2012 Audits of Covered Entity Compliance with HIPAA Privacy, Security and Breach Notification Rules Initial Analysis February 2013.

Slides:



Advertisements
Similar presentations
H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
Advertisements

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
OCR Updates Susan McAndrew, J.D. Deputy Director for Health Information Privacy Office for Civil Rights HIT Policy Committee December 4, 2013.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
HIPAA What’s New? What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.
ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Are you ready for HIPPO??? Welcome to HIPAA
Karen D. Smith, Esq. Partner Bricker & Eckler LLP 100 S. Third Street Columbus, OH (614)
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Privacy and Security Tiger Team Subgroup Discussion: MU3 RFC July 29, 2013.
The Use of Health Information Technology in Physician Practices
HIPAA PRIVACY AND SECURITY AWARENESS.
California :: Delaware :: Florida :: New Jersey :: New York :: Pennsylvania :: Virginia :: Washington, D.C. :: 1 NEW OBLIGATIONS.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Privacy and Security Tiger Team Today’s Discussion: MU3 RFC Comments May 8, 2013.
Quality Integrity Stewardship Courtesy Care Accountability Medical Records ARMA Florida Gulf Coast Chapter Michael Spake Lakeland Regional Medical Center.
Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.
Update on Federal HIT Legislation Kirsten Beronio Mental Health America.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.
Privacy and Security Risks to Rural Hospitals John Hoyt, Partner December 6, 2013.
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Understanding HIPAA (Health Insurandce Portability and Accountability Act)
Eliza de Guzman HTM 520 Health Information Exchange.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Working with HIT Systems
Copyright ©2014 by Saunders, an imprint of Elsevier Inc. All rights reserved 1 Chapter 02 Compliance, Privacy, Fraud, and Abuse in Insurance Billing Insurance.
Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.
Welcome….!!! CORPORATE COMPLIANCE PROGRAM Presented by The Office of Corporate Integrity 1.
HIPAA Security Final Rule Overview
Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.
Top 10 Series Changes to HIPAA Devon Bernard AOPA Reimbursement Services Coordinator.
Configuring Electronic Health Records Privacy and Security in the US Lecture b This material (Comp11_Unit7b) was developed by Oregon Health & Science University.
The Health Insurance Portability and Accountability Act (HIPAA) requires Plumas County to train all employees in covered departments about the County’s.
PHASE II OF HIPAA AUDIT PROGRAM June 2016 Presented by John P. Murdoch II, Esq. of Wilentz, Goldman & Spitzer, P.A. Two Industrial Way West Two Industrial.
HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.
Health Insurance Portability and Accountability Act of 1996
UNDERSTANDING WHAT HIPAA IS AND IS NOT
Health Information Privacy & Security
HIPAA Administrative Simplification
Understanding HIPAA Dr. Jennifer Lu.
By: Eamon Callahan and Wilston Johnston
Disability Services Agencies Briefing On HIPAA
HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.
Lesson 1  7 Basic Components of an Effective Compliance Plan
HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.
Presentation transcript:

2012 Audits of Covered Entity Compliance with HIPAA Privacy, Security and Breach Notification Rules Initial Analysis February 2013

Program Background HITECH Act, Section Audits – This section of The American Recovery and Reinvestment Act of 2009, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards. Resulting Audit Program – Conducted 115 performance audits through December 2012 to identify findings in regard to adherence with standards. Two phases: Initial 20 audits to test original audit protocol Final 95 audits using modified audit protocol February 20132

Auditee Selection Criteria OCR identified a pool of covered entities Specific criteria includes but is not limited to: Public versus Private Entity’s size, e.g., level of revenues/assets, number of patients or employees, use of HIT Affiliation with other health care organizations Geographic location Type of entity February 20133

Breakdown of Auditees Level 1 Entities Large Provider / Health Plan Extensive use of HIT - complicated HIT enabled clinical /business work streams Revenues and or assets greater than $1 billion Level 2 Entities Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company Paper and HIT enabled work flows Revenues and or assets between $300 million and $1 billion Level 2 Entities Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company Paper and HIT enabled work flows Revenues and or assets between $300 million and $1 billion Level 3 Entities Community hospitals, outpatient surgery, regional pharmacy / All Self- Insured entities that don’t adjudicate their claims Some but not extensive use of HIT – mostly paper based workflows Revenues between $50 Million and $300 million Level 4 Entities Small Providers (10 to 50 Provider Practices, Community or rural pharmacy) Little to no use of HIT – almost exclusively paper based workflows Revenues less than $50 million February 20134

Auditees by Type & Size February 20135

Audit Protocol Overview Privacy Rule Breach Notification Rule Privacy Audit Protocol Security Rule Security Audit Protocol Notice of Privacy Practices Rights to Request Privacy Protection of PHI Access of Individuals to PHI Administrative Requirements Uses and Disclosures of PHI Amendment of PHI Accounting of Disclosures Breach Notification Rule Administrative Safeguards Physical Safeguards Technical Safeguards 11 Modules February 20136

Audit Protocol Components 1)Established Criteria - Privacy, Security, and Breach Notification Rule criteria against which compliance is to be evaluated and assessed. 2)Audit Testing Procedures – Procedures executed to assess compliance with the criteria. 3)Workpaper Reference – Reference to workpaper documenting results of testing for the corresponding criteria. 4)Applicability - Whether or not the criteria/audit procedures are applicable for the Covered Entity. February 20137

Exceptions Affect Audit Scope What did we audit? Varied by type of entity. Exceptions to certain requirements applied to several audited entities 6 of the 7 clearinghouses asserted they only act as a business associate to other covered entities; in accordance with § (b) few privacy procedures applied 8 of the 47 heath plans asserted they were fully insured group health [lans, so only one privacy procedure applied. 2 of the 61 providers and 4 of the 47 health plans asserted they do not create, receive or retain electronic Protected Health Information (ePHI), so security protocol was not executed. February 20138

Overall Findings & Observations Total 979 audit findings and observations – 293 Privacy – 592 Security – 94 Breach Notification No findings or observations for 13 entities (11%) 2 Providers, 9 Health Plans, 2 Clearinghouses Security accounted for 60% of the findings and observations—although only 28% of potential total. Providers had a greater proportion of findings and observations (65%)than would be reflected purely by their proportion of the total set (53%). Of course, they also have much more operational exposure to potential violations. Smaller, Level 4 entities struggle with all three areas February 20139

Audit Findings and Observations Audit Findings and Observations by Rule Audit Findings and Observations by Type of Covered Entity Audit Findings and Observations by Level February

Element Exposure Audit Findings and Observations Distribution February

Privacy Findings & Observations Percentage of Findings and Observations by Area of Focus February

Privacy Results by EntityType Findings and Observations by Area and Type of Entity February

Privacy Results by Entity Size Findings and Observations by Level February

Privacy Administrative Elements Administrative Requirements Findings and Observations February

Privacy -- Uses and Disclosures Uses and Disclosures of PHI Findings and Observations February

Security Results 58 of 59 providers had at least one Security finding or observation No complete and accurate risk assessment 47 of 59 providers, 20 out of 35 health plans and 2 out of 7 clearinghouses Security addressable implementation specifications: Almost every entity without a finding or observation met by fully implementing the addressable specification. February

Security Elements Percentage of Audit Findings and Observations by Area of Focus February

Overall Cause Analysis For every finding and observation cited in the audit reports, audit identified a “Cause.” Most common across all entities: entity unaware of the requirement. in 30% (289 of 980 findings and observations) 39% (115 of 293) of Privacy 27% (163 of 593) of Security 12% (11) of Breach Notification Most of these related to elements of the Rules that explicitly state what a covered entity must do to comply. Other causes noted included but not limited to: Lack of application of sufficient resources Incomplete implementation Complete disregard February

Cause Analysis – Unaware of the Requirement Top areas ready for spreading awareness Privacy Notice of Privacy Practices; Access of Individuals; Minimum Necessary; and, Authorizations. Security Risk Analysis; Media movement and disposal; and, Audit controls and monitoring. February

Next Steps Formal Program Evaluation Internal analysis of leading practices, audit results Developing Options for ongoing program design and focus Creation of technical assistance based on results Determine where entity follow up is appropriate February

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.