View the Recording. Webinar: Accounting of Disclosures: Practical Approaches & Enforcement Update. November 17th, FairWarning, Inc.


1 Webinar: Accounting of Disclosures: Practical Approaches & Enforcement Update
November 17th, 2011
View the Recording

2 Learning objectives
- Enforcement update and lessons learned from past HIPAA audits
- Accounting of disclosures overview, with emphasis on what is new in the pending rule
- Lessons learned on practical steps toward fuller compliance with key portions of HIPAA, ARRA HITECH and new healthcare privacy state laws, as well as preparation for Accounting of Disclosures
- Steps toward reducing the expense & burden of privacy regulation

3 Today's panel
- Kurt J. Long, Founder, CEO
- Shane Whitlatch, EVP Alliances
- Chris Arnold, Director Product Management
- Frank DePrisco, VP of Global Customer Operations

4 Regulatory enforcement update
- November 8th, 2011 announcement by the Health and Human Services Office of Civil Rights (OCR)
- Up to 150 HIPAA audits begin November 2011 and conclude by December 2012
  - Test HIPAA audits: November 2011 through April 2012
  - Up to 130 HIPAA audits: May 2012 through December 2012
- Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the issue.
- For more information visit HHS OCR's web site at

5 Lessons learned from past HIPAA audits
- Areas of concentration: policies, Business Associate Agreements, access controls, application logging & monitoring, encryption, physical security, security levels of infrastructure components
- An appropriate method / technology must be deployed with sustainable processes in place in order to be considered for regulatory compliance. Future plans or shelf-ware do not count.
- Areas in need of the biggest improvement include monitoring of systems which access PHI
- Lessons Learned from the OIG HIPAA Audits with PricewaterhouseCoopers
- Helping to Meet Regulatory Requirement: Monitoring User Access and Security at Saint Luke's Health System

6 NPRM Accounting of Disclosure
- Pending rule published on May 27, 2011
- Key takeaways from the pending rule:
  - Care providers will be responsible for providing patient access reports for disclosures of information, even for treatment, payment and healthcare operations
  - Access reports cover patient access in electronic designated record sets
  - Response time changes from 60 days to 30 days
  - Information maintenance period changes from 6 years to 3 years
- Thorough overview of the rule: HIMSS and Davis Wright Tremaine LLP webinar
- Pending rule is hotly debated

7 NPRM Accounting of Disclosure
- Industry asserts shortcomings in the rule:
  - Current form of the rule is not patient-friendly
  - Goes too far too fast (covers too many systems immediately)
  - Must be balanced with state and local law considerations
  - Core of the challenge: audit data from healthcare application vendors
- Nonetheless, care providers need to be preparing for a final rule
- How is FairWarning assisting customers in preparing for a final rule?

8 A more holistic look at AOD and related regulation
- HIPAA Security Rule (2003 / 2005):
  - (a)(1)(ii)(d) Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  - (b) Technical safeguards. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- ARRA HITECH Privacy (2009):
  - Definition of privacy breach
  - Willful neglect
  - Patient disclosure
  - Governmental notification required
  - Media notification (500 or more)
  - Increased fines and precedent
  - Ability of state attorney general offices to bring lawsuits against care providers
  - Increased systemic audits: up to 150 now scheduled for 2011 and 2012
- Meaningful Use Criteria (2010):
  - Level 1 certification requires an EHR to produce an audit log
  - HITECH 45 CFR (r): conduct a security risk analysis per HIPAA 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies
- State laws: California Assembly Bill 211, California Senate Bill 541, California Senate Bill 850, Texas House Bill 300
- Proposed Accounting of Disclosure Rule (2011): under the May 27th, 2011 proposed accounting of disclosure rule, care providers will be responsible for providing access reports for disclosures of information, even for treatment, payment and healthcare operations. Providers, plans and their business associates will be required to maintain for 3 years the information required to produce the reports. The rule is available for public comment in the Federal Register through July 2011.

9 Lessons learned and insights from leaders in care: getting started
- Complete an organizational risk assessment by a third party yesterday. Perform it at least annually.
- Target gaps which address the largest vulnerabilities
- Make investments that address multiple vulnerabilities whenever possible
- Communicate gaps and risks early & often to executive management; they want to know when things have changed
- Personally understand your patient work-flows: walk the floors to identify vulnerabilities in your systems which provide access to PHI
- Establish remediation processes and sanction policies
- Certification training of privacy & compliance personnel, as well as general training

10 Lessons learned: more specifics
- Centralize application audit logs for Meaningful Use Certified EHR systems
- Centralize application audit logs for applications which provide the broadest access to PHI and associated vulnerabilities
- Enable access reporting centralized across audit data
- Enable privacy breach monitoring and alerting across centralized audit data
- Use remediation, sanctioning, communication plans and training to curtail breaches, as well as perform governmental reporting as required
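As an added example (not part of the webinar or of FairWarning's product), the steps on this slide in Python: audit exports from two applications with different native schemas are normalized into one centralized store, joined with identity data so accesses can be filtered and attributed to a person rather than a login, and turned into the per-patient access report the pending rule describes, limited to its proposed 3-year maintenance window. All event and identity records are constructed sample data, and the field names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed exports from two applications; native field names differ, so the store normalizes them.
EHR_EVENTS = [
    {"ts": "2011-10-03T14:02:11Z", "user": "jdoe", "mrn": "MRN-1001", "action": "VIEW"},
    {"ts": "2011-10-03T14:09:40Z", "user": "svc_backup", "mrn": "MRN-1001", "action": "EXPORT"},
    {"ts": "2011-10-20T07:45:00Z", "user": "tmp_user", "mrn": "MRN-1001", "action": "VIEW"},
    {"ts": "2008-01-15T09:00:00Z", "user": "jdoe", "mrn": "MRN-1001", "action": "VIEW"},
]
LAB_EVENTS = [
    {"event_time": "2011-11-01 08:15:00", "login": "ASMITH", "patient_id": "MRN-1001", "op": "print"},
]
# Constructed identity data (as an IdM export would supply) for filtering and attribution.
IDENTITIES = {
    "jdoe": {"name": "Jane Doe", "dept": "Cardiology", "service_account": False},
    "asmith": {"name": "Al Smith", "dept": "Laboratory", "service_account": False},
    "svc_backup": {"name": "Backup service", "dept": "IT", "service_account": True},
}
AS_OF = datetime(2011, 11, 17, tzinfo=timezone.utc)  # report date (constructed)

def normalize(events, app, ts_key, ts_fmt, user_key, patient_key, action_key):
    """Map one application's native records onto the common schema."""
    return [{"app": app, "user": e[user_key].lower(), "patient": e[patient_key],
             "action": e[action_key].upper(),
             "ts": datetime.strptime(e[ts_key], ts_fmt).replace(tzinfo=timezone.utc)}
            for e in events]

def build_events():
    """Centralize both applications' audit logs into one normalized list."""
    return (normalize(EHR_EVENTS, "EHR", "ts", "%Y-%m-%dT%H:%M:%SZ", "user", "mrn", "action") +
            normalize(LAB_EVENTS, "LabSystem", "event_time", "%Y-%m-%d %H:%M:%S",
                      "login", "patient_id", "op"))

def access_report(events, patient, as_of=AS_OF, retention_days=3 * 365, include_service=False):
    """Chronological accesses to one patient's record; unmatched logins are kept but flagged."""
    cutoff = as_of - timedelta(days=retention_days)  # pending rule: 3-year maintenance period
    rows = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["patient"] != patient or e["ts"] < cutoff:
            continue
        ident = IDENTITIES.get(e["user"])
        if ident and ident["service_account"] and not include_service:
            continue  # service accounts are filtered out of the patient-facing report
        rows.append({"when": e["ts"].isoformat(), "app": e["app"], "action": e["action"],
                     "who": ident["name"] if ident else e["user"],
                     "dept": ident["dept"] if ident else None,
                     "unmatched_identity": ident is None})
    return rows
```

A login with no identity match (`unmatched_identity`) is exactly the kind of access the privacy office should review, since it cannot be attributed to a workforce member.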

11 Practical steps forward
- Meaningful Use Certified EHRs: requirement to produce logs
- Non-certified applications have hit & miss audit logging support; FairWarning supports 145+, but there are hundreds more
- User identities for FILTERING & analytics
- Privacy analysis, alerting, access reporting
(Diagram labels: Privacy, PeopleSoft, IdM)

12 Standardization key to savings
- Electronic health record and healthcare application vendors
- Open copyright FairWarning Data Definition Guide 2.0
- FairWarning Ready: standardized data
- Rapid addition of audit sources
- Lower fully loaded expenses
- Standardized audit log extraction
- Best-practice audit log data
- FairWarning Ready Certified and Production Supported Applications

13 FairWarning Ready and goals
- No-charge and open copyright program
- Standardize audit extractions for hundreds of healthcare applications, making it easier and less expensive to conduct wide-scale application privacy auditing
- Apply best data practices from customers representing over 700 hospitals
- Apply best data practices from over 145+ applications
- FairWarning making the Data Definition Guide available on an open copyright basis to qualified care providers, EHRs, and healthcare application vendors

14 Strategies for broadening applications that are Accounting of Disclosures Ready
- Meaningful Use Certified EHRs: requirement to produce logs
- Non-certified applications have hit & miss audit logging support; FairWarning supports 145+, but there are hundreds more
- Standardized extraction and best practice data (EXAMPLES BELOW)
- User identities for FILTERING & analytics
- Privacy analysis, alerting, access reporting
(Diagram labels: Privacy, PeopleSoft, IdM)

15 Access Report

16 Considerations for sustainable compliance
- Extreme scale to handle volumes due to the size of the provider and / or the retention period
- Ability to add new audit sources rapidly and inexpensively
- Filtering enabled: ability to work with user identity data
- Ability to incorporate patient data not in audit logs for reporting & analytics
- Production certified compatibility with your electronic health record vendor(s) and applications
- Production certified compatibility with other information security investments, such as Security Information Management and Compliance Reporting solutions
- Breach detection solutions that don't involve audit logs leave your organization vulnerable to noncompliance with the previously detailed regulatory obligations

17 Solution keys to success
- Cooperation with key EHR vendors on the open copyright Data Definition Guide
- Standardized interfaces for audit source extraction and point-and-click loading, reporting and analytics
- Standardized interfaces and templates for user information used for robust filtering
- Standardized non-audit-log patient information for advanced analytics and filtering
- Robust system monitoring and error reporting for audit production
- Real-time privacy auditing services
- Extreme scalability, including proactive query tuning

18 Summary
- The pending Accounting of Disclosure Rule is hotly debated
- Take a holistic approach to compliance, including training, processes, third-party risk assessments and targeted technology investments
- Leverage application audit log HIPAA Security and ARRA HITECH investments to fulfill state laws and position for an affordable AOD final rule
- Regulation-ready compliance must be sustained: when scaling up the number of audited applications, vendor support and pricing models must provide a predictable future compliance path
- Ask healthcare application vendors to make it easier by supporting an open copyright, standards-based approach to auditing & disclosure compliance: FairWarning Ready

19 QUESTIONS & ANSWERS