Karen D. Smith, Esq. Partner Bricker & Eckler LLP 100 S. Third Street Columbus, OH 43215 (614) 227-2313.

Presentation transcript:


Agenda
- HITECH background
- Phase 1 review
- Phase 2 preview
- Recommendations

Background
- Increased enforcement under HITECH
- Increased penalties
- State AG enforcement
- Public records of breach notifications
- BAs directly subject to penalties
- HHS audits

Background
- HITECH Act requires HHS to conduct HIPAA audits (42 USC §17490)
- “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”

Audit program goals
- OCR sought a comprehensive and flexible process for analyzing entity efforts to provide regulatory protections and individual rights
- Identify (1) best practices and (2) uncover risks not identified through other enforcement tools
- Encourage consistent attention to compliance activities

Phase 1
- 115 performance audits conducted through December 2012
  - Initial 20 audits to test the original audit protocol
  - Final 95 audits using the modified audit protocol

Phase 1 cause analysis
- For every finding cited in the audit reports, the audit identified a “cause”
- Most common cause across all entities: entity unaware of the requirement
  - 30% of all findings (289 of 980)
  - 39% of Privacy findings (115 of 293)
  - 27% of Security findings (163 of 593)
  - 12% of Breach Notification findings (11)
- Most of these related to elements of the Rules that stated what a covered entity had to do to comply
- Other causes included, but were not limited to:
  - Lack of application of sufficient resources
  - Incomplete implementation
  - Complete disregard

Phase 1 Cause Analysis: Top Elements
- Privacy
  - notice of privacy practices
  - access of individuals
  - minimum necessary
  - authorizations
- Security
  - risk analysis
  - media movement and disposal
  - audit controls and monitoring

Phase 1
- Implement a risk-based approach
  - would allow OCR to determine the areas of the Rules that require implementation of controls which, if not implemented effectively, would pose the greatest risk to the protection of PHI
- OCR should consider a multi-tiered audit approach that can be tailored based on entity type, area, or a hybrid

Phase 2
- Any covered entity
  - Health plans of all types
  - Health care clearinghouses
  - Individual and organizational providers of all sizes
- Any business associate
  - Selection through covered entities’ identification of their business associates

Phase 2
- Have selected a pool of covered entities eligible for audit
  - Used resources developed through the Booz Allen Hamilton contract
  - Health care providers selected through the NPI database
  - Clearinghouses and health plans from external databases (e.g., AHIP)
  - Random selection used when possible within types
  - Wide range (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories)

Phase 2
- Available entity databases lack data for entity stratification
- Survey currently being processed through Paperwork Reduction Act clearance
  - Questions address size measures, location, services, and best contacts
- OCR will conduct address verification with entities this spring
- Entities will receive a link to an online screening “pre-survey” this summer; expect to contact entities
- OCR will use results of the survey to select a projected 350 covered entities to audit

Phase 2
- Primarily internally staffed
- Selected entities will receive notification and data requests in fall 2014
- Entities will be asked to identify their business associates and provide their current contact information
- Will select business associate audit subjects for the 2015 first wave from among the BAs identified by covered entities
- Desk audits of selected provisions
- Comprehensive on-site audits as resources allow

Phase 2 timeline

| Period | Activity |
|---|---|
| Spring 2014 | CE address verification |
| Summer 2014 | Pre-audit survey link sent to covered entity pool |
| Fall 2014 | Notification and data request letters to selected entities |
| Two weeks | Period for entity response |
| October through June 2015 | CE audit reviews |
| 2015 | Business associate audits |

Phase 2
- Data request will specify:
  - content and file organization
  - file names
  - any other document submission requirements
- Requested data will only be assessed if it is submitted on time
- Documentation must be current as of the request date

Phase 2
- Documents must accurately reflect the program
- Auditors will NOT have the opportunity to contact the entity for clarifications or to seek out additional information
- Do not submit extraneous information: OCR says it may make it harder for the auditor to find and assess the required items
- Failing to respond to requests may lead to referral for regional compliance review

Phase 2
- Very little detail provided by HHS
  - “Comprehensive on-site audits as resources allow”
- Interviews with key personnel
- Observations of processes and operations
- 3-10 days (in round 1)
- Length of audit depends on the complexity of the CE

Phase 2
- Auditors will assess entity efforts via an updated protocol
- New criteria will reflect the Omnibus Rule changes and more specific test procedures
- Sampling methodology will be used in many provisions to assess compliance efforts
- Provisions that resulted in a high quantity of compliance failures in the pilot audits will be targeted through the desk audits
- The website will include the updated protocol for the entities’ use

Phase 2: 2014
- Covered Entities
  - Security: risk analysis and risk management
  - Breach: content and timeliness of notifications
  - Privacy: notice and access

Phase 2: 2015
- Round 1: Business Associates
  - Security: risk analysis and risk management
  - Breach: breach reporting to the CE
- Round 2: Covered Entities (projected)
  - Security: device and media controls, transmission security
  - Privacy: safeguards, training

Phase 2: 2016 (projected)
- Security: encryption and decryption
- Security: facility access control (physical)
- Other areas of high risk as identified by 2014 audits, breach reports and complaints

Phase 2
- Risk Analysis
  - Review most recent risk analysis
  - Consider conducting a new risk analysis
  - Consider obtaining a third-party review of the risk analysis
- Business Associates
  - Review and update BA list
  - Review template BAA
  - Amend BAAs for Omnibus Rule compliance by Sept. 23
  - Engage BAs in dialogue on compliance (e.g., BAs should conduct their own risk analyses)

Phase 2
- Breach Documentation
  - Review breach log
  - Review template notice and timeliness of past notices
  - Review files associated with breaches
  - Per OCR, files should include:
    - Documentation of the root cause of the breach
    - Documentation of the compliance gap resulting in the breach
    - Documentation that the root cause was addressed

Phase 2
- Notice of Privacy Practices
  - Review for Omnibus Rule compliance
  - Confirm distribution/posting requirements are being met
- Patient Access
  - Review policy and procedure
  - Review related documentation
- Security Rule
  - Review policies and procedures on transmission security, devices (focus on mobile devices), and facility access control
  - OCR recommends reviewing mobile device policy “at least annually”

Phase 2
- Policies and Procedures
  - Review policies against the current OCR protocol (and the new protocol once available)
  - Confirm that Omnibus Rule changes have been incorporated as applicable
- Supporting Documentation
  - Confirm that documentation required by policies is actually being kept on file
  - Review documentation against the current OCR protocol (and the new protocol once available)

Phase 2
- Audits
  - Conduct a self-audit
  - Obtain a third-party mock audit
- Training
  - Review and update the training program as necessary
  - Review documentation of training
  - Provide annual training and remedial training
