Disclaimer This webinar may be recorded. This …The audit program is an important part of OCR’s...


Page 1:

Page 2:

Disclaimer

This webinar may be recorded. This webinar presents a sampling of best practices and overviews, generalities, and some laws. This should not be used as legal advice. Itentive recognizes that there is not a “one size fits all” solution for the ideas expressed in this webinar; we invite you to follow up directly with us for more personalized information as it pertains to your specific practice and issues.

Thank you, and enjoy the webinar.

Page 3:

About Us

Our passion is to provide solutions for our healthcare provider partners which help them improve patient care, enhance the patient experience and maintain a financially healthy practice.

Since 2003 we have specialized in NextGen® Healthcare services including:

• Consulting

• Hosting

• Customization

• And productivity tools such as ChartGuard® and RefundManager®

Page 4:

Upcoming Webinars:

Last webinar in our 3-part series

Improving Federal Security Initiatives: The True Impact

July 27th – MACRA: Breaking Down the Proposed Rule

Page 5:

HIPAA Audits:

What Phase II Means For You

Page 6:

Introductions

Kathy Thompson

Managing Consultant

Cindi Kincade

Vice President, Consulting Solutions

Lindsey Lanning

Healthcare Informatics Coordinator

Page 7:

HIPAA Audits:

What Phase II Means For You

Page 8:

Attention:

• Phase Two of OCR's HIPAA audit program has officially begun

• OCR has sent selected covered entities notification letters

• Email notification letters were delivered on Monday, July 11, 2016 to 167 health plans, healthcare providers and healthcare clearinghouses (covered entities)

• Covered entities should monitor their spam filtering and junk mail folders for emails from [email protected].

• Entities ONLY have 10 business days, until July 22, 2016, to respond to the document requests.

• Desk audits of business associates will follow this fall

Page 9:

Today’s Webinar

• HIPAA Review

• The Audit Process

• New Audit Protocol

• The Elements to an Effective Compliance Program

Page 10:

Headlines

• OCR Releases New HIPAA Audit Protocol

• HIPAA Compliance Audit Prioritized in 2017 Fiscal Budget

• Business Associates: More Than a Checkbox

• Holy MACRA! – Being HIPAA Compliant is Part of How Physicians get Paid

• Business Associate Agrees to $650K OCR HIPAA Settlement

Page 11:

HIPAA Enforcement

• Settlements in 2016 have totaled more than any other year at $8,664,800

• Consequences include:

High fines

Prison sentences

Medical License revoked

Image taken from Compliancygroup.com

Page 12:

What is Causing Increased Enforcement?

• Large Breaches

Anthem Blue Cross

• New OCR Director in 2015

“While the first years of HIPAA were about education, the years ahead are going to firmly stress enforcement”

• Phase 2 Audits

New Audit Protocol

Expanded pool of auditees

Federal program overlap

• Increased Budget

Page 13:

HIPAA Review

Page 14:

Regulation Overview

• HIPAA

Goal: Protect PHI while increasing patient access and control over information

• Omnibus

Goal: Extend protection of PHI by requiring Business Associates to comply with HIPAA

• HITECH/Meaningful Use

Goal: Increase the adoption of EHRs

[Diagram: overlapping circles labeled HIPAA, HITECH / Meaningful Use, and Omnibus]

Page 15:

HIPAA Overview

• HIPAA has 3 parts:

Privacy Rule

Security Rule

Breach Notification Rule

• Who has to comply with HIPAA?

Covered Entities

Business Associates

Page 16:

HIPAA Security Rule

• The HIPAA Security Rule is in place to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that a CE or BA creates, receives, maintains, or transmits.

• The Security Rule lays out 3 sets of safeguards

Administrative

Technical

Physical

Page 17:

HIPAA Privacy Rule

Two “pods” of the HIPAA privacy rule:

• “Access”

Greater for patients

Limited for others

• Patient “rights”

Increased rights

Greater control over their own information

Page 18:

The Difference Between Privacy and Security

The HIPAA Privacy Rule describes what information is protected and how protected information can be used and disclosed.

vs.

The HIPAA Security Rule describes what safeguards must be in place to ensure appropriate protection of electronic protected health information.

Page 19:

The Audit Process

Page 20:

Program Objective

The audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities.

OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations.

The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable OCR to get out in front of problems before they result in breaches.

OCR will broadly identify best practices collected through the audit process and will provide guidance targeted to identified compliance challenges.

Page 21:

OCR HIPAA Audits

• The Office for Civil Rights (OCR) is conducting audits to make sure covered entities and business associates are HIPAA compliant.

Phase 1 Audits in 2011-2012

Phase 2 Audits in 2015-2016

Page 22:

OCR Phase 2 Audits

Phase 2 audits focus on:

• Covered Entities and their Business Associates

• Non-compliant standards discovered during Phase 1

• Risk analysis

• Risk management

• Security Standards’ encryption and decryption requirements

• Facility access control

• Breach notification

Page 23:

Key Things to Point Out

• OCR has issued and finalized a new audit protocol for Phase 2 OCR Audits

• Phase 2 will include Covered Entities & Business Associates

• Phase 2 of OCR’s HIPAA audit program is currently underway. Selected covered entities received notification letters Monday, July 11, 2016. Business associate audits will commence in the fall.

• OCR has contracted with FCi Federal to conduct the audits in conjunction with OCR staff

• These audits will proceed throughout 2016 and beyond

• A pool of potential audit targets will be identified and out of this pool several hundred will be selected for audits

Page 24:

Who Can Be Audited?

Covered Entities

Health Plans

Healthcare Clearinghouses

Healthcare Providers

Business Associates

Selected through Covered Entities

Page 25:

Phase 2 Audit Distribution Projections

Information taken from Compliancygroup.com

Entity Type                 Privacy   Breach   Security
Covered Entities               100      100       150
    Health Plans                33       31        45
    Providers                   67       65       100
    Clearinghouses               -        4         5
Business Associates              0        0        50
    IT Related                   -        -        35
    Non-IT Related               -        -        15
Total Audits by Protocol       100      100       200

Page 26:

How Will Auditees Be Selected?

• For this phase of the audit program, OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates.

• Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR.

• OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

Page 27:

Audit Phases

• Phase One: Desk Audit of Covered Entities

Request for Gap and Remediation Report

• Phase Two: Desk Audit of Business Associates

• Phase Three: Onsite Audit targeting both Covered Entities and BAs, with a broader scope of coverage

Looking for a complete compliance plan

• Results: Corrective Action Plan and Fines

Page 28:

Desk Audits

Requirements Selected for Desk Audit Review:

• Privacy Rule

Notice of Privacy Practices & Content Requirements

Provision of Notice – Electronic Notice

Right to Access

• Breach Notification Rule

Timeliness of Notification

Content of Notification

• Security Rule

Security Management Process – Risk Analysis

Security Management Process – Risk Management

Page 29:

The Audit Process–Desk Audit

1. Address Verification Email

2. Pre-screening questionnaire

3. Identify Business Associates

4. Auditees will be notified of their selection

5. Document request letter which will include the type of audit (Privacy, Security or Breach)

6. Those being audited must upload the requested documents via OCR's secure portal within 10 business days

7. Auditors prepare draft findings and send to auditees

8. Those being audited may prepare a response to the draft findings within 10 business days

9. Preparation and sending of final report

Page 30:

The Audit Process–Onsite Audit

1. Entities will be notified of their selection

2. OCR auditors will schedule an entrance conference and provide information about audit process and expectations

3. The audit will be conducted over three to five days on-site

4. A draft report will be prepared and shared with entity

5. The entity will have 10 business days to review the findings and provide written comments to the auditor

6. Final audit report will be completed within 30 business days

7. OCR will share a copy of the final report with entity

Page 31:

Address Verification Email

OCR conducted address verification this spring to confirm contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools.

Communications from OCR will be sent via email and may be incorrectly classified as spam.

If your entity’s spam filtering and virus protection are automatically enabled, we expect you to check your junk or spam email folder for emails from OCR: [email protected].

Page 32:

Pre-screening Questionnaire

The questionnaire is made up of 4 parts:

1. Instructions

2. Contact/Entity Info

3. Questions

4. Review & Submit

Page 33:

Pre-screening Questionnaire

There are 5 sections of questions found in the questionnaire:

1. Basic Description Information About Your Organization

2. Healthcare Providers

3. Healthcare Clearinghouse

4. Health Plans

5. Business Associates

Page 34:

Selection Email

If you are selected you will receive two emails:

• One e-mail includes a notification letter which will introduce the audit team, explain the audit process and discuss OCR’s expectations in more detail. It will also provide instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR's secure online portal.

• A second email contains an additional request to provide a listing of the entity's business associates.

Page 35:

Identify Business Associate

• Selected auditees will be requested by OCR to identify and provide detailed information regarding their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits.

• Covered entities should provide the requested information to the best of their knowledge and include the name and types of services provided by each business associate.

• OCR has developed a template which covered entities may find helpful to use when responding to the business associate list request.

Page 36:

Business Associate Information Requested

• Business Associate Name

• Type of Service(s) provided

• 1st Point of Contact Title, First Name, and Last Name

• 1st Point of Contact Address, City, State, Zip

• 1st Point of Contact Phone and extension (if needed), Contact Fax, and Contact Email

• 2nd Point of Contact Title, First Name, and Last Name

• 2nd Point of Contact Address, City, State, Zip

• 2nd Point of Contact Phone and extension (if needed), Contact Fax, and Contact Email

• Website URL

Page 37:

Final Audit Report

• The Final Audit Report will contain:

Stage of Audit conducted

Findings of Audit

Entity responses to draft findings

• OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Through the information gathered from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.

Page 38:

Audit Timeline

• OCR will have notified Covered Entities by July 11th if they were selected for an audit

• The CE being audited must submit requested documentation within 10 business days

Or, if it is an onsite audit, it will be conducted over 3-5 business days onsite, depending on the size of the entity.

• After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings.

• Auditees will have 10 business days to review and return written comments, if any, to the auditor.

• The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response

Page 39:

What Causes A HIPAA Audit?

[Diagram: "Audit" at the center, with four triggers around it]

• Business Associates

• Random selection

• Failed Meaningful Use audit

• Reported breach notification

Page 40:

Meaningful Use and SRA

• Passing the Security Risk Analysis (SRA) required for Meaningful Use DOES NOT mean you are HIPAA compliant. The reverse does hold: an SRA that satisfies HIPAA will also pass for MU.

• The HIPAA SRA criteria are more stringent than the MU criteria.

[Diagram: "Does HIPAA satisfy Meaningful Use?" with HIPAA beside Meaningful Use]

Page 41:

The ‘Wall of Shame’

• OCR maintains a public breach portal, widely known as the “Wall of Shame”, listing health data breaches affecting 500 or more individuals.

• Breach notification rule

Breaches affecting 500 or more individuals go on the wall because they must be reported to HHS without unreasonable delay and no later than 60 calendar days after discovery

Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, no later than 60 days after the end of the calendar year in which they were discovered

Page 42:

Business Associates

• 59% of Business Associates reported a data breach in the last two years that resulted in loss/theft of PHI.

• If one of your Business Associates is not HIPAA compliant, the chances of OCR selecting you for an audit increase significantly.

Page 43:

Ramifications of Failing

• A compliance review for further investigation

• Large fines and penalties

• Increased chances for future audits

Meaningful Use

OCR HIPAA

• Criminal charges

Page 44:

Real World Consequences

• Catholic Health Care Services in Philadelphia (CHCS) agreed to pay $650,000 as part of its settlement following a mobile device theft that exposed patient PHI

• CHCS provided management and information technology services as a BA to six skilled nursing facilities

• OCR found that from the compliance date of the HIPAA Security Rule to the present, CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS”

• The BA also did not “implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply” with the HIPAA Security Rule

Page 45:

The New Audit Protocol

Page 46:

New Audit Protocol

• The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an updated Audit Protocol that it plans to use while auditing healthcare entities for HIPAA compliance.

• The biggest change to the audit protocol is the distinction that OCR has made between what’s required of Business Associates (BAs) versus what’s required of Covered Entities (CEs). The guidance is extensive and covers each type of audit along with precisely what action needs to be taken and by whom.

Page 47:

Audit Protocol Coverage

• OCR established a comprehensive audit protocol that contains the requirements to be assessed through audits. The entire audit protocol is organized around elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

• The audit protocol covers Privacy Rule requirements for:

notice of privacy practices for PHI,

rights to request privacy protection for PHI,

access of individuals to PHI,

administrative requirements,

uses and disclosures of PHI,

amendment of PHI, and

accounting of disclosures.

• The protocol also covers Security Rule requirements for administrative, physical, and technical safeguards.

Page 48:

Protocol Framework

• Printed out, the protocol runs to 350+ pages

• Column Headers

Audit Type – Security / Privacy / Breach

Section – Code of Federal Regulation (CFR) reference

Key Activity - Describes the category of the relevant rules

Established Performance Criteria - Verbiage from the subparts of the CFR

Audit Inquiry - Questions and Data being requested

Required/Addressable – whether a Security Rule implementation specification is required or addressable

• Primarily four types of entries for audit inquiry

Questions

Inquire of management

Obtain/ Review

Evaluate

Page 49:

Column Headers

Page 50:

General Instructions

• Where the document says entity, it means both covered entities and business associates unless identified as one or the other;

• Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards;

• Entities must provide only the specified documents, not compendiums of all entity policies or procedures. The auditor will not search for relevant documentation that may be contained within such compilations;

• Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request;

Page 51:

General Instructions

• Unless otherwise specified, selected entities should submit documents via OCR's secure online web portal in PDF, MS Word or MS Excel formats;

• If the requested number of documented instances of implementation is not available, the entity must provide instances from equivalent previous time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect;

• Workforce members include entity employees, on-site contractors, students, and volunteers; and,

• Information systems include hardware, software, information, data, applications, communications, and people.

Page 52:

Audit Type: Privacy Example

Page 53:

Audit Type: Security Example

Page 54:

Audit Type: Breach Example

Page 55:

Elements of an Effective Compliance Program

Page 56:

7 Elements of a Compliance Program

According to HHS an effective compliance program has 7 elements:

1. Implementing written policies, procedures and standards of conduct

2. Designating a compliance officer and compliance committee

3. Conducting effective training and education

4. Developing effective lines of communication

5. Conducting internal monitoring and auditing

6. Enforcing standards through well-publicized disciplinary guidelines

7. Responding promptly to detected offenses and undertaking corrective action

Page 57:

Compliance Means…

• Having policies and procedures in place that map directly to the regulations and reflect the results of your security risk analysis

• And being able to prove, with a paper trail or other evidence, that your workforce actually follows these policies and procedures

Page 58:

Preparing for an Audit

How to prepare:

• Complete your annual security risk assessment; make sure it is comprehensive per HIPAA regulations

• Document action plans with reasonable target completion dates for deficiencies discovered in your assessment

• Have a complete inventory of your business associates with their current contact information and up-to-date BAA on file

• Implement a breach notification policy per the Breach Notification Standards

• Have a compliant Notice of Privacy Practices (NPP)

• Review your HIPAA-related policies and procedures; perform any items that are past due

Page 59:

Key Questions

Covered entities should ask themselves:

• Does my business have written policies and protocols in place to address HIPAA standards?

• Is my business performing and documenting regular risk assessments?

• Does my business have an established data security policy?

• Does my business have a BYOD security and use policy?

• Are the business associates affiliated with my organization HIPAA compliant?

• Does my business have an effective incident response plan to handle a breach if it occurs?

• Are my employees required to complete regular HIPAA training programs?

Page 60:

What We Learned from 2015 Audits

• Small facilities are not exempt from OCR oversight

• Timely detection and response time is essential

• No risk analysis can lead to data security oversights

• Basic adherence to Privacy, Security rules is key

• Reviewing policies and performing regular updates is necessary to maintain compliance

Page 61:

Mandatory

• Adjective

Obligatory; required or commanded by authority.

Of, being or relating to a mandate.

• Synonyms

compulsory

obligatory

Page 62:

MACRA and HIPAA

HIPAA is a mandatory part of MACRA

MACRA states:

“We would require the MIPS eligible clinician to meet the requirement to protect patient health information (Complete an SRA) created or maintained by certified EHR technology to earn any score within the advancing care information performance category; failure to do so would result in a base score of zero, a performance score of zero, and an advancing care information performance category score of zero.”

Page 63:

Next Steps

• Visit us at Itentive.com

• Sign-up for our informative webinars and blog

• Consider our 3 security risk analysis options:

Self- Assessment

Remote Security Risk Analysis

Onsite Security Risk Analysis

Page 64:

Itentive HIPAA Risk Analysis

Itentive can assist you in performing a thorough and accurate HIPAA Security Risk Analysis

• Itentive will manage your HIPAA Security Risk Analysis and guide you, step-by-step through the entire process

• Our methodology leverages the proven and tested HIPAA One software platform which includes a comprehensive set of compliance questions and acts as a repository for maintaining the interview responses, supporting documentation and remediation action plan

• We will:

Review your interview responses and supporting materials and identify areas which need additional information or clarification

Identify threats/vulnerabilities and analyze controls in place

Guide the development of your remediation plan prioritizing risks by likelihood and impact

Help you track and document your ongoing remediation efforts throughout the year

Be available as a resource to answer your HIPAA and Meaningful Use compliance related questions

Page 65:

Questions

• Lindsey Lanning

Healthcare Informatics Coordinator

[email protected]

224-220-5621

• Cindi Kincade

Vice President, Client Solutions

[email protected]

224-220-5575

• Kathy Thompson

Managing Consultant

[email protected]

224-220-5531

Page 66:

Thank you
