1. Karen D. Smith, Esq. Partner Bricker & Eckler LLP 100 S. Third Street Columbus, OH 43215 ksmith@bricker.com (614) 227-2313

2.  HITECH Background  Phase 1 review  Phase 2 preview  Recommendations 2

3.  Increased enforcement under HITECH  Increased penalties  State AG enforcement  Public records of breach notifications  BAs directly subject to penalties  HHS audits Background 3

4.  HITECH Act requires HHS to conduct HIPAA audits (42 USC §17490)  “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.” Background 4

5.  OCR sought a comprehensive and flexible process for analyzing entity efforts to provide regulatory protections and individual rights  Identify  (1) best practices and  (2) uncover risks  not identified through other enforcement tools  Encourage consistent attention to compliance activities 5

6.  115 performance audits conducted through December 2012  Initial 20 audits to test original audit protocol  Final 95 audits using modified audit protocol Phase 1 6

7.  For every finding cited in the audit reports, audit identified a “cause”  Most common across all entities: entity unaware of requirement.  30% (289 of 980 findings) 39% (115 of 293) of Privacy 27% (163 of 593) of Security 12% (11) of Breach Notification  Most of these related to elements of the Rules that stated what a covered entity had to do to comply  Other causes, included but not limited to:  Lack of application of sufficient resources  Incomplete implementation  Complete disregard 7

8.  Privacy  notice of privacy practices  access of individuals  minimum necessary  authorizations  Security  risk analysis  media movement and disposal  audit controls and monitoring Phase 1 Cause Analysis: Top Elements 8

9.  Implement a risk-based approach  would allow OCR to determine areas of the Rules that require implementation of controls, which, if not implemented effectively, would pose the greatest risk to the protection of PHI  OCR should consider a multi-tiered audit approach that can be tailored based on entity type, area or a hybrid Phase 1 9

10.  Any covered entity  Health plans of all types  Health care clearinghouses  Individual and organizational providers of all sizes  Any business associate  Selection through covered entities’ identification of their business associates Phase 2 10

11.  Have selected a pool of covered entities eligible for audit  Used resources developed through Booz Allen Hamilton contract  Health care providers selected through NPI database  Clearinghouses & Health Plans from external databases (e.g., AHIP)  Random selection used when possible within types  Wide range (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories) Phase 2 11

12.  Available entity databases lack data for entity stratification  Survey currently being processed through Paperwork Reduction Act clearance  Questions address  size measures  location  services  best contacts  OCR will conduct address verification with entities this spring  Entities will receive link to online screening “pre-survey” this summer; Expect to contact 550-800 entities  OCR will use results of survey to select a projected 350 covered entities to audit Phase 2 12

13.  Primarily internally staffed  Selected entities will receive notification and data requests in fall 2014  Entities will be asked to identify their business associates and provide their current contact information  Will select business associate audit subjects for 2015 first wave from among the BAs identified by covered entities  Desk audits of selected provisions  Comprehensive on-site audits as resources allow Phase 2 13

14. PeriodActivity Spring 2014CE address verification Summer 2014Pre-audit surveys link sent to covered entity pool Fall 2014Notification and data request letters to selected entities Two weeksPeriod for entity response October 2014 - June 2015 CE audit reviews 2015Business associate audits Phase 2 14

15.  Data request will specify:  content and file organization  file names  any other document submission requirements  Requested data will only be assessed if it is submitted on time  Documentation must be current as of request date Phase 2 15

16.  Documents must accurately reflect the program  Auditors will NOT have the opportunity to contact the entity for clarifications, or to seek out additional information  Do not submit extraneous information: OCR says it may increase difficulty for auditor to find and assess required items  Failing to respond to requests may lead to referral for regional compliance review Phase 2 16

17.  Very little detail provided by HHS  “Comprehensive on-site audits as resources allow”  Interviews with key personnel  Observations of processes and operations  3-10 days (in round 1)  Length of audit depends on complexity of CE Phase 2 17

18.  Auditors will assess entity efforts via an updated protocol  New criteria will reflect the omnibus rule changes, more specific test procedures  Sampling methodology will be used in many provisions to assess compliance efforts  Provisions that resulted in a high quantity of compliance failures in the pilot audits will be targeted through the desk audits  The website will include the updated protocol for the entities’ use Phase 2 18

19. 2014  Covered Entities  Security: Risk analysis and risk management  Breach: Content and timeliness of notifications  Privacy: Notice and access Phase 2 19

20. 2015  Round 1: Business Associates  Security: Risk analysis and risk management  Breach: Breach reporting to CE  Round 2: Covered Entities (Projected)  Security: Device and media controls, transmission security  Privacy: Safeguards, training Phase 2 20

21. 2016  Projected  Security: Encryption and decryption Facility access control (physical) Other areas of high risk as identified by 2014 audits, breach reports and complaints Phase 2 21

22.  Risk Analysis  Review most recent Risk Analysis  Consider conducting new Risk Analysis  Consider obtaining third-party review of Risk Analysis  Business Associates  Review and update BA list  Review template BAA  Amend BAAs for Omnibus Rule compliance by Sept. 23  Engage BAs in dialogue on compliance (e.g., BAs should conduct own risk analyses) Phase 2 22

23.  Breach Documentation  Review breach log  Review template notice and timeliness of past notices  Review files associated with breaches  Per OCR, files should include: Documentation of root cause of breach Documentation of compliance gap resulting in breach Documentation that root cause was addressed Phase 2 23

24.  Notice of Privacy Practices  Review for Omnibus Rule compliance  Confirm distribution/posting requirements are being met  Patient Access  Review policy and procedure  Review related documentation  Security Rule  Review policies and procedures on transmission security, devices (focus on mobile devices), and facility access control  OCR recommends reviewing mobile device policy “at least annually” Phase 2 24

25.  Policies and Procedures  Review policies against current OCR protocol (and new protocol once available)  Confirm that Omnibus Rule changes have been incorporated as applicable  Supporting Documentation  Confirm that documentation required by policies is actually being kept on file  Review documentation against current OCR protocol (and new protocol once available) Phase 2 25

26.  Audits  Conduct self audit  Obtain third party mock audit  Training  Review and update training program as necessary  Review documentation of training  Provide annual training and remedial training Phase 2 26

27. 27