Update on Audits of Entity Compliance with the HIPAA Rules

Similar documents
Text. What the Heck is a HIPAA AUDIT? Presented by Sue Miller

They re Back! Phase 2 OCR Audits Are Underway

From the Front Lines: Navigating the OCR Phase 2 HIPAA Audits

2012 HIPAA Privacy and Security OCR Audits

HIPAA Compliance. Mandatory for 7 MILLION Covered Entities (CE) & Business Associates (BA) 70% of the market is NOT compliant!

Welcome to today s Live Event we will begin shortly. Please feel free to use Chat or Q&A to tell us any burning questions you may have in advance

HIPAA Demystified: Strategies to Bullet Proof Your Compliance Plan. Chris Apgar, CISSP Ron Moser, CISA, CRISC

Managing the Business Associate Relationship: From Onboarding to Breaches. March 27, 2016

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

Collaboration with Business Associates on Compliance

THE FIVE ELEMENTS OF AN EFFECTIVE HIPAA AUDIT PREPARATION PROGRAM

Preparing for an OCR Audit: What is Expected of You

The Relationship Between HIPAA Compliance and Business Associates

2018 Program Audit Process Overview

INTERNAL AUDIT AND ASSURANCE MANDATE

a physicians guide to security risk assessment

HIPAA and Electronic Information

Pioneers in Quality. Joint Commission 2018 ecqm Direct Data Submission Platform: Your Questions Answered. Tricia Elliott, MBA, CPHQ.

NOT PROTECTIVELY MARKED

OCR Audits: 2012 Results Overview

Privacy Assessment: Beginning the Process

Compliance Operations Draft Reliability Standard Compliance Guidance for MOD and MOD October 22, 2013

2017 Archaeology Audit Program Procedure Manual. April 2017

How to Finish the HIPAA Security Risk Analysis and Meaningful Use Risk Assessment

View the Recording. Webinar: Accounting of Disclosures: Practical Approaches & Enforcement Update. November 17 th, FairWarning, Inc.

Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP Senior Manager, Wipfli Risk Advisory Services OBJECTIVES

Clearwater and Encompass Case Study Creating an OCR-Quality Risk Management Plan

University Document Hierarchy

Navigating the New Health Economy

Procedure: Supporting Sponsored Project Audits and Site Visits

Auditing data protection

ISCC Integrity Program

National Grid Electricity Transmission plc Balancing Mechanism Review

Administrative Response Business Continuity Internal Audit Report

Governance & Total Compliance

Standard Operating Procedure. GCP Auditing of Research Studies

HIPAA PRIVACY RULE IMPLEMENTATION WHAT S UP AFTER 4/14/03?

NPCC 2008 Corporate Goals

Report No. AHCA A February Agency Agreements EXECUTIVE SUMMARY

Trends in CMS Audits and Enforcement Actions Against Medicare Advantage and Part D Plans

Regional Seminar/Workshop on USOAP CMA and SAST Tools

Compliance Operations Draft Reliability Standard Compliance Guidance for PER July 1, 2013

Developing an Environmental Compliance Plan

1.0.0 EXPORT MANAGEMENT & COMPLIANCE PROGRAM Introduction This self-assessment tool is created for exporters to aid in the development of

Audit Project Process Overview 1/18/ Compliance and Audit Symposium. Agenda. How to Kick-start your. Audit Planning and Risk Assessment

Review of agreed-upon procedures engagements questionnaire

RBA Validated Audit Program (VAP) Operations Manual Revision January 2018

Conduct a More Effective Management Review. Rob Packard, Consultant

This webinar is Parish Emergency Operations Planning Session 1: Beginning the Basic Plan. October 22, Welcome Questions - Chat feature

ADVANCED COMPLIANCE STRATEGIES: CORPORATE GOVERNANCE AND CORPORATE COMPLIANCE

General Data Protection Regulation

Privacy Management Programs. Ruth Marks and Stacey Pratt April 2018

You Might Have a HIPAA Breach. Now What?

You Might Have a HIPAA Breach. Now What?

SQF Code Version 7.2 NSF International. May 20, 2014

Human Research Protection Program Compliance Plan

To recognize the importance of due diligence in initial vendor selection. To understand what should be included in a robust vendor oversight program

Quality Insights Quality Innovation Network Security Risk Assessments: Meaningful Use and HIPAA Perspectives Webinar August 26, 2015

1. Membership of the Committee

Effects of GDPR and NY DFS on your Third Party Risk Management Program

Phase IV CAQH CORE Operating Rules

HIPAA Summit VII. Preconference III. Advanced Strategies to Achieve ROI in Implementing HIPAA

PHYSICIAN PRACTICE MANAGEMENT

Tip Sheet 17: Review of Research by the Expedited Procedure

Sarbanes-Oxley Compliance Kit

Contract and Procurement Fraud. Detection and Prevention

Information Governance Policy

Table of Contents 1. PURPOSE 2. SCOPE 3. BACKGROUND 4. RESPONSIBILITY

University Document Hierarchy

Alignment with the OECD Due Diligence Guidance

Procedure for Conducting On-Site Compliance Audits

An EMS is a management tool to improve environmental performance by providing a systematic way of managing an organization s environmental affairs.

Topics summarised in this presentation are: method for defining quality level you want meaning of external controls quality assurance activities

Role Based Access Governance and HIPAA Compliance: A Pragmatic Approach

4/21/2017. Compliance Simplified: A True Story. Dixon Davis, MBA,MHSA,CMPE Laurie K. Brown, MBA, COMT, COE Senior Consultants with BSM Consulting

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November /13. Interinstitutional File: 2013/0027 (COD)

APPRENTICESHIP SUBCONTRACTING POLICY

Certificate of Recognition (COR ) COR Program Guidelines. Infrastructure Health & Safety Association (IHSA) 05/17 1

U.S. Department of Energy Office of Environment, Health, Safety and Security. Procedure AD-1-2A Conducting DOECAP Laboratory and TSDF Phased Audits

Quality Control Systems and Engagement Files Monitoring and Inspections the Protocol

IOSCO Comments on SWP Consultation Paper (CP) and Planning Committee (PC) Responses and Recommendations

STEPS FOR EFFECTIVE MANAGEMENT OF VENDOR AND SUPPLIER CYBERSECURITY RISKS. April 25, 2018 In-House Counsel Conference

RESULTS. Of the 6 recommendations assessed in this follow-up, all were determined to be fully implemented, as presented below. 2

Considering the Cloud: Inside the Mind of the Healthcare CIO. December 15, :00 3:00 pm ET

Phase II CAQH CORE 250: Claim Status Rule version March 2011

Terms of Reference. Quality and Value Audits

Standard on Quality Control (SQC)-1 Need for Documentaton. Abhay Vasant Arolkar

Meaningful Use Audit

Presenting a live 90-minute webinar with interactive Q&A. Today s faculty features:

Summary QRP Report INSIDE THIS REPORT

Webinar audit time calculation 22 June 2015

Internal Audit Report

Alberta Construction Safety Association

Prince William County, Virginia Internal Audit Report Timekeeping Cycle Audit. August 31, 2018

Internal Auditing and Control of Nonconforming Work

Procedures on Management System Certification

DATA PROTECTION POLICY

Chemical Inhibitor Approval Scheme (CIAS) Audit Procedure

Audits must be conducted with due concern for employee safety and environmental protection.

Transcription:

Update on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human Services September, 2017

Presentation Topics Purpose Phase 2 Audit Program Status, Process, Protocol Preliminary Findings Guidance 2

Audit Program Purpose Support Improved Compliance Identify best practices; uncover risks & vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance Intended to be non-punitive, but OCR can open up compliance review (for example, if significant concerns are raised during an audit or an entity fails to respond) Learn from this phase in structuring permanent audit program Develop tools and guidance for industry selfevaluation and breach prevention 3

Audit Program Status Desk audits of covered entities complete Desk audits of business associates underway Business associate selection pool largely drawn from over 20,000 entities identified by audited CEs On-site audits of both CEs and BAs after completion of the desk audit process, to evaluate against a comprehensive selection of controls in protocols Desk audit subject may be subject to on-site audit 4

# of Audits by Type & Provision CE Audits (166) Privacy and Breach (103) Security (63) BA Audits (41) Breach and Security 5

Audited Covered Entities 2016 Audited Covered Entities Health Plan 8.7% Health Care Clearinghouse 1% Provider 90% 6

7 # of Audits by Region

Desk Audit Reporting: Process After review of submitted documentation draft findings shared with the entity, Entity may respond in writing Final audit reports will describe how the audit was conducted, present any findings, and contain any written entity responses to the draft Under OCR s separate, broad authority to open compliance reviews, OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of PHI are revealed through the audit 8

Failure to Respond Email notice to verify contact information Pre-audit screening questionnaire Document request notification Entities who fail to respond, remain in the audit pool & may be subject to compliance review 9

Covered Entity Desk Audit Controls Notice of Privacy Practices & Content Requirements [ 164.520(a)(1) & (b)(1)] Privacy Rule Controls Provision of Notice Electronic Notice [ 164.520(c)(3)] Right to Access [ 164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)] Breach Notification Rule Controls Security Rule Controls Timeliness of Notification [ 164.404(b)] Content of Notification [ 164.404(c)(1)] Security Management Process -- Risk Analysis [ 164.308(a)(1)(ii)(A)] Security Management Process -- Risk Management [ 164.308(a)(1)(ii)(B)] 10

Business Associate Desk Audit Controls Breach Notification Rule Controls Notification by a Business Associate [ 164.410, with reference to Content of Notification 164.404(c)(1)] Security Management Process -- Risk Analysis [ 164.308(a)(1)(ii)(A)] Security Rule Controls Security Management Process -- Risk Management [ 164.308(a)(1)(ii)(B)] 11

Document Requests: Privacy and Breach Audits Notice of Privacy Practices Copy of all notices including URL of notice posted on the entity web site, electronic notice policy and procedures Right to Access Access requests, extensions to access requests, access requests templates/forms, NOPP, access policies and procedures Timeliness of Notification Documentation for five small and large breaches incidents Content of Notification Five large breach incidents, breach template/form, copy of a single written notice 12

Document Requests: Security Audits Risk Analysis Current and prior risk analysis and results Policies and procedures of the risk analysis process Policies and procedures related to the implementation of risk analysis 6 years prior to the date of audit notification Documentation from the previous year demonstrating implementation of risk analysis process, how it is available to persons responsible for process and evidence the documentation is periodically reviewed and updated, as needed 13

Document Requests: Security Audits Risk Management Documentation demonstrating the security measures implemented to reduce risks as a result of the current risk analysis or assessment Documentation demonstrating the efforts used to manage risks from the previous calendar year Policies and procedures of the risk management process Policies and procedures related to the implementation of risk management for the prior 6 years of the date of audit notification Documentation demonstrating the current and ongoing risks reviewed and updated Documentation from the previous year demonstrating implementation of the risk management process, how it is available to persons responsible for the risk management process and evidence the documentation is periodically reviewed and updated, as needed 14

Effort Ratings Rating Description Compliance Effort Ratings Legend 1 The audit results indicate the entity is in compliance with both goals and objectives of the selected standards and implementation specifications. 2 The audit results indicate that the entity substantially meets criteria; it maintains appropriate policies and procedures, and documentation and other evidence of implementation meet requirements. 3 Audit results indicate entity efforts minimally address audited requirements; analysis indicates that entity has made attempts to comply, but implementation is inadequate, or some efforts indicate misunderstanding of requirements. 4 Audit results indicate the entity made negligible efforts to comply with the audited requirements - e.g. policies and procedures submitted for review are copied directly from an association template; evidence of training is poorly documented and generic. 5 The entity did not provide OCR with evidence of serious attempt to comply with the Rules and enable individual rights with regard to PHI. 15

Anatomy of an Audit Report Introduction Audit Objective Background Scope and Methodology Results of Review Auditor Ratings Legend Summary of Auditor Ratings Auditor Analysis & Findings Element # Auditor s Analysis Effect Finding Ratings Entity Response 16

17 Draft Findings to Date

Ratings Rating Poles Breach T 103 5 Rating 1 Rating Timeliness of Notification 15 67 Content of Notification 9 14 Privacy T 103 Access 11 1 Notice Content 16 2 enotice 15 59 Security T 63 Risk Analysis 13 0 Risk Management 17 1 18

Breach Notification BNR 12 -- Timeliness of Notification 2% 9% 6% 11% 7% 65% Ratings 1 2 3 4 5 N/A 19

Breach Notification Content Ratings BNR 13 -- Content of Notification 37% 7% 5% 14% 23% 14% Ratings 1 2 3 4 5 N/A 20

NPP Content Ratings P55 -- Notice of Privacy Practices -- Content 2% 11% 15% 39% 33% Ratings 1 2 3 4 5 21

Web Site Posting of NPP Ratings P58 - Provision of Notice 4% 6% 15% 3% 57% Ratings 1 2 3 15% 4 5 N/A 22

Access Ratings P65 -- Right to Access 1 11 10 Ratings 54 27 1 2 3 4 5 23

Risk Analysis Ratings S 2 Security Risk Analysis Ratings 63 Covered Entities 13 0 8 Ratings 1 2 3 23 19 4 5 24

Risk Management Ratings S 3 Risk Management Ratings 1 3 17 13 29 Ratings 1 2 3 4 5 25

Posted Audit Guidance Selected protocol elements with associated document submission requests and related Q&As Slides from audited covered entity webinar held July 13, 2016 Comprehensive question and answer listing OCR Audit Website: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html 26

More Information http://www.hhs.gov/hipaa Join us on @hhsocr 27

For additional information contact: Zinethia L. Clemmons HIPAA Compliance Audit Program Director zinethia.clemmons@hhs.gov

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback