HEALTH & HUMAN SERVICES OFFICE FOR CIVIL RIGHTS HIPAA COMPLIANCE AUDITS. What do I need to know?

Transcription

1 HEALTH & HUMAN SERVICES OFFICE FOR CIVIL RIGHTS HIPAA COMPLIANCE AUDITS What do I need to know?

2 INITIAL AUDITS PERFORMED IN 2016 Covered Entities Business associates

3 AUDIT PURPOSE: SUPPORT IMPROVED COMPLIANCE Identify best practices; uncover risks & vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance Intended to be non-punitive, but OCR can open up compliance review (for example, if significant concerns are raised during an audit or an entity fails to respond) Learn from this next phase in structuring permanent audit program Develop tools and guidance for industry self-evaluation and breach prevention

4 AUDIT PROGRAM STATUS: Desk audits underway 166 Covered Entities 43 Business Associates Business Associate selection pool largely drawn from over 20,000 entities identified by audited CEs On-site audits of both CEs and BAs in 2017, after completion of the desk audit process, to evaluate against a comprehensive selection of controls in protocols A desk audit subject may be subject to on-site audit OCR beginning distribution of draft findings

5 HOW WILL I BE CONTACTED AND WHAT DO I NEED? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates the protection of certain individually identifiable health information -referred to as Protected Health Information or PHI -from unauthorized use and disclosure. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) has responsibility for administering and enforcing the HIPAA Privacy, Security and Breach Notification Rules (altogether, "the Rules"). The Rules provide important health information privacy and security protections and specify the rights of individuals regarding their PHI. The American Recovery and Reinvestment Act of 2009 (ARRA), in Section of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), requires HHS to perform periodic audits of covered entity and business associate compliance with the Rules. Covered entities include health plans, health care clearinghouses and health care providers who conduct certain administrative and payment- related transactions electronically. A business associate performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. You are receiving this letter because your organization has been selected for a desk audit of your compliance with the HIPAA Rules. The objective of this audit is to 1) analyze the key policies, procedures and related processes and controls your entity maintains relative to the selected requirements, and 2) assess your entity's compliance efforts with regard to the selected provisions of the Rules, to ensure that covered entities and business associates are adequately safeguarding PHI and providing individuals with the rights afforded to them by the Rules. The results of our audits will enable us to identify potential areas of noncompliance across industries or in certain sectors and better target our technical assistance. For HIPAA covered entities, the desk audit will focus on the risk analysis and risk management provisions of the Security Rule, the access and notice provisions of the Privacy Rule, and the applicable content and timeliness provisions of the Breach Notification Rule. For business associates, the desk audit will focus on the risk analysis and risk management provisions of the Security Rule, and the applicable content and timeliness provisions of the Breach Notification Rule. As noted below, the documents required for the desk audit must be uploaded to OCR's audit portal; the audit portal sets fourth in greater detail the documents that will be required, consistent with our Audit Protocol. Please upload documents corresponding to the elements identified in the portal within 10 business days of the date of this letter. Only the specified documents uploaded through the audit portal will be considered by the auditor. OCR auditors will not consider documentation submitted after the deadline. Only documentation in effect as of the date of this letter will be considered during the audit. Timeframe Opening Meetings through Webinar You will be contacted by an OCR auditor with draft findings, if any, approximately 90 days after your document submission. You will have 10 business days to review the draft findings and provide a written response, if any. OCR will send you the final report once completed.

6 WHO HAS A COMPLETED SRA FOR 2016 & 2017?

7 CORNERSTONE PRINCIPLES OF HIPAA COMPLIANCE: Identify compliance team Employee training Review & update P&P s Review & update BAA s Update SRA

8 BUILDING THE COMPLIANCE TEAM: Most providers have someone that has been unofficially elected the Compliance Officer. Now is the time to make it official! the compliance officer will be the main contact for: 1. Identifying individuals responsible for HIPAA compliance and define responsibilities 2. Performing Updated SRA 3. Managing all BAA s and other HIPAA related documentation 4. Establishing and maintaining an ongoing HIPAA awareness training program 5. Breach and incident reporting (know the requirements and act accordingly)

9 WHAT IS A HIPAA AWARENESS PROGRAM: Formalizing a HIPAA awareness program is how you communicate HIPAA policies and guidelines with your employees. The program should include the following at a minimum: 1. Provide all employees a copy of your companies HIPAA P&P s and require a signature acknowledging they understand the rules 2. Quarterly quizzes 3. Well defined escalation procedures

10 Employee training ENTER YOUR WORKFORCE AND DEPLOY YOUR HIPAA COMPLIANCE TRAINING

11 BREACH AND INCIDENT REPORTING: Breach Notification Requirements for CE's: Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate. Individual Notice: Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable). Media Notice: Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice. Notice to the Secretary: In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.

12 BREACH AND INCIDENT REPORTING: Administrative Requirements and Burden of Proof: Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, with respect to an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or (2) the application of any other exceptions to the definition of breach. Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures. Notification by a Business Associate: If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.

13 THE BAD STUFF: The HHS OCR has implemented this program to ensure that all providers comply with the HIPAA/HITECH standards The main focus is to safeguard against willful neglect!!! The OCR portal is complete and the audits are ramping up The following slides show examples of the fines and give a brief description of what happened:

14 TEXAS HEALTH SYSTEM SETTLES POTENTIAL HIPAA VIOLATIONS FOR DISCLOSING PATIENT INFORMATION Memorial Hermann Health System (MHHS) has agreed to pay $2.4 million to the U.S. Department of Health and Human Services (HHS) and adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. MHHS is a not-for-profit health system located in Southeast Texas, comprised of 16 hospitals and specialty services in the Greater Houston area MHHS senior management approved the impermissible disclosure of the patient s PHI by adding the patient s name in the title of a press release. In addition, MHHS failed to timely document the sanctioning of its workforce members for impermissibly disclosing the patient s name in the title of the press release In addition to a $2.4 million monetary settlement, a corrective action plan requires MHHS to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The corrective action plan also requires all MHHS facilities to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media

15 TEXAS HEALTH SYSTEM SETTLES POTENTIAL HIPAA VIOLATIONS FOR DISCLOSING PATIENT INFORMATION They included a patients name in the press release They didn t document the corrective action given to the employees responsible for including patients name Cost = $2.4mm

16 $2.5 MILLION SETTLEMENT SHOWS THAT NOT UNDERSTANDING HIPAA REQUIREMENTS CREATES RISK APRIL 24, 2017 The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ephi). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member s laptop was stolen from a parked vehicle outside of the employee s home. The laptop contained the ephi of 1,391 individuals. OCR s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ephi, including those for mobile devices.

17 $2.5 MILLION SETTLEMENT SHOWS THAT NOT UNDERSTANDING HIPAA REQUIREMENTS CREATES RISK APRIL 24, 2017 Laptop containing PHI of 1391 patients stolen from a parked car Insufficient risk analysis Insufficient risk management processes Policies & Procedures still in draft form No P&P related to HIPAA awareness training and employee understanding the HIPAA rules Cost = $2.5mm

18 NO BUSINESS ASSOCIATE AGREEMENT? $31K MISTAKE APRIL 20, 2017 The Center for Children s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois. In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children s Digestive Health (CCDH) following an initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015.

19 NO BUSINESS ASSOCIATE AGREEMENT? $31K MISTAKE APRIL 20, 2017 Business associate investigated Covered entity receives notice of compliance review Doing business since 2003 Neither party can produce fully executed BAA BAA submitted was from 2015 Cost = $31k!!!!!!!!!!!!!!!

20 OVERLOOKING RISKS LEADS TO BREACH, $400,000 SETTLEMENT The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the lack of a security management process to safeguard electronic protected health information (ephi). Metro Community Provider Network (MCPN), a federallyqualified health center (FQHC) of Denver, Colorado has agreed to settle potential noncompliance with the HIPAA Rules by paying $400,000 and implementing a corrective action plan. With this settlement amount, OCR considered MCPN s status as a FQHC when balancing the significance of the violation with MCPN s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care. MCPN provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level. On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees' accounts and obtained 3,200 individuals' ephi through a phishing incident. OCR s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-february Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ephi environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

21 OVERLOOKING RISKS LEADS TO BREACH, $400,000 SETTLEMENT Breach report notifying OCR of phishing incident 3200 EPHI compromised Corrective action was taken and performed as necessary However- Covered entity could not produce completed SRA prior to the breach No risk management plan implemented Vulnerabilities not identified & addressed SRA deemed insufficient to meet requirements of the security rule Cost = $400K

22 $5.5 MILLION HIPAA SETTLEMENT SHINES LIGHT ON THE IMPORTANCE OF AUDIT CONTROLS Memorial Healthcare System is a nonprofit corporation which operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities throughout the South Florida area. MHS is also affiliated with physician offices through an Organized Health Care Arrangement (OHCA). MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician s office had been used to access the ephi maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

23 $5.5 MILLION HIPAA SETTLEMENT SHINES LIGHT ON THE IMPORTANCE OF AUDIT CONTROLS 115,143 patients accessed by employees and impermissibly disclosed to an affiliated physician Log-in credentials of former employee used for a year Workforce access P&P in place but didn t have a policy implemented for decommissioning ex-employee accounts Provided SRA s that identified this risk but never implemented corrective action plan to fix vulnerabilities identified Cost = $5.5mm

24 LACK OF TIMELY ACTION RISKS SECURITY AND COSTS MONEY - FEBRUARY 1, 2017 The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty on the impermissible disclosure of unsecured electronic protected health information (ephi). Children s Medical Center of Dallas (Children s) did not file a timely request for a hearing by the date in accordance with the instructions in the Notice of Proposed Determination and have paid the full civil money penalty of $3.2 million. Children s is a pediatric hospital in Dallas, Texas, and is part of Children s Health, the seventh largest pediatric health care provider in the nation. On January 18, 2010, Children s filed a breach report with OCR indicating the loss of an unencrypted, nonpassword protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, The device contained the ephi of approximately 3,800 individuals. On July 5, 2013, Children's filed a separate HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, Children's reported the device contained the ephi of 2,462 individuals. Although Children's implemented some physical safeguards to the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also provided access to the area to workforce not authorized to access ephi. OCR s investigation revealed Children s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, Despite Children's knowledge about the risk of maintaining unencrypted ephi on its devices as far back as 2007, Children's issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

25 LACK OF TIMELY ACTION RISKS SECURITY AND COSTS MONEY - FEBRUARY 1, Unencrypted cellphone device lost at an airport Contained EPHI of 3800 patients years later had an unencrypted device stolen from location Contained EPHI of 2462 patients Entity issued warnings as far back as 2007 about encrypting devices They didn t learn from their mistakes! Continued to issue unencrypted devices to staff members Failed to encrypt workstations, laptops, removable storage media, etc. Cost = $3.2mm

26 HIPAA SETTLEMENT DEMONSTRATES IMPORTANCE OF IMPLEMENTING SAFEGUARDS FOR EPHI The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ephi). MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million and implementing a corrective action plan. With this resolution amount, OCR balanced potential violations of the HIPAA Rules with evidence provided by MAPFRE with regard to its present financial standing. MAPFRE is a subsidiary company of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans. On September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a pen drive ) containing ephi was stolen from its IT department, where the device was left without safeguards overnight. According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers. The report noted that the breach affected 2,209 individuals. MAPFRE informed OCR that it was able to identify the breached ephi by reconstituting the data on the computer on which the USB data storage device was attached. OCR s investigation revealed MAPFRE s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake.

27 HIPAA SETTLEMENT DEMONSTRATES IMPORTANCE OF IMPLEMENTING SAFEGUARDS FOR EPHI USB data storage device stolen from the IT department in an unsecured area Contained EPHI of 2209 individuals Failed to perform a SRA and implement a risk management plan even though they stated they had one in place Failure to implement physical safeguards (lock the door!) Delayed implementing other safeguards identified by the OCR Cost = $2.2mm

28 FIRST HIPAA ENFORCEMENT ACTION FOR LACK OF TIMELY BREACH NOTIFICATION SETTLES FOR $475,000 The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information. Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and agreeing to implement a corrective action plan. Presence Health is one of the largest health care networks serving Illinois and consists of approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. Presence also has multiple physicians offices and health care centers in its system and offers home care, hospice care, and behavioral health services. With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether. On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. The information consisted of the affected individuals names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. OCR s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.

29 FIRST HIPAA ENFORCEMENT ACTION FOR LACK OF TIMELY BREACH NOTIFICATION SETTLES FOR $475,000 OCR received breach notification on 1/31/2014 that occurred on 10/22/13 Operating room documents containing PHI of 836 patients were missing Had no ability to locate missing docs and a breach was recognized What did they do wrong? Failed to provide timely written notification to the OCR & affected individuals OCR requires notice in 60 days of breach affecting 500+ individuals Notification must be made to the OCR as well as the affected individuals or media outlet Cost = $475k

30 THE GOOD STUFF: The OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine. Most fines that are being imposed could have been fixed with nothing more than a corrective action plan There are several entities providing HIPAA compliance training coupled with consulting and help completing the SRA although it can be pricey There are several software based options that allow providers to implement and maintain HIPAA compliance

31 BRIEF SUMMARY: You re HIPAA compliance program is an ongoing effort and must be addressed and updated on a regular basis The time to get started is right now! Any effort is better than doing nothing Safeguard against willful neglect Finalize policies & procedures and make sure all employees are aware Have all BAA s, finalized P&P s, HIPAA policies, SRA s, etc. in one easily accessible location

32 WHAT DOES ACU-SERVE USE

33 REMEMBER THIS? CORNERSTONE PRINCIPLES OF HIPAA COMPLIANCE: Identify compliance team Employee training Review & update P&P s Review & update BAA s Update SRA

34 Identify compliance team SIMPLY GO TO THE COMPLIANCE TEAM MODULE FROM THE DASHBOARD AND ENTER YOUR COMPLIANCE TEAM MEMBERS

35 Review & update P&P s SELECT THE POLICIES AND PROCEDURES MODULE, PERSONALIZE, REVIEW, & ADOPT

36 Update SRA COMPLETE THE QUICK ASSESSMENT TO GET A JUMP START ON YOUR COMPLETE SECURITY AND RISK ANALYSIS

37 Review & update BAA s FILL IN THE SHEET WITH BUSINESS ASSOCIATE AND COVERED ENTITY INFORMATION TO STORE ALL OF YOUR BAA S IN ONE CONVENIENT LOCATION

38 ANY QUESTIONS?