Preparing for an OCR Audit: What is Expected of You
Speakers
Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning
Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning
Kurt J. Long, Founder and CEO, FairWarning
Agenda
This webinar is a follow-up to our March 9th webinar where Nicholas Heesters from the Office for Civil Rights covered common findings associated with audit controls and access rights management.
• How to conduct an application risk analysis to create written documentation of why you monitor an application or not
• Key elements of your acceptable use policies for authorized users of your applications holding ePHI
• Key aspects of a successful awareness training program
• What generally to expect from an OCR Audit
• Insights into protecting your organization from affiliated staff
• Breakdown of the recent OCR audit control resolution agreement
Application Risk Analysis
• Identify where all your ePHI resides
• Complete an application inventory
• Develop criteria to evaluate the risks involved
• Prioritize the order to integrate into FairWarning® based on the risk criteria
• Proactively monitor applications for inappropriate use
Understanding, Documenting and Mitigating Your Risk
Documentation of Decisions
• Document plan to integrate applications into FairWarning
• Document criteria used to select applications holding ePHI
• Executive sign-off on all documentation
You may reach out to your customer success manager to request educational materials
Acceptable Use of ePHI
Policy Key Elements
• Set the expectation that users have no right to privacy within the organization's application systems
• Who is responsible for setting use and access?
• What is considered business appropriate?
• How can users access their own records for personal use? (e.g. through the patient portal)
• What happens if a user sees inappropriate behavior?
Awareness Training
• Evolving threat landscape requires evolving the human firewall
• Educate staff as new threats emerge
• Empower them on how to prevent threats from happening
• Change users' behavior with proactive training
• Reinforce organization’s expectations
• Train users to be ambassadors
• Document that all users are periodically trained
FairWarning Educational Materials
Reach out to your customer success manager to request educational materials
OCR Enforcement
June 2016 – Iliana Peters cited covered entities lacked appropriate auditing controls
January 2017 – OCR offers guidance on the importance of Audit Controls
February 16, 2017 – OCR issues first of its kind Resolution Agreement highlighting the importance of audit controls
February 20, 2017 – “We are going to continue to execute our enforcement authorities…business as usual”
– Deven McGraw, Deputy Director of HHS Office for Civil Rights
To hear more on 2017 OCR enforcement from Deven McGraw
What to Expect – Initial Request
• Assign individuals designated to work with the OCR
• Documentation of investigative reports for all incidents along with the response taken to mitigate them
• Copy of notification letters
• Evidence that the organization notified the media of any breach affecting more than 500 individuals
• Policies and procedures regarding security incidents
• Policies and procedures surrounding security awareness and training
• Proof that staff completed training
• Policies and procedures for reviewing system activity
• Policies and procedures regarding access controls
• Policies and procedures detailing sanctions
• Policies and procedures (P&P) for proper use of workstations
• Documentation that all new workforce members are trained, and that all staff are retrained whenever changes to P&P are made
OCR/HIPAA Review/Audit Timeline
• Notification Receipt – timestamp or date of receipt
• Document Discovery – 10 days to supply
• Review of Documents – 4-8 weeks for the audit team to review materials
• Onsite Visits – they will notify you of dates (3-14 days onsite)
• Preliminary Report – provided at the out-brief on the last day onsite
• Final Report – 10-14 days after onsite
• Management Response – 14 days to provide
• Package to OCR – after the 14-day period for management response ends
Don’t Be One of These – Lessons Learned
• Do not recycle user IDs
• Policies were not reviewed and do not support your program
• Staff not given any training prior to start of monitoring program
• No plan or process to follow up on alerts for potentially unwanted behavior
• Zero tolerance policy day one
• No plan or process on how and where to document the follow-ups
• Turning on too many automated alerts at one time
• Leaving investigations “Open and Active” past notification deadlines
Security Management Process
§164.308(a)(1)(i) Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Access Control
§164.312(a)(1) Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
What You Need to Evidence
• That you are using unique user IDs for all users
• That you are reviewing system activity in systems that contain ePHI
• That you are following up on potential violations
• That you are sanctioning employees that fail to comply with the policies
The Evidence
Keys to Win Executive Support
• Greater trust between the organization and its patients
• Less likelihood of lawsuits
• Fewer patient complaints
• Less likelihood of OCR breach
Risk is Leaving the Business
Breakdown of the Recent OCR Audit Control Resolution Agreement
• The protected health information (PHI) of 115,143 individuals was accessed by its employees and impermissibly disclosed to affiliated physician office staff.
• Failed to implement procedures with respect to reviewing, modifying and/or terminating users' right of access.
• Failed to regularly review records of information system activity on applications that maintain ePHI by workforce users and users at affiliated physician practices.
• The login credentials of a former employee of an affiliated physician's office had been used to access the ePHI on a daily basis without detection, affecting 80,000 individuals.
Prevalent Industry Challenges (architecture diagram)
Application access logs from Lawson and AD feed FairWarning Dynamic Identity Intelligence, which is foundational to FairWarning.
Diagram elements:
• Discover: Known Users, Unmatched Users, Dormant Users
• Enables: Access after termination, Access Control Review, Dynamic Identity on Roles, Profiles, History, Data Integrity
• Healthcare System Network sources, each contributing access logs and local users: AD (Employees); Non-Employees with Access (Vendors, Contractors, Affiliate Physicians); Cerner; 3rd Party Physicians and Diagnostics, Clinics, etc.; Others
Dynamic Identity Intelligence
• Discover unmatched/unknown users
• Report on access after termination
• Reporting on HIPAA’s access rights management
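The three findings the deck keeps returning to (unmatched users, access after termination, dormant accounts, and the resolution agreement's daily use of a former affiliate employee's credentials) all come from one control: joining application access logs against an authoritative identity roster and reviewing the mismatches. The script below is an added example written for this page; it is not FairWarning's Dynamic Identity Intelligence code and does not use its data formats. The roster, the CSV log layout, the user IDs, and the 90-day dormancy window are constructed assumptions.

```python
"""Information system activity review: join access logs to an identity roster.

Added illustration, not FairWarning code. Roster fields, log columns and
all user/patient identifiers below are constructed for the example.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed stand-in for an AD/HR export: who is vouched for, and when
# (if ever) their access should have ended.
ROSTER = {
    "jdoe":    {"source": "AD",        "terminated": None},
    "asmith":  {"source": "AD",        "terminated": date(2017, 1, 15)},
    "drpatel": {"source": "affiliate", "terminated": None},
    "mlee":    {"source": "AD",        "terminated": None},
}

# Constructed sample application access log (one row per record access).
ACCESS_LOG = """\
date,application,user_id,patient_id,action
2017-02-01,Cerner,jdoe,P1001,view
2017-02-01,Cerner,asmith,P1002,view
2017-02-02,Cerner,asmith,P1003,view
2017-02-02,Lawson,drpatel,P1004,view
2017-02-03,Cerner,ghost7,P1005,view
2017-02-03,Cerner,jdoe,P1006,view
"""


def parse_log(text):
    """Parse the CSV log into dicts with a real date object."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["date"] = date.fromisoformat(row["date"])
        events.append(row)
    return events


def find_unmatched(events, roster):
    """User IDs present in the logs that no identity source can vouch for."""
    return sorted({e["user_id"] for e in events if e["user_id"] not in roster})


def find_post_termination(events, roster):
    """Accesses by roster users dated after their termination date."""
    hits = []
    for e in events:
        entry = roster.get(e["user_id"])
        if entry and entry["terminated"] and e["date"] > entry["terminated"]:
            hits.append((e["user_id"], e["date"].isoformat(),
                         e["application"], e["patient_id"]))
    return hits


def find_dormant(events, roster, as_of, window_days=90):
    """Active roster users with no recorded activity inside the lookback window."""
    last_seen = {}
    for e in events:
        u = e["user_id"]
        if u not in last_seen or e["date"] > last_seen[u]:
            last_seen[u] = e["date"]
    cutoff = as_of - timedelta(days=window_days)
    return sorted(u for u, entry in roster.items()
                  if entry["terminated"] is None
                  and (u not in last_seen or last_seen[u] < cutoff))


def activity_review(log_text, roster, as_of_iso, window_days=90):
    """Run all three checks; as_of_iso is the review date as an ISO string."""
    events = parse_log(log_text)
    as_of = date.fromisoformat(as_of_iso)
    return {
        "unmatched_users": find_unmatched(events, roster),
        "post_termination_access": find_post_termination(events, roster),
        "dormant_users": find_dormant(events, roster, as_of, window_days),
    }


if __name__ == "__main__":
    for finding, detail in activity_review(ACCESS_LOG, ROSTER, "2017-02-28").items():
        print(f"{finding}: {detail}")
```

Each list the review returns is something an auditor can be shown: the unmatched ID is either a local account that bypassed provisioning or a recycled ID, the post-termination rows are the access-rights-management failure the resolution agreement describes, and the dormant list is the input to a periodic access review. Keeping the review output and the follow-up decision for each row is what turns a log into evidence.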
Managed Privacy Services
Trained and certified FairWarning staff members who review your potential incidents and guide you toward continual HIPAA compliance readiness
Patient Privacy Intelligence
• Monitors access to PHI in EHRs, apps, cloud and big data
• Insider threats – OCR issued an advisory in August 2016
• HIPAA audit controls
Dynamic Identity Intelligence
• Identify and monitor affiliated, non-employee users
• Reporting on HIPAA's access rights management
Cloud
• Highest service levels
• Ease of use
• Secure
• Affordable
Audit Control References
• HHS Announcement: Understanding the Importance of Audit Controls
• Review the NIST guidance on Risk Analysis
• FairWarning® Executive Webinar: Director of OCR Enforcement announced there would be an upcoming emphasis on Audit Controls
• FairWarning® Executive Webinar: Implications of OCR Audit Controls Enforcement and the Role of Audit Trails in Litigation
Questions? Contact us
Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning
Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning
Kurt J. Long, Founder and CEO, FairWarning