
Office of the Secretary, Office for Civil Rights (OCR)

2012 HIPAA Privacy and Security Audits

Linda Sanches, OCR Senior Advisor, Health Information Privacy; Lead, HIPAA Compliance Audits

OCR

Agenda
- Background
- Structure
- Audit Subject Selection
- Process & Timeline
- Initial 20 Auditees

HITECH Act Impact
HITECH Act (of the American Recovery and Reinvestment Act of 2009):
- Establishes breach notification requirements
- Establishes new penalty levels
- Establishes compliance requirements for business associates
- Extended enforcement authority to State Attorneys General
- Mandates performance of privacy and security audits

Background
The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.
To implement this mandate, OCR is piloting a program to perform up to 115 audits of covered entities to assess HIPAA privacy, security and breach notification performance.
Audits are conducted in two phases: initial audits to test the newly developed protocol, and final pilot audits through December 2012.

Program Objective
Audits present a new opportunity to:
- Examine mechanisms for compliance
- Identify best practices
- Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews
- Encourage renewed attention to compliance activities

Program Goal
To improve covered entity and business associate compliance with the HIPAA standards.
Widely publicizing the audit program and audit results will spur covered entities and business associates to assess and calibrate their privacy and security protections.
OCR will share best practices gleaned through the audit process and guidance targeted to observed compliance challenges. Such technical assistance will assist those entities that are seeking information to frame their ongoing compliance efforts.

Audit Plan

Description | Vendor | Status / Timeframe
Audit program development study | Booz Allen Hamilton | Closed, 2010
Covered entity & business associate identification and catalog | Booz Allen Hamilton | Closed, 2012
Develop audit protocol and conduct audit | KPMG, Inc. | Open, 2011-2012
Evaluation of audit program | TBD | To be awarded; conclude in 2013

Protocol Design & Program Performance Contract
- Goal: investigate and assess whether a CE is in compliance with the Rules
- Develop in accordance with GAO auditing standards
- Protocol comprehensive, with modules to permit targeting of issues and entity types; designed for future use by OCR or others
- Provide assessment of policies, practices, operations and infrastructure

Who Will Be Audited?
Every covered entity is eligible for an audit. For 2011-2012, OCR seeks to audit as wide a range of types and sizes of covered entities as possible, which includes:
- Health plans of all types
- Health care clearinghouses
- Individual and organizational providers
- Business Associates in a later audit wave

Auditee Selection Criteria
OCR identified a pool of covered entities. Specific criteria include but are not limited to:
- Public versus private
- Entity's size, e.g., level of revenues/assets, number of patients or employees, use of HIT
- Affiliation with other healthcare organizations
- Geographic location
- Type of entity and relationship to patient care

Timeline for the Audit Program
KPMG contract into effect June 2011; now standing up the program activities. Pilot audit program is a three-step process.
1. Working with KPMG to develop the draft audit protocols. Completed November 2011.
2. An initial round of audits tested the protocols. Results of field testing provided feedback for final protocol design. Fieldwork completed March 1st; final protocol design completed April 2012.
3. Rolling out the full range of audits and evaluation process. All audits will be completed by December 2012.

How Will the Audit Program Work?
- Entities selected for an audit will receive a notification letter from OCR and be asked to provide documentation to the auditor
- Every audit will include a site visit and result in an audit report
- KPMG will recommend suggested modifications to the protocol
- KPMG will summarize findings & results and highlight consistent issues
- Final report: how the audit was conducted; what the findings were; and what actions the covered entity is taking in response to those findings

What Will Be the Outcome of an Audit?
Audits are a type of review that serves more as a compliance improvement tool than an investigation of a particular violation that may lead to sanctions and penalties. An audit may uncover vulnerabilities and weaknesses that can be appropriately addressed through corrective action on the part of the entity.
It is possible that an audit could indicate serious compliance issues that may trigger a separate enforcement investigation by OCR.

What Is a Performance Audit?
- Measure performance against established criteria
- Privacy, Security and Breach: the Rules were made auditable and measurable by developing performance criteria to execute these audits
- Used by regulators to understand how industry is complying with a set of regulations
- Conducted under GAGAS, Generally Accepted Government Auditing Standards, aka Yellow Book Standards
- Allow for rendering an opinion of whether an entity has key controls and processes to allow the entity to maintain or achieve compliance with the Rules
- Not intended to be punitive, but rather to measure compliance with regulations

Overview of HIPAA Audit Project (timeline slide; recovered labels only)
July 2011 to March 2012: Initial Protocol Development; Auditee Selection; Auditee Notification; Test of Initial 20 Audits (test of protocol); Period of Review / Adjustment of Protocols
April 2012 to December 2012: Audit Execution, Remaining Audits; Protocol Updates As Needed

Breakdown of First 20 Auditees
Level 1 Entities: Large provider / health plan. Extensive use of HIT; complicated HIT-enabled clinical/business work streams. Revenues and/or assets greater than $1 billion.
Level 2 Entities: Large regional hospital system (3-10 hospitals/region) / regional insurance company. Paper and HIT-enabled workflows. Revenues and/or assets between $300 million and $1 billion.
Level 3 Entities: Community hospitals, outpatient surgery, regional pharmacy / all self-insured entities that don't adjudicate their claims. Some but not extensive use of HIT; mostly paper-based workflows. Revenues between $50 million and $300 million.
Level 4 Entities: Small providers (10 to 50 provider practices, community or rural pharmacy). Little to no use of HIT; almost exclusively paper-based workflows. Revenues less than $50 million.

First 20 Auditees by Entity Type

Level | Health Plans | Healthcare Providers | Healthcare Clearinghouses | Total
Level 1 | 2 | 2 | 1 | 5
Level 2 | 3 | 2 | 1 | 6
Level 3 | 1 | 2 | 0 | 3
Level 4 | 2 | 4 | 0 | 6
Total | 8 | 10 | 2 | 20

First 20 Plans and Providers

Health Plans | Count
Medicaid | 1
SCHIP | 1
Group Health | 3
Health Insurance Issuer | 3

Health Care Providers | Count
Allopathic & Osteopathic Physicians | 3
Hospitals | 3
Laboratories | 1
Dental | 1
Nursing & Custodial Care Facilities | 1
Pharmacy | 1

Initial 20 Findings Analysis (slide titles only; the chart content of these slides is not recoverable from the page)
- Overview
- Privacy Issues
- Privacy: Uses and Disclosures
- Privacy: Notice and Access
- Privacy: Administrative Requirements
- Security Issues
- Security Top Issues

Preliminary Observations
- Policies and Procedures
- Priority HIPAA compliance programs
- Small providers
- Larger entities: security challenges
- Conduct of Risk Assessments
- Managing third party risks
- Privacy challenges are widely dispersed throughout the protocol; no clear trends by entity type or size

Future of Audit
- All audits in pilot to end December 2012
- Findings will be used to look for trends
- Evaluation contract to conduct analysis of 2011 and 2012 activities
- Pilot experience and reports will feed into decisions re ongoing audit program: structure, focus, size

Future of Audit
TBD: Business Associates, more decisions
- BA Protocol Development
- Who to Audit: how to identify BAs. Who is a business associate? How to identify in the population? Location; line of business; timeliness of information; subcontractors?
- What to Audit: limited requirements for BAs

Non-Compliance Risks
- Loss of contracts
- Criminal and civil investigation
- Federal penalties, State fines
- Public harm and reputational risk
- Legal costs
- Cost of notification

Next Steps to Consider
- Conduct a robust review & assessment
- Determine lines of business affected by HIPAA
- Map/flow PHI movement within your organization, as well as flows to/from third parties
- Find all of your PHI
- See guidance available on the OCR website
