
© Clearwater Compliance | All Rights Reserved


Copyright Notice

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

For reprint permission and information, please direct your inquiry to [email protected]


Legal Disclaimer

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.


How to Prepare For An OCR Audit Or Investigation

November 13, 2015


Our Passion

We’re excited about what we do because…

…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!


Awards and Recognition

#11 - 2015

Exclusive Sole Source Provider

Software Used by NSA/CAEs


About Your Speaker: Michelle Caswell, JD

• Senior Director, Legal & Compliance – Clearwater Compliance, LLC

• More than 15 years healthcare experience

• Extensive experience in HIPAA Privacy, Security and Breach Notification Rules

• Experienced Principal Healthcare Privacy/Security Consultant, conducting compliance audits and risk assessments; drafting policies and procedures; training staff and assisting with remediation efforts

• Former HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights

• Licensed attorney in Georgia and Tennessee

• Frequent national speaker on healthcare compliance and security

Michelle Caswell, JD

[email protected]


Our Goal Is To Help You Become As Self-Sufficient As You Wish To Be

This empowering philosophy underpins everything we do.

• Commitment to educational resources for our audiences

• Ongoing support and training for our customers

• Thought-, service-, methodology- and software-leadership


Some Ground Rules

1. Slide materials

A. Check “Download” area on GoToWebinar Control panel to copy/paste link and download materials

2. Questions in “Question Area” on GTW Control Panel

3. In case of technical issues, check “Chat Area”

4. All Attendees are in Listen Only Mode

5. Please complete Exit Survey, when you leave session

6. Recorded version and final slides within 48 hours


We are not attorneys! Ensure Competent Counsel

The Omnibus has arrived! Welcome Aboard, BAs!

Lots of different interpretations! Please, Ask Lots of Questions!

But FIRST!


Overview

“How to Prepare for an OCR Audit or Investigation”

Instructional Module Duration = 45 Minutes

Learning Objectives Addressed in This Module:

1. Why Bother to Prepare?

2. Where are the Gaps in Compliance?

3. What to do About It?


1. Why Bother To Prepare?


What type of organization do you represent?

Hospital / Health System

Other CE

Business Associate

HYBRID

Don’t Know

Pause and Quick Poll


Sample Data Request Letter


Three Pillars Of HIPAA-HITECH Compliance…

HITECH

HIPAA

Privacy Final Rule

• 75 pages / 27K words

• 56 Standards

• 54 Implementation Specs

Security Final Rule

• 18 pages / 4.5K words

• 22 Standards

• 50 Implementation Specs

Breach Notification

• 6 pages / 2K words

• 4 Standards

• 9 Implementation Specs

OMNIBUS FINAL RULE


2012 Privacy Audit Highlights

Review process for denials and failure to provide access to records

Disclosures to Personal Representatives

Lack of policies and procedures

Use and disclosure of decedent information

Business Associate Agreements


2012 OCR Audit Contract Language

“The protocol should assess whether such entities have, consistent with these regulations, comprehensive policies and procedures to address critical requirements to which the entity is subject and to determine whether routine operations implement these policies and procedures consistently with the Rules.

The audit protocol should provide for comprehensive assessment of policies, procedures, practices, systems, operations and Infrastructure.”

1 Task Order: HHSP233201100252G, Contract: GS-3F-8127H, Page 6 of 26


Phase 2 Audits

• OCR recently transmitted HIPAA pre-audit screening surveys to CEs that may be selected for the 2nd phase of audits

• Focus on greater risk to the security of PHI and pervasive non-compliance based on OCR’s Phase 1 Audit findings

• OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for CEs and BAs

• If an audit reveals a serious concern, OCR may initiate a compliance review


In The Meantime… Practice!


And It’s Not Just The Audits… What About Complaints?


Look How Easy It Is


HIPAA Complaint


1. Complaint

2. Breach Notice

3. SAG HITECH Action

4. FTC Action

5. Whistleblower

6. State Action (e.g., DHCS)

7. OCR Audit

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html

Avoid the following…

Complaint

Intake & Review

Possible Privacy Rule or Security Rule Violation

Possible Criminal Violation

Investigation

Resolution

• OCR finds no violation

• OCR voluntary compliance, corrective action, or other agreement

• OCR issues formal finding of violation

RESOLUTION

• The violation did not occur after April 14, 2003

• Entity is not covered by the Privacy Rule

• Complaint was not filed within 180 days and an extension was not granted

• The incident described in the complaint does not violate the Privacy Rule

DOJ Accepted by DOJ


Pause and Quick Poll

Have you seen / read an OCR Investigation Letter and Initial Data Request?


And, Please Do Not Forget OIG’s “Internal Audit” Role

This just in…


Final Omnibus Rule: New Civil Monetary Penalty System


2. Where Are The Gaps in Compliance?


HHS “Wall Of Shame”

7.9%

• Inadequate workforce access controls

• Inadequate policies & procedures

• Inadequate training

• Inadequate or inconsistent sanctions

• Inadequate safeguards (e.g. disposal)


Root Causes Of Breaches

[Bar chart comparing 2011 and 2010. Categories: Snooping; Malicious Insider; Criminal Attack; Technical Systems Glitch; Unintentional Employee Action; Lost or Stolen Computing Device. Vertical axis: 0% to 60%. Data labels as extracted: 9%, 14%, 30%, 33%, 41%, 49% and 10%, 15%, 20%, 31%, 45%, 41%.]


Complaints… What Are People Saying?

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/top5issues.html


Who’s Responsible?


Who’s to Blame?

Case Examples

• Access

• Authorizations

• Confidential Communications

• Disclosures to Avert a Serious Threat to Health or Safety

• Impermissible Uses and Disclosures

• Minimum Necessary

• Safeguards

Common Causes

• Theft of Laptop, Servers, Backup Tapes, Mobile Devices

• Loss of Laptop, Servers, Backup Tapes, Mobile Devices

• Improper Disposal

• Misdirected Communications

• Post to Public Websites

• Missing Firewalls

• Successful Phishing


Covered Entities On “Wall of Shame”

• Hospitals

• Community Clinics

• Specialty Clinics

• Mental Health Clinics

• State Health Plans

• Private Practices

• Research Organizations

• Medical Centers

• Life Insurance

• Emergency Responders

• Health Systems

• Health Plans

• Employee Health Plans

• Dental Practices

• Physician Networks

• University Clinics/Hospitals


Business Associates On “Wall of Shame”

• Consultants

• Plan Administrators

• Social Services

• Transcription Companies

• Collection Services

• Medical Management

• Revenue Cycle Mgmt

• Disease Management

• Outsourced Computing

• Other CEs


3. What To Do About It?


Safeguards – Administrative Requirements § 164.530(c)

(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

(2) (i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.


Safeguards – Audit Procedures

• Inquire of management as to whether administrative, technical and physical safeguards are in place to protect all PHI

• Please refer to the HIPAA Security Compliance Protocols for details on how to test the administrative, technical and physical safeguards over ePHI

• Obtain and review procedures and policies and evaluate the content to determine if administrative, technical and physical safeguards are in place to protect all PHI

• Observe and verify whether the safeguards in place are appropriate


Mitigation – Administrative Requirements § 164.530(f)

(1) A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.


Mitigation – Audit Procedures

• Obtain and review PnPs in place to determine if the CE mitigates any harmful effect that is known of a use or disclosure of PHI in violation of its PnPs

• Obtain and review documentation to determine if a monitoring process is in place to help management ensure corrective action/mitigation plans are developed pursuant to relevant PnPs

• From a population of instances of non-compliance within the audit period, obtain and review documentation to determine whether corrective action/mitigation plans were developed and applied pursuant to relevant PnPs

• Obtain and review evidence that the PnPs are updated appropriately and conveyed to the workforce


Workforce Access To PHI – Minimum Necessary § 164.514(d)(2)

Standard: minimum necessary requirements

i. A covered entity must identify:

A. Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and

B. For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.

ii. A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.


Workforce Access To PHI – Audit Procedures

• Obtain and review a sample of workforce members with access to PHI for their corresponding job title and description to determine appropriateness

• Obtain and review PnPs and evaluate the content relative to the specified criteria for terminating access to PHI

• Select a sample listing of former employees to confirm that access to PHI was terminated

NOTE: The Rule requires that the class/job functions that need to use or disclose PHI be determined, and the information be limited to what is needed for that job classification


Workforce Access Work Sheet

• System/Application/Database

• Data Description

• Data Type (e.g. sensitive) or Data Classification

• Functional Access

• Department Access

• Purpose of Access

• Job Titles/Job Codes with Access

• Management Authorization for Access Initiation or Termination


Sanctions – Administrative Requirement § 164.530(e)

(1) Standard. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart.

(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any.


Sanctions – Audit Procedures

• Obtain and review formal or informal PnPs to determine if sanctions are identified and/or described in the event members of the workforce do not comply with the entity’s privacy practices

• From a population of instances of individual/employee non-compliance within the audit period, obtain and review documentation to determine whether appropriate sanctions were applied


Tiered Approach to Sanctions

• Nature of the incident informs severity of sanctions:

  • Was the violation unintentional? Or Intentional?

  • What was the motivation?

  • Was this the employee’s first violation?

  • What was the content of the PHI disclosed?

  • Was there further disclosure or not?

  • What was done to mitigate further disclosure?

• Examples of Sanctions

  • Additional Training or Counseling

  • Verbal Warning

  • Note in Personnel File

  • Suspension without Pay

  • Reassignment or Demotion

  • Termination

Maintain sufficient flexibility in your Policy to allow for undefined situations

Apply consistently


Complaints – Administrative Requirements §164.530(d)

• Standard. A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part.

• Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any.


Complaints – Audit Procedures

• Inquire of management as to whether formal or informal PnPs exist for receiving and processing complaints over the entity’s privacy practices

• Obtain and review formal or informal PnPs to determine how complaints are received, processed, and documented

• From a population of complaints received within the audit period, obtain and review documentation of each complaint


Reporting And Responding To Complaints

No Intimidation or Retaliatory Acts

Accept Complaints Investigate Resolution Respond Document

Determine For Each: Who, How, When, Resolution


Insider Tips

• If you receive a complaint, do due diligence and investigate allegations

• Keep written records

• Make contact with your OCR investigator

• Know where your policies and procedures reside

• Read the complaint thoroughly

• Respond to each request in the data request letter

• Even if you do not have something in place, say that and show other ‘reasonable and appropriate’ safeguards


Insider Tips

• If you have questions, or need technical assistance, reach out to your investigator

• Remember, OCR does not represent the Complainant

• If you need additional time to respond to the Complaint, request that from your investigator

• Don’t wait until the last minute


Insider Tips

• When drafting your response, keep everything in numbered order, per the data request letter

• Don’t staple every individual item

• Remember, there are humans at the other end that have to use a staple remover

• Follow up once you submit your response to ensure delivery

• If you haven’t heard from your investigator for a while once you have already confirmed delivery, follow up

• But be aware, there are a very limited number of investigators


In Summary

• Policies and Procedures

• Sanctions Policy

• Complaint Process

• Incident Reporting and Mitigation Process

• Minimum Necessary Workforce Access Procedures

• Appropriate and Reasonable Safeguards

• Business Associate Management Program

• Establish a Breach Risk Assessment Framework


Clearwater HIPAA Compliance and Information Risk Management BootCamp™

Take Your HIPAA Privacy and Security Program to a Better Place, Faster …

Earn up to 10.8 CPE Credits!

http://clearwatercompliance.com/bootcamps/

Designed for busy professionals, the Clearwater Information Risk Management BootCamp™ distills into one action-packed day, the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.

Join us for our next virtual, web-based events… Three, 3hr sessions:

• February 11th, 18th, 25th 2016 • May 5th, 12th, 19th 2016

Join us for our next Live Event: April 21, 2015 - Orlando


Other Upcoming Clearwater Events

Visit https://clearwatercompliance.com/webinars/ for more info!

• November 20, 2015, Complimentary Webinar: How to Conduct NIST-based Risk Response to Comply with HIPAA & Other Regulations

• December 3, 2015, Complimentary Webinar: How to Calculate the Cost of a Data Breach and How to Get the Budget for Your HIPAA-HITECH Compliance Program

• December 8, 2015, Complimentary Webinar: How to Mature Your Information Risk Management Program

• December 10, 2015, Complimentary Webinar: How to Implement a Strong, Proactive HIPAA Business Associate Risk Management Plan


NEW – Education Tracks

Register For Our NEW Educational Tracks: https://clearwatercompliance.com/hipaa-education/educational-tracks/


Questions?