Preparing for an OCR Audit: What is Expected of You

Slide deck (PDF) from a FairWarning webinar, a follow-up to the webinar where Nicholas Heesters from the Office for Civil Rights covered common findings associated with audit controls.

Page 2

Speakers

• Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning

• Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning

• Kurt J. Long, Founder and CEO, FairWarning

Page 3

Agenda

This webinar is a follow-up to our March 9th webinar where Nicholas Heesters from the Office for Civil Rights covered common findings associated with audit controls and access rights management.

• How to conduct an application risk analysis to create written documentation of why you monitor an application or not

• Key elements of your acceptable use policies for authorized users of your applications holding ePHI

• Key aspects of a successful awareness training program

• What generally to expect from an OCR Audit

• Insights into protecting your organization from affiliated staff

• Breakdown of the recent OCR audit control resolution agreement

Page 4

Application Risk Analysis

• Identify where all your ePHI resides

• Complete an application inventory

• Develop criteria to evaluate the risks involved

• Prioritize the order to integrate into FairWarning® based on the risk criteria

• Proactively monitor applications for inappropriate use

Understanding, Documenting and Mitigating Your Risk

Page 5

Documentation of Decisions

• Document the plan to integrate applications into FairWarning

• Document the criteria used to select applications holding ePHI

• Executive sign-off on all documentation

You may reach out to your customer success manager to request educational materials

Page 6

Acceptable Use of ePHI

Policy Key Elements

• Set the expectation that users have zero rights to privacy within the organization's application systems

• Who is responsible for setting use and access?

• What is considered business appropriate?

• How can users access their own records for personal use? e.g. through the patient portal

• What happens if a user sees inappropriate behavior?

Page 7

Awareness Training

• Evolving threat landscape requires evolving the human firewall

• Educate staff as new threats emerge

• Empower them on how to prevent threats from happening

• Change users' behavior with proactive training

• Reinforce organization’s expectations

• Train users to be ambassadors

• Document that all users are periodically trained

Page 8

FairWarning Educational Materials

Reach out to your customer success manager to request educational materials

Page 9

OCR Enforcement

June 2016 – Iliana Peters cited covered entities lacked appropriate auditing controls

January 2017 – OCR offers guidance on the importance of Audit Controls

February 16, 2017 – OCR issues first of its kind Resolution Agreement highlighting the importance of audit controls

February 20, 2017 – “We are going to continue to execute our enforcement authorities…business as usual”

– Deven McGraw, Deputy Director of HHS Office for Civil Rights

To hear more on 2017 OCR enforcement from Deven McGraw

Page 10

What to Expect - Initial Request

• Assign individuals designated to work with the OCR

• Documentation of investigative reports for all incidents along with response to mitigate

• Copy of notification letters

• Evidence that the organization notified media of breach greater than 500

• Policies and procedures regarding security incidents

• Policies and procedures surrounding security awareness and training

• Proof that staff completed training

• Policies and procedures for reviewing system activity

• Policies and procedures regarding access controls

• Policies and procedures detailing sanctions

• Policies and procedures (P&P) for proper use of workstations

• Documentation that all staff are trained, including new members and whenever changes to P&P are made

Page 11

OCR/HIPAA Review/Audit Timeline

• Notification Receipt – timestamp or date/time of receipt

• Document Discovery – 10 days to supply

• Review of Documents – 4-8 weeks for the audit team to review materials

• Onsite Visits – they will notify you of dates (3-14 days onsite)

• Preliminary Report – provided at the out-brief on the last day onsite

• Final Report – 10-14 days after onsite

• Management Response – 14 days to provide

• Package to OCR – after the 14-day period for management response ends

Page 12

Don’t Be One of These – Lessons Learned

• Do not recycle user IDs

• Policies were not reviewed and do not support your program

• Staff not given any training prior to start of monitoring program

• No plan or process to follow-up on alerts for potentially unwanted behavior

• Zero tolerance policy day one

• No plan or process on how and where to document the follow-ups

• Turning on too many automated alerts at one time

• Leaving investigations “Open and Active” past notification deadlines

Page 13

Security Management Process

§164.308(a)(1)(i) Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Page 14

Access Control

§164.312(a)(1) Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

(2) Implementation specifications: (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Page 15

What You Need to Evidence

• That you are using unique user IDs for all users

• That you are reviewing system activity in systems that contain ePHI

• That you are following up on potential violations

• That you are sanctioning employees that fail to comply with the policies

Page 16

The Evidence

(Pages 16-21 are screenshot slides titled “The Evidence”; no text content survived extraction.)

Page 22

Keys to Win Executive Support

• Greater trust from patients

• Less likelihood of lawsuits

• Fewer patient complaints

• Less likelihood of OCR breach

Risk is Leaving the Business

Page 23

Breakdown of the Recent OCR Audit Control Resolution Agreement

• The protected health information (PHI) of 115,143 individuals was accessed by its employees and impermissibly disclosed to affiliated physician office staff.

• Failed to implement procedures with respect to reviewing, modifying and/or terminating users' right of access.

• Failed to regularly review records of information system activity on applications that maintain ePHI by workforce users and users at affiliated physician practices.

• The login credentials of a former employee of an affiliated physician's office had been used to access the ePHI on a daily basis without detection, affecting 80,000 individuals.

Page 24

Application Access Logs

(Diagram slide; only its labels survived extraction.) Access logs and local user lists from Lawson, AD and Cerner, plus other applications, feed FairWarning Dynamic Identity Intelligence, which discovers known users, unmatched users and dormant users, and enables reporting on access after termination, access control review, and dynamic identity on roles, profiles and history, with data integrity. Described as foundational to FairWarning.

Healthcare system network: AD covers employees; non-employees with access include vendors, contractors, affiliate physicians, 3rd-party physicians and diagnostics, clinics, etc.

Prevalent Industry Challenges

Page 25

Dynamic Identity Intelligence

• Discover unmatched/unknown users

• Report on access after termination

• Reporting on HIPAA’s access rights management
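One way to run the reconciliation these slides describe, as an added Python example (not FairWarning's product code): join application access logs against a directory export to surface unmatched users, access after termination (the pattern in the resolution agreement on page 23) and dormant accounts. The directory fields, the 90-day dormancy window and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the webinar): an AD/HR directory
# export keyed by user ID, and (application, user ID, timestamp) log rows.
DIRECTORY = {
    "jsmith":  {"status": "active",     "terminated": None},
    "rlopez":  {"status": "terminated", "terminated": "2017-01-15"},
    "kwong":   {"status": "active",     "terminated": None},
    "vendor7": {"status": "active",     "terminated": None},
}
ACCESS_LOG = [
    ("Cerner", "jsmith",  "2017-03-01T08:12:00"),
    ("Cerner", "rlopez",  "2017-03-02T09:30:00"),  # after termination
    ("Lawson", "rlopez",  "2017-01-10T17:05:00"),  # before termination: ok
    ("Cerner", "drpatel", "2017-03-03T11:00:00"),  # not in the directory
    ("Lawson", "kwong",   "2016-11-20T14:45:00"),  # last seen long ago
]


def review_access(directory, log, as_of, dormant_days=90):
    """Reconcile access logs against the identity directory and return the
    three findings an access-rights review needs to evidence."""
    as_of = datetime.strptime(as_of, "%Y-%m-%d")
    unmatched, after_termination, last_seen = set(), [], {}
    for app, uid, ts in log:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        last_seen[uid] = max(when, last_seen.get(uid, when))
        rec = directory.get(uid)
        if rec is None:                      # log ID with no directory match
            unmatched.add(uid)
            continue
        term = rec["terminated"]
        if term and when.date() > datetime.strptime(term, "%Y-%m-%d").date():
            after_termination.append((app, uid, ts))
    # Active directory accounts with no access inside the dormancy window.
    cutoff = as_of - timedelta(days=dormant_days)
    dormant = sorted(uid for uid, rec in directory.items()
                     if rec["status"] == "active"
                     and last_seen.get(uid, datetime.min) < cutoff)
    return {"unmatched": sorted(unmatched),
            "after_termination": after_termination,
            "dormant": dormant}


if __name__ == "__main__":
    for finding, items in review_access(DIRECTORY, ACCESS_LOG, "2017-03-15").items():
        print(finding, items)
```

Each finding maps to an item the audit asks you to evidence: unmatched IDs to unique user identification, post-termination access to access-rights review, and dormant accounts to regular review of system activity.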

Page 26

Managed Privacy Services

Trained and certified FairWarning staff members who review your potential incidents as well as guide you toward continual HIPAA compliance readiness.

Patient Privacy Intelligence

• Monitors access to PHI in EHRs, apps, cloud and big data

• Insider threats – OCR issued an advisory in August 2016

• HIPAA audit controls

Dynamic Identity Intelligence

• Identify and monitor affiliated, non-employee users

• Reporting on HIPAA's access rights management

• Highest service levels

• Ease of use

• Secure

• Affordable

Cloud

Page 28

Questions? Contact us

• Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning

• Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning

• Kurt J. Long, Founder and CEO, FairWarning