Surviving a HIPAA Audit: What you need to know NOW So you can cope THEN Jonathan Krasner www.beinetworks.com www.hipaasecurenow.com

Posted on 24-Sep-2020

Page 1

Surviving a HIPAA Audit: What you need to know NOW

So you can cope THEN

Jonathan Krasner
www.beinetworks.com
www.hipaasecurenow.com

Page 2

Healthcare IT Landscape

• Government Incentives
• Regulation Enforcement
• Technology Advances

• Meaningful Use Incentives
• EHR / Technology Implementations
• 30+ Million Patient Records Breached
• Increased HIPAA Enforcement

Page 3

HOUSTON, WE HAVE A PROBLEM

HIPAA Breaches

• Over 1200 reported breaches affecting 500+ records since 2009
• Breaches occur at organizations of all sizes
• Breaches occur for lots of different reasons
• Breaches are increasing in size and scope

The complete list can be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 4

2015 HIPAA Audits

• Delayed
• 550-800 Covered Entities (CE) Contacted
  – 350 Covered Entities Selected
  – 50 Business Associates (BA) – Phase 2
• Utilize HHS / OCR Portal to Upload Information
  – Letters Will Be Sent to CEs
  – 2 Weeks to Respond / Upload Information
  – Size, Location, Services, Other Information, BA
• Desk Audits and Onsite Audits
• Unlike Previous Audits, Fines are Expected to be Handed Out

Page 5

Meaningful Use Audits

Meaningful Use Audits Are Occurring

• Audits targeted at up to 20% (1 in 5) of eligible providers
• Organizations can be audited either pre or post payment of incentive funds
• Failed audits may require an organization to repay a full year of incentive payments
• Incentive fund repayments average ~$10,000 per eligible provider
• Failed audit for 1 year could trigger an audit in another year
• Incentive payments must be repaid within 30 days of MU audit failure notice

Page 6

HIPAA Enforcement

HIPAA Regulations are enforced by HHS-OCR

Enforcement Activities

• 2015 Random Audit Program

• Breach Investigations

• Covered entities

• Business Associates

• Complaint Investigations

• Dissatisfied patients

• Disgruntled employees

Page 7

Cost of Breaches

Ponemon 2013 Cost of Data Breach Study:

Estimate $233 per record

  # of records    Cost
  1               $233
  10              $2,330
  100             $23,300
  1,000           $233,000
  10,000          $2,330,000

Page 8

Cost of Breaches

Ponemon 2013 Cost of Data Breach Study:

Estimate $233 per record

Indirect Costs

1. Turnover of existing customers - Loss of customers / patients

2. Diminished customer acquisition - customers / patients not using a practice (Reputation is damaged)

Direct Costs

1. Detection and escalation costs - forensics investigative activities, crisis management activities

2. Notification costs - IT activities to create contact database, determination of regulatory requirements, postage, etc.

3. Post data breach costs - help desk activities, inbound communications from customers, identity protection services, etc.

Page 9

Cost of Breaches

Ponemon 2013 Cost of Data Breach Study:

Estimate $233 per record (Does not include HIPAA fines)

Damage to Reputation

Indirect Costs

1. Turnover of existing customers - Loss of customers / patients

2. Diminished customer acquisition - customers / patients not using a practice

Page 10

2012 Breaches – Categories

2012 Largest Breaches / Categories of HIPAA Breaches

1. Laptops and portable media – 40% of all breaches

2. Inappropriate access to patient information - 30% of all breaches

3. Email – Sending PHI unencrypted - 10% of all breaches

4. Hacking – 10% of all breaches

5. Loss of backup tapes - 10% of all breaches

Page 11

Audit

An audit is the systematic examination of books, documents and other information of an organization to ascertain whether they present a true and fair view of the subject matter. Audits provide third party assurance to various stakeholders that the subject matter is free from material misstatement.

Page 12

How to survive an audit – Rule #1

Be compliant!

Page 13

To be compliant, you need to

• Appoint a privacy and security officer

• Perform an annual security risk assessment

– Remediate gaps

• Have written policies and procedures

• Provide annual training to ALL employees

NOTE: This list is not exhaustive, but these are the major areas to focus on

Page 14

How to survive an audit – Rule #2

Documentation!

Page 15

How to document

• Be organized

• All documentation in one place

Examples:

- Paper file

- File share

- Web portal

Page 16

What to document

• Policies and procedures
• Risk Assessment
• Work plan
• Training
  – Consider testing
• Business Associate agreements
  – BA Compliance
• Disaster recovery plans
• Media disposal log
• Security incidents

Page 17

HIPAA Compliance is an ongoing process

• It is not “set it and forget it”

• But it does not have to be time consuming

• The security officer needs to budget a little time periodically for HIPAA compliance

Page 18

HIPAA Compliance don’ts

• Don’t confuse having documentation with having good documentation

• Don’t buy a set of manuals on the Internet and think you are done

• Don’t perform a risk analysis via spreadsheet in 15 minutes

=> Auditors are looking for substance

Page 19

What to expect when you are audited

• Most audits request documentation via mail

• You have 30 days to comply

• Don’t just blindly send all your documentation

– Review it first

– Consult a professional

• Compliance consultant

• Attorney

=> Don’t take it lightly

Page 20

Audit Results

• Organizations with good documentation pass audits – HHS is not super picky. They are glad you have worked to comply

• If you have good documentation, but have suffered a breach, your penalties will be minimized

BUT...

Page 21

Audit Results

If you have a breach (and yes, it can happen to you)

AND

Your documentation is bad, they can throw the book at you!

Page 22

We’re here to help

• MCMS endorsed HIPAA compliance program

• 2,000 clients nationwide

• Have passed 50 CMS audits; no fails

• See BEI website (beinetworks.com) for details

Page 23

Thank you and have a compliant day!

www.beinetworks.com