Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA...

28
Update on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human Services September, 2017

Transcript of Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA...

Page 1: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

Update on Audits of Entity Compliance with the HIPAA Rules

Linda SanchesOffice for Civil Rights (OCR)

U.S. Department of Health and Human Services

September, 2017

Page 2: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

2

Presentation Topics

Purpose

Phase 2 Audit Program Status, Process, Protocol

Preliminary Findings

Guidance

Page 3: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

3

Audit Program Purpose

• Identify best practices; uncover risks & vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance– Intended to be non-punitive, but OCR can open up

compliance review (for example, if significant concerns are raised during an audit or an entity fails to respond)

• Learn from this phase in structuring permanent audit program

• Develop tools and guidance for industry self-evaluation and breach prevention

Support Improved Compliance

Page 4: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

4

Audit Program Status

• Desk audits of covered entities complete

• Desk audits of business associates underway

• Business associate selection pool largely drawn from over 20,000 entities identified by audited CEs

• On-site audits of both CEs and BAs after completion of the desk audit process, to evaluate against a comprehensive selection of controls in protocols

• Desk audit subject may be subject to on-site audit

Page 5: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

5

# of Audits by Type & Provision

CE Audits (166) • Privacy and Breach (103)• Security (63)

BA Audits (41)• Breach and Security

Page 6: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

6

Audited Covered Entities

Provider90%

Health Plan8.7%

Health Care Clearinghouse

1%

2016 Audited Covered Entities

Page 7: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

7

# of Audits by Region

Page 8: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

8

Desk Audit Reporting: Process

After review of submitted documentation• draft findings

shared with the entity,

• Entity may respond in writing

Final audit reports will • describe how the

audit was conducted,

• present any findings, and

• contain any written entity responses to the draft

Under OCR’s separate, broad authority to open compliance reviews, OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of PHI are revealed through the audit

Page 9: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

9

Failure to Respond

Email notice to verify contact information

Pre-audit screening questionnaire

Document request notification

Entities who fail to respond, remain in the audit pool & may be subject to compliance review

Page 10: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

10

Covered Entity Desk Audit Controls

Privacy Rule Controls

Notice of Privacy Practices & Content Requirements[§164.520(a)(1) & (b)(1)]

Provision of Notice – Electronic Notice[§164.520(c)(3)]

Right to Access[§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule Controls

Timeliness of Notification[§164.404(b)]

Content of Notification[§164.404(c)(1)]

Security Rule Controls

Security Management Process -- Risk Analysis[§164.308(a)(1)(ii)(A)]

Security Management Process -- Risk Management[§164.308(a)(1)(ii)(B)]

Page 11: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

11

Business Associate Desk Audit Controls

Breach Notification Rule Controls

Notification by a Business Associate [§164.410, with reference to Content of Notification§164.404(c)(1)]

Security Rule Controls

Security Management Process -- Risk Analysis[§164.308(a)(1)(ii)(A)]

Security Management Process -- Risk Management[§164.308(a)(1)(ii)(B)]

Page 12: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

12

Document Requests: Privacy and Breach Audits

• Notice of Privacy Practices Copy of all notices including URL of notice posted on the entity web

site, electronic notice policy and procedures

• Right to Access Access requests, extensions to access requests, access requests

templates/forms, NOPP, access policies and procedures

• Timeliness of Notification Documentation for five small and large breaches incidents

• Content of Notification Five large breach incidents, breach template/form, copy of a single

written notice

Page 13: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

13

Document Requests: Security Audits

• Risk Analysis Current and prior risk analysis and resultsPolicies and procedures of the risk analysis processPolicies and procedures related to the implementation of risk

analysis 6 years prior to the date of audit notificationDocumentation from the previous year demonstrating

implementation of risk analysis process, how it is available to persons responsible for process and evidence the documentation is periodically reviewed and updated, as needed

Page 14: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

14

Document Requests: Security Audits

• Risk Management Documentation demonstrating the security measures implemented

to reduce risks as a result of the current risk analysis or assessment Documentation demonstrating the efforts used to manage risks

from the previous calendar year Policies and procedures of the risk management process Policies and procedures related to the implementation of risk

management for the prior 6 years of the date of audit notification Documentation demonstrating the current and ongoing risks

reviewed and updated Documentation from the previous year demonstrating

implementation of the risk management process, how it is available to persons responsible for the risk management process and evidence the documentation is periodically reviewed and updated, as needed

Page 15: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

15

Effort Ratings

Compliance Effort Ratings—Legend

Rating Description

1 The audit results indicate the entity is in compliance with both goals and objectives of the selected standards and implementation specifications.

2 The audit results indicate that the entity substantially meets criteria; it maintains appropriate policies and procedures, and documentation and other evidence of implementation meet requirements.

3 Audit results indicate entity efforts minimally address audited requirements; analysis indicates that entity has made attempts to comply, but implementation is inadequate, or some efforts indicate misunderstanding of requirements.

4 Audit results indicate the entity made negligible efforts to comply with the audited requirements - e.g. policies and procedures submitted for review are copied directly from an association template; evidence of training is poorly documented and generic.

5 The entity did not provide OCR with evidence of serious attempt to comply with the Rules and enable individual rights with regard to PHI.

Page 16: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

16

Anatomy of an Audit Report

Introduction Audit Objective Background Scope and Methodology Results of Review Auditor Ratings Legend Summary of Auditor Ratings Auditor Analysis & Findings

Element #Auditor’s AnalysisEffectFindingRatingsEntity Response

Page 17: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

17

Draft Findings to Date

Page 18: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

18

Ratings

Rating PolesBreach T 103 5 Rating 1 Rating

Timeliness of Notification 15 67

Content of Notification 9 14

Privacy T 103

Access 11 1

Notice Content 16 2

eNotice 15 59

Security T 63

Risk Analysis 13 0

Risk Management 17 1

Page 19: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

19

Breach Notification

65%6%

2%9%

11%7%

BNR 12 -- Timeliness of Notification

12345N/A

Ratings

Page 20: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

20

Breach Notification Content Ratings

14%

14%

23%

37%

7% 5%

BNR 13 -- Content of Notification

12345N/A

Ratings

Page 21: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

21

NPP Content Ratings

2%

33%

39%

11%

15%

P55 -- Notice of Privacy Practices -- Content

12345

Ratings

Page 22: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

22

Web Site Posting of NPP Ratings

57%

15%

4%6%

15%3%

P58 - Provision of Notice

12345N/A

Ratings

Page 23: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

23

Access Ratings

1

10

27

54

11

P65 -- Right to Access

1

2

3

4

5

Ratings

Page 24: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

24

Risk Analysis Ratings

08

19

23

13

S 2 Security Risk Analysis Ratings63 Covered Entities

12345

Ratings

Page 25: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

25

Risk Management Ratings

13

13

29

17

S 3 Risk Management Ratings

12345

Ratings

Page 26: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

26

Posted Audit Guidance

OCR Audit Website: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

Selected protocol elements with associated document submission requests and related Q&As

Slides from audited covered entity webinar held July 13, 2016

Comprehensive question and answer listing

Page 27: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

27

http://www.hhs.gov/hipaa

Join us on @hhsocr

More Information

Page 28: Update on Audits of Entity Compliance with the … on Audits of Entity Compliance with the HIPAA Rules Linda Sanches Office for Civil Rights (OCR) U.S. Department of Health and Human

For additional information contact:Zinethia L. Clemmons

HIPAA Compliance Audit Program [email protected]