Amphion Medical Solutions Shaping the future of health document management PRESENTS Privacy and Security: OCR Announces New Audit Protocols Kelly McLendon,

Amphion Medical Solutions Shaping the future of health document management PRESENTS Privacy and Security: OCR Announces New Audit Protocols Kelly McLendon, RHIA, CHPS Managing Director, CompliancePro Solutions © 2012 Amphion Medical Solutions

Agenda
• About Amphion
• Today's topic presented by Kelly McLendon
• Presentation
• Q&A
• Wrap up by Amphion

About Amphion
• National, privately owned company
• Over 200 integrated EHR/HIS clients
• HQ in Madison, Wisconsin
• Healthcare technology leader
• Cloud-based technology platform
• Speech Language Understanding

Core offerings
• Transcription services with CDA technology
• Coding, quality and compliance
• Core measure outsourcing
• ICD-10 education and training

Trends and Challenges
Operational
• Reduce costs
• Preserve capital
• Leverage enterprise applications
• Manage resources
• Improve departmental and personnel satisfaction
• Sharing of clinical data
• Systems interoperability
• Interfaces/integrations
• EHR adoption/incentives
• Structured content without sacrificing narrative
• MU Stage 2

Kelly McLendon, RHIA, CHPS
• Founder of CompliancePro Solutions, which has developed a state-of-the-art privacy product called PrivacyPro™.
• President of Health Information Xperts, a consultancy specializing in healthcare privacy, security and HIM automation.
• Currently serves as an analyst for AHIMA on issues ranging from HITECH privacy to meaningful use.
• Recently published a new book for AHIMA entitled The Legal Health Record: Regulations, Policies, and Guidance.
• He has been recognized with numerous awards, including the 2003 AHIMA Visionary Award and the 2008 FHIMA Distinguished Member award, as well as many literary awards.

Presentation for Amphion by Kelly McLendon, RHIA, CHPS, Managing Director

• No new Omnibus rule or updates for privacy yet
• We expect an Omnibus rule or separate rules? Should be anytime.
• We expect major changes will be laid out, but what?
• Enforcement will begin in earnest
• Nothing new expected for security except increased emphasis in Stage 2
• HIPAA continues to expand; new AOD (accounting of disclosures) rules have been proposed
• Breach Notification and other Final Rules expected soon, possibly by September
• Meaningful Use requires a Security Risk Analysis and promotes a Privacy Risk Analysis too
• State Attorneys General are now trained in HIPAA enforcement, so watch out; state laws are tightening
• Proactive monitoring of audit logs and security systems is being emphasized
• KPMG has the contract for the OCR privacy audits
• Security and Privacy letters from OCR are increasing

• The promised OCR / KPMG Audit Protocols have been released
• I have prepared a document that summarizes the Privacy, Breach and Security protocols covered in the audit
• 77 and 88 protocols respectively are listed
• Very comprehensive and detailed; they are meant to coincide with Security and Privacy Risk Analyses or Assessments
• A Security Risk Analysis requirement has been published in the federal rules; a Privacy Risk Analysis never has, but it is still crucial
• I have built both types of Assessment for my company

Under HIPAA an individual (typically a patient) has the following rights, with notable exceptions:
1. Right to confidential communications
2. Right to access, view and receive copies (electronic if requested) of their PHI (protected health information) contained within the Covered Entity's DRS (Designated Record Set)
3. Right to request an amendment to their PHI
4. Right to request restrictions on disclosure of their PHI for payment and operations purposes, not treatment
5. Right to control PHI use for marketing, sales and research
6. Right to be notified of privacy breaches that could potentially cause them financial, reputational or other harm
7. Right to be notified of the CE's privacy practices
8. Right to receive an accounting of disclosures from their DRS
9. Right to file a complaint with OCR (Office for Civil Rights)
10. Proposed: right to receive an Access Report from their electronic DRS. Not yet; soon?

• Markedly expands the concepts of "secured" and "unsecured" PHI
• Secured PHI is a very important concept
• Penalties for unauthorized disclosures are very steep and will be enforced
• Breach Notification is in effect NOW!
• Business Associates are directly covered; the new ARRA provisions need to be incorporated into Business Associate Agreements
• Patients are able to restrict disclosures for self-paid services or items
• Accounting of Disclosures and Access Report rules have been proposed
• Privacy and Security Audits are here!

• HIPAA's criminal penalties now extend to individuals
  ◦ Fines of $50,000 to $250,000
  ◦ 1 to 10 years in jail
• Improved HIPAA enforcement increases the civil monetary penalties available under the HIPAA rules
• Penalties can be imposed even if the CE or BA "Did Not Know"; there is a 30-day window to cure, but it is very technical
• In 2014 the patient gets a cut
Categories of violations and respective penalty amounts available:
• (A) Did Not Know: $100 to $50,000 per violation, up to $1,500,000 per calendar year
• (B) Reasonable Cause: $1,000 to $50,000 per violation, up to $1,500,000 per calendar year
• (C)(i) Willful Neglect, corrected: $10,000 to $50,000 per violation, up to $1,500,000 per calendar year
• (C)(ii) Willful Neglect, not corrected: $50,000 per violation, up to $1,500,000 per calendar year

• It is increasingly important to perform Privacy and Security Risk Analyses (Assessments) and to document your findings
• Privacy and Security Officers should work these two analyses in tandem, because there are multiple interdependencies and many times Security Events drive Privacy Incidents
• All hospitals and ambulatory practices need to be performing Security and Privacy Risk Assessments
• Many physicians are starting to become concerned with doing these assessments, as their attestation for MU depends upon it
• Tools now exist to perform the tremendously detailed hospital IT Risk Analysis as well as the less detailed physician office Risk Assessment. Both have the same scope, but granularity and depth change considerably depending upon the sophistication of the IT shop and the volume of systems.

• Two documents sum up HIPAA Security, which is very complex; no new technologies have to be invented, rather existing technology is applied:
  ◦ Federal Register, Vol. 74, No. 79, Monday, April 27, 2009, Rules and Regulations: Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009
  ◦ NIST Special Publication Revision 1


• No new HIPAA Security Rules have been issued; however, there is a renewed emphasis
• HIPAA Security Rule enforcement has been consolidated under OCR (Office for Civil Rights), along with HIPAA Privacy Rule enforcement
• HITECH Meaningful Use requires a Security Risk Analysis for all participating CEs
• The penetration and percentage of PHI that is ePHI are increasing dramatically, as are threats such as identity theft
• Data exchange introduces new threats as well

• Information security is defined as the preservation of confidentiality, integrity and availability of electronic patient information used for treatment, payment or healthcare operations
• HIPAA Security is the domain of the Security Officer (who must be formally designated), Compliance, Legal and IT
• However, HIM and workforce members need to have a general understanding of the areas covered by HIPAA and how your organization addresses them, at least at a high level
• HIM owns many of the Privacy functions that relate to Security as well. Many HIM professionals are Privacy Officers

• Proactive auditing and monitoring for Privacy and Security events, especially with rules-based audit log monitors, is beginning to be driven by HHS, although it is not directly required
• Be very careful not to ignore proactive monitoring, as this could lead to Willful Neglect penalties
• Automation is the only credible way to manage large volumes of data across multiple audit logs; a site could write its own, but this is typically not easy
• Being proactive is key to preventing events; detected events tend to go down after the workforce is notified that proactive monitors are in place
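The rules-based audit log monitoring described above, as an added example that is not part of the original presentation and not any vendor's product: a small Python monitor that runs three common privacy rules (a workforce member viewing a record that shares their surname, a VIP-flagged record viewed by a non-clinical role or after hours, and one user opening many distinct records in a short burst) over a constructed EHR access log. The log format, role names, business hours and thresholds are assumptions for illustration.

```python
"""Rules-based monitor for EHR access audit logs (constructed example).

Each rule is a small function over the parsed log; the monitor collects
alerts for a privacy officer to triage. The CSV layout, field names,
roles and thresholds are assumptions for this example, not any EHR's schema.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one row per record view in an EHR audit trail.
SAMPLE_LOG = """\
ts,user_id,user_surname,user_role,patient_id,patient_surname,vip,action
2012-06-04T09:12:00,u101,Nguyen,nurse,p5001,Smith,0,view
2012-06-04T09:15:00,u101,Nguyen,nurse,p5002,Nguyen,0,view
2012-06-04T23:40:00,u207,Patel,billing,p5100,Jones,1,view
2012-06-04T10:02:00,u310,Lee,physician,p5100,Jones,1,view
2012-06-04T13:00:00,u415,Brown,clerk,p6001,Adams,0,view
2012-06-04T13:01:00,u415,Brown,clerk,p6002,Baker,0,view
2012-06-04T13:02:00,u415,Brown,clerk,p6003,Clark,0,view
2012-06-04T13:03:00,u415,Brown,clerk,p6004,Davis,0,view
2012-06-04T13:04:00,u415,Brown,clerk,p6005,Evans,0,view
2012-06-04T13:05:00,u415,Brown,clerk,p6006,Fox,0,view
"""

CLINICAL_ROLES = {"physician", "nurse"}   # roles expected to open VIP charts
BUSINESS_HOURS = range(7, 19)             # 07:00 to 18:59 counts as on shift
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                        # distinct patients inside BULK_WINDOW


def parse_log(text):
    """Parse the CSV audit trail into dicts with typed timestamp and VIP flag, oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["vip"] = r["vip"] == "1"
    return sorted(rows, key=lambda r: r["ts"])


def rule_same_surname(rows):
    """Workforce member viewing a record that shares their surname (possible family snooping)."""
    return [("same_surname", r["user_id"], r["patient_id"], r["ts"])
            for r in rows if r["user_surname"].lower() == r["patient_surname"].lower()]


def rule_vip_access(rows):
    """Any view of a VIP-flagged record by a non-clinical role or outside business hours."""
    alerts = []
    for r in rows:
        if not r["vip"]:
            continue
        if r["user_role"] not in CLINICAL_ROLES or r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("vip_access", r["user_id"], r["patient_id"], r["ts"]))
    return alerts


def rule_bulk_access(rows):
    """One user opening BULK_THRESHOLD or more distinct patients inside BULK_WINDOW."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user_id"]].append(r)
    alerts = []
    for user, views in by_user.items():
        for i, start in enumerate(views):
            window = [v for v in views[i:] if v["ts"] - start["ts"] <= BULK_WINDOW]
            patients = {v["patient_id"] for v in window}
            if len(patients) >= BULK_THRESHOLD:
                alerts.append(("bulk_access", user, len(patients), start["ts"]))
                break  # one alert per user per burst is enough for triage
    return alerts


RULES = (rule_same_surname, rule_vip_access, rule_bulk_access)


def run_monitor(text):
    """Run every rule over the log and return the combined list of alerts."""
    rows = parse_log(text)
    alerts = []
    for rule in RULES:
        alerts.extend(rule(rows))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_LOG):
        print(alert)
```

Each rule is an independent function, so a privacy officer can add or tune rules without touching the parser. In production the rows would come from the EHR's audit table and the VIP flag from the registration system, and every alert carries the user, patient and time needed to open an incident rather than just a count.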

• We call it an Assessment; it means the same thing as an Analysis. The details of how you perform the risk calculations are important to recognize, as differing tools use differing algorithms to determine and report risk
• A review of all current policies, procedures, plans and other documentation that support an organization's HIPAA information security plan
• A detailed organizational assessment based on NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule
• Document key data and compliance measurements, identify gaps, assess risk, and mutually define a mitigation plan based on risk
• Risk = Threat + Vulnerability + Impact

Show the CompliancePro Solutions SRA Sample

• Inventory of organizational IT assets
  ◦ Data, hardware, software, networks, facilities, users
• Weaknesses or vulnerabilities associated with those assets
  ◦ Internal, external, BAs
• Threats that can exploit the vulnerabilities
  ◦ Acts of nature, acts of man, internal, external, intentional, unintentional
• Resulting impacts
  ◦ Monetary, data corruption, penalties, fines, bad publicity, loss of physical assets
• A new risk analysis is required when processes change, infrastructure changes, threats are newly identified, or new regulatory requirements arrive
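To make the two slides above concrete (the risk components inventoried here, and the earlier point that different tools use different algorithms to compute risk), here is an added example, not from the presentation or from CompliancePro Solutions, that scores a small constructed risk register two ways: the additive Risk = Threat + Vulnerability + Impact shown on the earlier slide, and the likelihood times impact form of NIST SP 800-30. The asset names, ratings and the 1 to 5 scales are assumptions for illustration.

```python
"""Risk register scoring for a HIPAA Security Risk Analysis (constructed example).

Shows how the same asset/vulnerability/threat/impact inventory ranks
differently under two scoring conventions: the additive form on the slide
(threat + vulnerability + impact) and the multiplicative likelihood x impact
form used in NIST SP 800-30. Register entries and scales are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str               # data, hardware, software, network, facility or user population
    vulnerability: str       # weakness associated with the asset
    threat: str              # what could exploit it
    threat_likelihood: int   # 1 (rare) .. 5 (expected)
    vuln_severity: int       # 1 (hard to exploit) .. 5 (trivial)
    impact: int              # 1 (negligible) .. 5 (severe: breach notification, fines)


# Constructed register entries for a small provider.
REGISTER = [
    RiskItem("Laptops with ePHI cache", "Full-disk encryption not enforced", "Theft or loss", 4, 5, 5),
    RiskItem("EHR database server", "Unpatched OS", "External intrusion", 2, 4, 5),
    RiskItem("Transcription file share", "Broad share permissions", "Insider snooping", 3, 3, 3),
    RiskItem("Data centre", "Single power feed", "Regional outage", 1, 2, 4),
    RiskItem("Workforce", "No annual awareness refresher", "Phishing", 5, 3, 2),
]


def score_additive(item):
    """The slide's convention: Risk = Threat + Vulnerability + Impact (range 3..15)."""
    return item.threat_likelihood + item.vuln_severity + item.impact


def score_nist(item):
    """NIST SP 800-30 style: likelihood that the threat exploits the vulnerability, times impact (1..25).

    Likelihood is taken as the weaker of the two ratings: a trivial weakness with
    no threat agent, or a pervasive threat with no weakness, is not a likely event.
    """
    likelihood = min(item.threat_likelihood, item.vuln_severity)
    return likelihood * item.impact


def rank(register, scorer):
    """Asset names ordered from highest to lowest risk under the given scorer."""
    return [item.asset for item in sorted(register, key=scorer, reverse=True)]


def needs_mitigation(register, scorer, threshold):
    """Items at or above threshold go into the mitigation plan; the rest are accepted and documented."""
    return [item for item in register if scorer(item) >= threshold]


if __name__ == "__main__":
    for name, scorer in (("additive", score_additive), ("nist", score_nist)):
        print(name, [(i.asset, scorer(i)) for i in sorted(REGISTER, key=scorer, reverse=True)])
```

On this register the top two items agree under both conventions, but the phishing and file-share items swap places, which is exactly why the algorithm behind a tool's risk score should be documented alongside the findings: an auditor comparing two years' assessments needs to know whether a changed score reflects a changed environment or a changed formula.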

• OCR has now issued CMPs (Civil Monetary Penalties) of $4.3 million and $1 million for wrongful disclosure and for failure to produce medical records on request
• UCLA fined $865,000 for unauthorized access to EHR-based records. Source: a complaint from two celebrities; the investigation turned up more violations.
  ◦ The resolution agreement led to a 3-year Corrective Action Plan being imposed
• State Attorneys General have been trained and can bring privacy-based actions in Federal Court; this will mean more enforcement. This ups the stakes for all providers, especially if you are an ongoing target of investigation
• Texas has just signed a tough new privacy law. Florida is preoccupied with pill mills and Medicaid reform, but privacy laws loom: there is no real downside, and an opportunity to raise revenue and enhance HIE and similar activities
• The Phoenix cardiology settlement of $100,000 is a warning shot for ambulatory practices

• Used by OCR to determine liability for fines and corrective actions
• But also for the depth of some measures implemented
• The concept of what is "reasonable and appropriate" is subjective
  ◦ But since the EHR certification criteria call for encryption (see the NIST FIPS publication for acceptable types) of ePHI created, maintained and exchanged, shouldn't encryption for data at rest and in transit be utilized?
• Up to $1.5M per year fine for a continuing violation if "reasonable and appropriate" is not maintained, i.e. for not encrypting
  ◦ This represents a huge risk for healthcare providers

• Formalized audit functions which can assess penalties have been created
• Language to be cognizant of (note the HIM call-out, not even in the role as Privacy Officer):
  ◦ Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director)
  ◦ Examination of physical features and operations
  ◦ Consistency of process to policy: can we say ad hoc programs are probably not recommended
  ◦ Observation of compliance with regulatory requirements

• Covers all parts of the Physical, Technical and Administrative Safeguards, along with Organizational Requirements and Policies, Procedures and Documentation
• Must perform a HIPAA Security Risk Assessment (§ (a)(1)(ii)(A)) and be diligent about all aspects of your reviews and mitigation plans for areas found deficient

Show the OCR Audit Protocols

• Let's take a look at the OCR Security Audit protocols embedded within an SRA
• Copies of these protocols embedded in an SRA have been provided, but this is only a snippet from a full SRA

Show the OCR Audit Protocols Embedded Within an SRA

• Keep up with additional regulations and clarifications, and continue to learn about HIPAA; watch for the Omnibus Privacy Rule
• For Privacy, be an advocate within your organization; start the dialogues now, as these new regulations will be far reaching, especially AOD, breaches, notifications and postings
• Understand and foster HIPAA Security compliance; analysis is also tied to Privacy compliance, so be involved with the Security Risk Analysis because your role in Privacy demands it
• Consider getting credentialed with the CHPS (Certified in Healthcare Privacy and Security)... I am!

Amphion Commitment to Privacy and Security
Employees
• Trained in security awareness upon hire
• Required to sign a confidentiality agreement
• Security awareness refreshers are done periodically throughout the length of employment
Audit and accountability
• All systems set by default to block all incoming Internet traffic from unknown sources
• VPN, firewall and application audit logs regularly monitored for suspicious behavior
• Firewalls configured for notification upon intrusion attempts

Amphion Commitment to Privacy and Security (continued)
Risk Assessment
• Continuous risk analysis to identify when updates are needed
• Formal risk assessments performed by an outside vendor
• Findings reviewed and an action plan prepared to implement any changes
System and information integrity
• Each transcriptionist set up with a unique user account
• The installed version of the application is authenticated during each logon request using a private and public key combination
• Reverse engineering prevention
• All ePHI data in use by the end user on the local workstation is encrypted
• All encrypted files are deleted from the local workstation

Q & A

Amphion Value Proposition
• Your trusted partner in the evolving health documentation environment
• Free up valuable IT resources
• Innovative "right-sized" demand-based pricing model
• Utilize our transcriptionists, yours or both
• Integrate with your ADT and EHR solutions
• CDA structured narrative, content codification, clinical concept indexing and EHR data interoperability

Copies and Contact information: request copies of this presentation and more information from Kelly McLendon, RHIA, CHPS

Enjoyed today's presenter? Also by Kelly McLendon, RHIA, CHPS: The Legal Health Record: Regulations, Policies, and Guidance. Also check out Kelly's Privacy Information Management Software at

Thank you for the opportunity to speak with you today. For more information on Amphion's solutions, contact Melinda Watman at x1456 or