Surviving a HIPAA Audit: What you need to know NOW
So you can cope THEN
Jonathan Krasner
www.beinetworks.com
www.hipaasecurenow.com
Meaningful Use Incentives
EHR / Technology Implementations
30+ Million Patient Records Breached
Increased HIPAA Enforcement
Healthcare IT Landscape
Government Incentives
Regulation Enforcement
Technology Advances
HIPAA Violations
• Over 1200 HIPAA violations of 500+ records since 2009
• Violations occur for organizations of all sizes
• Violations occur for lots of different reasons
• Violations are increasing in size and scope
The complete list can be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HOUSTON, WE HAVE A PROBLEM
2015 HIPAA Audits
• Delayed
• 550-800 Covered Entities (CE) Contacted
• 350 Covered Entities Selected
• 50 Business Associates (BA) – Phase 2
• Utilize HHS / OCR Portal to Upload Information
• Letters Will Be Sent to CEs
• 2 Weeks to Respond / Upload Information
• Size, Location, Services, Other Information, BA
• Desk Audits and Onsite Audits
• Unlike Previous Audits, Fines are Expected to be Handed Out
Meaningful Use Audits
Meaningful Use Audits Are Occurring
• Audits targeted at up to 20% (1 in 5) of eligible providers
• Organizations can be audited either pre or post payment of incentive funds
• Failed audits may require an organization to repay a full year of incentive payments
• Incentive fund repayments average ~$10,000 per eligible provider
• Failed audit for 1 year could trigger an audit in another year
• Incentive payments must be repaid within 30 days of MU audit failure notice
HIPAA Enforcement
HIPAA Regulations are enforced by HHS-OCR
Enforcement Activities
• 2015 Random Audit Program
• Breach Investigations
• Covered entities
• Business Associates
• Complaint Investigations
• Dissatisfied patients
• Disgruntled employees
Cost of Breaches
Ponemon 2013 Cost of Data Breach Study:
Estimate $233 per record
| # of records | Cost       |
|--------------|------------|
| 1            | $233       |
| 10           | $2,330     |
| 100          | $23,300    |
| 1000         | $233,000   |
| 10000        | $2,330,000 |
Cost of Breaches
Ponemon 2013 Cost of Data Breach Study:
Estimate $233 per record
Indirect Costs
1. Turnover of existing customers - Loss of customers / patients
2. Diminished customer acquisition - customers / patients not using a practice (Reputation is damaged)
Direct Costs
1. Detection and escalation costs - forensics investigative activities, crisis management activities
2. Notification costs - IT activities to create contact database, determination of regulatory requirements, postage, etc.
3. Post data breach costs - help desk activities, inbound communications from customers, identity protection services, etc.
Cost of Breaches
Ponemon 2013 Cost of Data Breach Study:
Estimate $233 per record (Does not include HIPAA fines)
Damage to Reputation
Indirect Costs
1. Turnover of existing customers - Loss of customers / patients
2. Diminished customer acquisition - customers / patients not using a practice
2012 Breaches – Categories
2012 Largest Breaches / Categories of HIPAA Breaches
1. Laptops and portable media – 40% of all breaches
2. Inappropriate access to patient information - 30% of all breaches
3. Email – Sending PHI unencrypted - 10% of all breaches
4. Hacking – 10% of all breaches
5. Loss of backup tapes - 10% of all breaches
Audit
An audit is the systematic examination of books, documents and other information of an
organization to ascertain whether they present a true and fair view of the subject matter. Audits
provide third party assurance to various stakeholders that the subject matter is
free from material misstatement.
How to survive an audit – Rule #1
Be compliant!
To be compliant, you need to
• Appoint a privacy and security officer
• Perform an annual security risk assessment
– Remediate gaps
• Have written policies and procedures
• Provide annual training to ALL employees
NOTE: This list is not exhaustive, but these are the major areas to focus on
How to survive an audit – Rule #2
Documentation!
How to document
• Be organized
• All documentation in one place
Examples:
- Paper file
- File share
- Web portal
What to document
• Policies and procedures
• Risk Assessment
• Work plan
• Training
– Consider testing
• Business Associate agreements
– BA Compliance
• Disaster recovery plans
• Media disposal log
• Security incidents
HIPAA Compliance is an ongoing process
• It is not “set it and forget it”
• But it does not have to be time consuming
• The security officer needs to budget a little time periodically for HIPAA compliance
HIPAA Compliance don’ts
• Don’t confuse having documentation with having good documentation
• Don’t buy a set of manuals on the Internet and think you are done
• Don’t perform a risk analysis via spreadsheet in 15 minutes
=> Auditors are looking for substance
What to expect when you are audited
• Most audits request documentation via mail
• You have 30 days to comply
• Don’t just blindly send all your documentation
– Review it first
– Consult a professional
• Compliance consultant
• Attorney
=> Don’t take it lightly
Audit Results
• Organizations with good documentation pass audits – HHS is not super picky. They are glad you have worked to comply
• If you have good documentation, but have suffered a breach, your penalties will be minimized
BUT……
Audit Results
If you have a breach (and yes, it can happen to you)
AND
Your documentation is bad, they can throw the book at you!
We’re here to help
• MCMS endorsed HIPAA compliance program
• 2,000 clients nationwide
• Have passed 50 CMS audits; no fails
• See BEI website (beinetworks.com) for details