How to prepare for OCR's upcoming phase 2 audits

1 Copyright 2007-2015

Transcript of How to prepare for OCR's upcoming phase 2 audits


Page 2: HIPAA Compliance

• HIPAA compliance is mandatory for 7 million Covered Entities (CEs) and Business Associates (BAs)
• 70% of the market is NOT compliant!
• HITECH/EHR incentive requires:
  - Stage 1: Risk Assessment for Meaningful Use Core Measure 15
  - Stage 2: Illustrate corrective actions
• Omnibus Rule:
  - Compliance date was September 2013
  - Requires CEs and BAs to be HIPAA compliant
  - CEs must have Business Associate Agreements (BAAs)

Page 3: Phase 1 Audit Results

• Only Covered Entities were audited
• ONLY 11% had no findings/observations
• 98% of health care providers had at least one negative finding
• Small-sized Covered Entities struggled with all three HIPAA Standards (Privacy, Security, and Breach Notification)

Page 4: Phase 2 Audits

• BOTH Covered Entities and Business Associates will be audited
• Stricter audit protocols
• OCR (Office for Civil Rights) has started sending Pre-Audit Screening surveys


Page 5: Pre-Audit Screening Surveys

• Randomly selected from the National Provider Identifier (NPI) database and America's Health Insurance Plans databases
• A pool of 550 to 800 entities selected for surveys
• 2 weeks to respond

Page 6: Phase 2 Pre-Audit Screening Surveys

Page 7: Phase 2 Audits

Will focus on:
• Areas of greater risk to PHI
• Non-compliance issues observed during Phase 1:
  - Risk Analysis/Assessments
  - Breach Notifications
  - Notice of Privacy Practices
  - Workforce member training
• Identifying best practices
• Uncovering risks/vulnerabilities not yet identified

Page 8: The Seven Fundamental Elements of an Effective Compliance Program

1. Implementing written policies, procedures and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.

*Source: HHS & OIG

Page 9: Phase 2 Preparation Protocols

• Confirm the organization has recently completed a comprehensive Risk Assessment.
• Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion.
• Ensure that the organization has a complete inventory of BAs and their contact information for purposes of the Phase 2 Audit data requests.
• If the organization has not implemented any of the Security Standards' addressable implementation specifications for any of its information systems, the documentation must state:
  (1) why any such addressable implementation specification was not reasonable and appropriate, and
  (2) all alternative security measures that were implemented.
• Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards.
• For health care provider and health plan covered entities, ensure that the organization has a compliant Notice of Privacy Practices and not just a website privacy notice.

Page 10: Phase 2 Preparation Protocols (Cont.)

• Ensure the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI.
• Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for them to perform their job duties.
• Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment).
• Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has a documented risk analysis supporting the decision not to employ encryption.
• Confirm the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan.
• Review the organization's HIPAA security policies to identify any actions that have not been completed as required (physical security plan, disaster recovery plan, emergency access procedures, etc.).

Page 11: HIPAA Misconceptions

• "HHS and OCR aren't interested in my practice."
• "It's really hard, complicated and I am better off ignoring it."
• "HIPAA is just that form we have patients sign – that's enough."
• "All I need is a Risk Assessment."

Page 12: Compliance Plan

Step 1. Assess where you are against the regulation (GAP)
• The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA
• A risk analysis will help you attest to Meaningful Use Stage 1 Core Requirement 15

Step 2. Remediation Plan
• Prove that you remediated the deficiencies identified in the risk analysis
• Policies & Procedures, Training, and Attestation

Page 13: Compliance Plan (Continued)

Step 3. How do you prove it? Successful compliance plans address:
• Administrative and Technical
  - Policies and Procedures
• IT security
  - Devices installed and maintained within your organization
• Physical
  - Security within the physical locations of your practice(s)

(Meaningful Use Stage 2 Core Requirement 9 requires remediation of deficiencies found during the risk analysis to be documented and completed.)

Step 4. Maintain your compliance
• As the regulations, staff, and practice change

Page 14: Compliance In 3 Steps!

HIPAA Education Series sponsored by:
www.compliancy-group.com
855.85 HIPAA (855.854.4722)

To find out more call: 855.854.4722 or email: [email protected]

[Comparison chart: The Guard vs. Outside Consultant, Manuals or Templates, Risk Assessment Provider, Other Compliance Software]


Page 16: Questions?

For more information, contact:

Sales & Demo Scheduling Questions: Marc Haskelson
855.854.4722 ext 507, [email protected]

HIPAA Questions: Bob Grant
855.854.4722 ext 502, [email protected]
