tracking and cross-department collaboration related to BAs
• Prepare for OCR audits and investigations with complete reporting to document BA oversight
How to Get Started
• BA oversight is a shared responsibility across the organization, but you must identify an ultimate owner
• Create a complete, single vendor master file that is the single source of truth
• Define your BA risk categories and assign vendors
• Vet all vendors, new and existing, with technology solutions
• Register vendors upfront to do BA assessments, just as you do Tax ID and sanction checks
• Operationalize the workflow
• Perform required oversight tasks
Remember… it is an ongoing process throughout the vendor lifecycle
How to Engage your Organization
The Message: HIPAA data security and Business Associate oversight
What is the risk of non-compliance?
• Risk of severe financial penalties
• High cost of data breach
• Regulatory investigation
• Criminal prosecution
• Damaged reputation with the community as a trusted healthcare provider
What do we need to do?
• Revise policies and procedures regarding vendor management to be in compliance with business associate requirements
• Initial assessment of all vendors
• Oversight tasks of BA vendors
• Ongoing process with new vendors
• Implement enablers – tools, technology & service; scale
• Piece of overall vendor management process
How to Engage your Organization
BOARD
• Know your board members, their responsibilities and liabilities
• Make opportunities for them to see you as a “trusted advisor”
• Keep it high level and don’t use healthcare jargon and acronyms
• Don’t quote law and statutes
• Do tell a story
C-SUITE
• Know your audience
• Strategically engage the C-suite’s direct reports
• Don’t quote law and statutes
• Do tell a story
• Be clear in asking for help
• Define business risk
Why Act Now?
• September 24 deadline to have revised BAAs for all BAs
• New rules being enforced
• BA audits starting this Fall
• Covered Entities have begun to get letters
• Meaningful Use attestation
• OIG Work Plan
• Recent HIPAA Settlements
Very difficult to get policies, procedures and documentation in place… NEED TO START NOW
FAQs
Q: What are best practices for policies to identify business associate vendors?
A: You should require all vendors to be registered with your organization, to provide a Tax ID and to answer business associate risk questions. Discuss with the internal champion of that vendor whether any protected health information will be accessed.
Q: We have thought that medical device vendors were not BAs. Are they BAs if the devices collect PHI?
A: Medical device vendors qualify as BAs if they meet the BA definition, but there are some cases in which medical device companies are ‘health care providers’ under HIPAA and do not require a BAA*.
Q: Some vendors are under the assumption that if they are compliant with rep credentialing requirements they do not have to sign a BAA. Is this correct?
A: No, if a vendor is a BA, then a BAA needs to be put in place to govern the relationship between the vendor and the covered entity.
*You should always consult with your legal counsel about your specific circumstance.