They're Back! Phase 2 OCR Audits Are Underway

Slide 1: They're Back! Phase 2 OCR Audits Are Underway
Adam Greene, JD, MPH
Partner, Davis Wright Tremaine LLP

Slide 2: How You Get to Meet OCR
1. Complaint
2. Compliance Review
3. Breach Report
4. Audit

Slide 3: Background on OCR Audits
- 2009: HITECH Act requires OCR to conduct periodic audits of CEs and BAs
- OCR contractor conducts Phase 1 audits
- 2013: OCR contractor completes evaluation of audit program
- 2014: OCR outlines Phase 2 audit program
- Fall 2014: Phase 2 audit program originally scheduled to begin

Slide 4: Overall Findings & Observations of Pilot
- Only 11% of the entities had no findings
- Security accounted for 60% of findings and observations, although it was only 28% of the potential total
- Providers had a greater proportion of findings and observations (65%) than reflected by their proportion of the total set (53%)

Slide 5: Pilot Audits Top Findings
Privacy:
- Notice of Privacy Practices
- Access of Individuals
- Minimum Necessary
- Authorizations
Security:
- Risk Analysis
- Media Movement and Disposal
- Audit Controls and Monitoring

Slide 6: About Phase 2
Desk Audits:
- Focused on specific topics
- 200 to 250 covered entities and business associates
- Scheduled for 2016
Onsite Audits:
- Comprehensive
- 24 audits?
- Scheduled for

Slide 7: Current Phase 2 Audit Dates
- March 21, 2016: OCR sends first verifications
- April 4, 2016: OCR sends first pre-screening questionnaires
- May 20, 2016: OCR sends largest batch of verifications
- July 11, 2016: OCR sends desk audit requests to 167 covered entities
- July 13, 2016: OCR presents webinar for auditees
- Late September: OCR's forecast for when business associate audits will begin
- 2017: Onsite audits to begin

Slide 8: Initial Desk Audit Subjects: Covered Entities
Privacy/Breach:
- Notice of Privacy Practices
- Right of Access
- Timeliness of Breach Notification
- Content of Breach Notification
Security:
- Risk Analysis
- Risk Management

Slide 9: Covered Entity List of Business Associates
OCR also requested from each selected covered entity a list of business associates (BAs) with:
- Business Associate Name
- Type of Service(s) Provided
- First Point of Contact Information
- Second Point of Contact Information
- Website URL

Slide 10: Initial Desk Audit Subjects: Business Associates
Security/Breach:
- Risk Analysis
- Risk Management
- Breach Notification to Covered Entities

Slide 11: Anatomy of a Desk Audit
- Verification
- Pre-screening questionnaire
- Desk audit request (including request for list of BAs), with 10 business days to respond
- Draft audit report, with 10 business days to respond
- Final audit report

Slide 12: Sample Data Requests
- Upload policies and procedures regarding the entity's risk analysis process.
- Consistent with (b)(2)(i), upload documentation demonstrating that policies and procedures related to the implementation of this implementation specification were in place and in force six (6) years prior to the date of receipt of notification.
- Consistent with (b)(2)(ii)-(iii), upload documentation from the previous calendar year demonstrating that documentation related to the implementation of this implementation specification is available to the persons responsible for implementing this implementation specification, and that such documentation is periodically reviewed and, if needed, updated.
- Upload documentation of the current risk analysis and the most recently conducted prior risk analysis.
- Upload documentation of current risk analysis results.

Slide 13: Sample Audit FAQ
Q: What would be an example of proof that the risk analysis was available to the workforce members?
A: Supporting documentation should show that the entity makes appropriate documentation available to appropriate individuals or groups so that those individuals or groups can perform their job duties with respect to implementing the procedures of the Security Rule to which the documentation pertains. For example, to show that the individuals or groups requiring electronic access to risk analysis documentation (i.e., IT teams, security teams, management, legal counsel, etc.) have such access, screen shots could be used to show the availability of the risk analysis documentation by showing document properties, mapped drive permissions, etc. that indicate that the individuals or groups required to have access to such documents have it.

Slide 14: Future Desk Audit Topics?

Slide 15: Desk Audit Tips
- s are not blocked (including
- Going forward, start collecting additional information from BAs and maintaining a centralized list.
- Confirm policies and procedures and supporting documentation are in place for likely future audit areas:
  - Device and media controls
  - Transmission security
  - Privacy safeguards
  - Privacy training
  - Encryption and decryption of data at rest
  - Facility access controls

Slide 16: Onsite Audits
- Onsite, comprehensive audits will use the revised audit protocol available at
- Some desk auditees may be subject to a subsequent onsite audit.
- Will include an entrance conference and a three- to five-day site visit.
- Entities will have ten business days to respond to the draft report.

Slide 17: Onsite Audit Tips
- Use the revised audit protocol to prepare.
- Treat preparation as a significant project and allocate resources accordingly.
- Don't get onsite audit tunnel vision: breach preparedness may be the more important compliance priority.

Slide 18: Resources
- OCR Audit Website:
- OCR Audit Protocol:
- DWT HIPAA Audit Toolkit information:

Slide 19: For more information
Adam H. Greene, JD, MPH

Slide 20: ID Experts Webinar Series
ID Experts provides software and services for managing the disclosure and breaches of regulated data. Leading organizations in healthcare, insurance, financial services, universities, higher education, and government rely on ID Experts data incident management software and data breach response services for managing risks. ID Experts is an advocate for privacy and a leading contributor to legislation and industry organizations that focus on the protection of PHI and PII.
On the web:
If you are having a breach now, call