Office of Civil Rights Audits and Updates
Agenda
Evolution of audits
Phase I
Phase II
Preparing for an audit
Resources
Mandate – HITECH Act, Section 13411 - Audits
The American Recovery and Reinvestment Act requires Health & Human Services (HHS) to conduct periodic audits to ensure that covered entities and business associates comply with the HIPAA Privacy and Security Rules and the Breach Notification Standards.
Opportunities:
Examine mechanisms for compliance
Identify best practices
Discover risks and vulnerabilities that may not have come to light through complaints and compliance reviews
Encourage renewed attention to compliance activities
Evolution of Audits
The Health Information Technology for Economic and Clinical Health Act (HITECH) requires Health & Human Services to perform audits of compliance with the HIPAA Privacy, Security and Breach Notification Rules.
Who is affected: covered entities and business associates
Office of Civil Rights (OCR): enforces the Rules; established the pilot audit program in 2011; audit protocol created
Phase I: Three-step process
Develop audit protocols
Limited number of audits
Full range of audits across a wide range of healthcare providers, health plans & clearinghouses
Completed by December 2012
2012 Implementation
Created a comprehensive, flexible process for analyzing entity efforts to provide regulatory protections and individual rights.
Initial Protocol Development
Test of Initial 20 Audits: Auditee Selection, Auditee Notification, Protocol Test, Review/Protocol Adjustment
Audit Execution: 95 final audits
2012 Auditees
Level 1 Entities: Large provider/health plan; extensive use of health information technology (HIT) enabled clinical/business streams; revenues and/or assets > $1 billion
Level 2 Entities: Large regional hospital systems (3-10)/regional insurance companies; paper & HIT enabled work flows; revenues and/or assets $300 million - $1 billion
Level 3 Entities: Community hospitals, outpatient surgery, regional pharmacies, self-insured entities that do not adjudicate claims; mostly paper-based work flows, some use of HIT; revenues $50 – 300 million
Level 4 Entities: Small providers (10-50 provider practices), community or rural pharmacies; little to no use of HIT; revenues < $50 million
2012 Auditees by Type and Level
Health Plans: 13, 12, 11 by level (one level's count not captured on the slide); TOTAL 47
Health Care Providers: 16, 10, 24 by level (one level's count not captured on the slide); TOTAL 61
Health Care Clearinghouses: 2, 3, 1 by level (one level's count not captured on the slide); TOTAL 7
TOTAL by level: Level 1 26, Level 2 31, Level 3 22, Level 4 36; overall 115
Phase I Findings & Observations
No findings or observations for 13 entities (11%): 2 providers, 9 health plans, 2 clearinghouses
Security accounted for 60% of findings and observations
Providers had the greater proportion of findings & observations: 65%
Smaller Level 4 entities struggle with all three areas
Phase I Findings & Observations: Entity Level
Phase I Findings & Observations: Covered Entity
Phase I Findings & Observations: Rule
Phase I Findings & Observations: Area of Focus
Phase I Findings & Observations: Security
58 of 59 providers had at least one Security finding or observation
No complete & accurate risk assessment in 2/3 of entities: 47 of 49 providers, 20 of 35 health plans, 2 of 7 clearinghouses
Security addressable implementation specifications: almost every entity without a finding or observation met them by fully implementing the addressable specification
Phase I Findings & Observations: Security
Phase I Findings & Observations: Breach Notification
Phase I Overall Analysis
For every finding and observation cited in the reports, the audit identified a cause.
Most common across all entities: unaware of the requirement (39% Privacy, 27% Security, 12% Breach Notification)
Most related to elements of the Rules that explicitly state what a covered entity must do to comply
Other causes: insufficient resources; incomplete implementation; complete disregard
Phase I Cause Analysis
Privacy: Notice of Privacy Practices; access of individuals; minimum necessary; and authorizations
Security: Risk analysis; media movement & disposal; and audit controls & monitoring
Phase II: Privacy, Security & Breach Notification Rules
Commenced audits: >200 desk audits
All covered entities eligible – 167 chosen: providers, health plans, clearinghouses, business associates
Selection random, by type & size of entity
Desk & onsite audits
Phase II Process
2 email notifications: notice & instructions; webinar & BA list
10 days to respond if desk audit
Review of documents; draft findings sent to auditee
10 days to respond to draft
Final report within 30 days of auditee response
Desk Audits
3 areas of focus, 7 controls: Security Rule (2), Privacy Rule (3), Breach Notification Rule (2)
Phase II Desk Audit: Requirements Selected for Desk Audit Review
Privacy Rule: Notice of Privacy Practices & Content Requirements [§ (a)(1) & (b)(1)]; Provision of Notice – Electronic Notice [§ (c)(3)]; Right to Access [§ (a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Rule: Timeliness of Notification [§ (b)]; Content of Notification [§ (c)(1)]
Security Rule: Security Management Process -- Risk Analysis [§ (a)(1)(ii)(A)]; Security Management Process -- Risk Management [§ (a)(1)(ii)(B)]
Preparing For An Audit
Review Phase II audit protocol
Review Phase II requested documents
Review policies, procedures and safeguards
List of business associates
Focus on OCR authority & investigation areas
A little more about the Office of Civil Rights…
Enforcement
OCR is responsible for enforcement of the HIPAA Rules.
In addition to audits, the OCR may initiate an investigation based on: complaints; breaches
Complaints
Must be in writing to OCR (online portal available)
180 days to file a complaint (may be waived by the OCR)
Anyone can file a complaint: a patient; someone on behalf of a patient; a disgruntled employee
Considerations by the OCR during intake and review of complaints:
The alleged action must have taken place after the date the Rules took effect.
The complaint must be filed against a covered entity.
The complaint must allege an activity that would violate the Privacy or Security Rule.
The complaint must be filed within 180 days of when the person knew or should have known about the violation (OCR can waive this time limit).
Process:
OCR will notify the person who filed the complaint and the covered entity. Both are asked to provide information about the incident.
If the action could violate the criminal provision of HIPAA, OCR may refer the complaint to the Department of Justice.
Complaints Received by Calendar Year
Breaches of 500 or More
Prompts an investigation
Requires notice to the media (if 500 or more in the same state)
CE or BA posted on the “Wall of Shame”
Notification Process
Patient notification: written notice no later than 60 days after discovery; must be sent by first class mail or, if requested, [alternative method not captured on the slide]
Notification to others: annual reporting to HHS for breaches of fewer than 500; HHS and local media within 60 days for 500+
1600+ breaches; over 155 million individuals
OCR Announces Investigations of Breaches Fewer than 500
Beginning August 2016; investigations conducted by Regional Offices
Factors considered for investigation: size of breach; theft or improper disposal of unencrypted PHI; breaches that involve unwanted intrusions to IT systems (hacking); amount, nature and sensitivity of PHI involved; instances of numerous breach reports from a covered entity or business associate
Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, OCR has prioritized investigation of reported breaches of protected health information (PHI). The root causes of breaches may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and investigation of breaches provides OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.
OCR’s Regional Offices investigate all reported breaches involving the PHI of 500 or more individuals. Regional Offices also investigate reports of smaller breaches (involving the PHI of fewer than 500 individuals), as resources permit. Recent settlements of cases where OCR investigated smaller breach reports include Catholic Health Care Services, Triple-S, St. Elizabeth’s Medical Center, QCA Health Plan, Inc. and Hospice of North Idaho.
Beginning this month, OCR, through the continuing hard work of its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.
Among the factors Regional Offices will consider are: the size of the breach; theft of or improper disposal of unencrypted PHI; breaches that involve unwanted intrusions to IT systems (for example, by hacking); the amount, nature and sensitivity of the PHI involved; or instances where numerous breach reports from a particular covered entity or business associate raise similar issues. Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.
For more information about OCR’s compliance and enforcement work with regard to breaches, and with regard to the many other incidents that OCR investigates, please visit:
Stolen Unencrypted Laptop Results in Breach of 441
Lack of Safeguards: Hospice of North Idaho; stolen unencrypted laptop; contained PHI of 441 individuals; $50,000 settlement
HHS announces first HIPAA breach settlement involving fewer than 500 patients
Hospice of North Idaho settles HIPAA security case for $50,000
The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals.
The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June. Laptops containing ePHI are regularly used by the organization as part of its field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.
Stolen Mobile Device Results in Breach of 412
Lack of Safeguards: Catholic Health Care Services; stolen mobile device; contained PHI of 412 individuals; $650,000 settlement
Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the theft of a CHCS mobile device compromised the protected health information (PHI) of hundreds of nursing home residents. CHCS provided management and information technology services as a business associate to six skilled nursing facilities. The total number of individuals affected by the combined breaches was 412. The settlement includes a monetary payment of $650,000 and a corrective action plan.
Stolen Laptop Results in Breach of 599
Lahey Hospital and Medical Center; laptop stolen from an unlocked treatment room; contained PHI of 599 individuals; $850,000 settlement
HIPAA Settlement Reinforces Lessons for Users of Medical Devices
Lahey Hospital and Medical Center (Lahey) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts.
Lahey notified OCR that a laptop was stolen from an unlocked treatment room during the overnight hours on August 11, 2011. The laptop was on a stand that accompanied a portable CT scanner; the laptop operated the scanner and produced images for viewing through Lahey’s Radiology Information System and Picture Archiving and Communication System. The laptop hard drive contained the protected health information (PHI) of 599 individuals.
Evidence obtained through OCR’s subsequent investigation indicated widespread non-compliance with the HIPAA rules, including:
Failure to conduct a thorough risk analysis of all of its ePHI;
Failure to physically safeguard a workstation that accessed ePHI;
Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
Impermissible disclosure of 599 individuals’ PHI.
“It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment,” said OCR Director Jocelyn Samuels. “Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”
In addition to the $850,000 settlement, Lahey must address its history of noncompliance with the HIPAA Rules by providing OCR with a comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance.
Lack of Device Controls
Cancer Care Group, P.C.; laptop bag containing unencrypted backup media stolen from an employee’s car; contained PHI of approximately 55,000 individuals; $750,000 settlement
FOR IMMEDIATE RELEASE, September 2, 2015 (Contact: HHS Press Office)
$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies
Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana.
On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.
OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization.
OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.
“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”
Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA Rules.
The Resolution Agreement and Corrective Action Plan (CAP) can be found on the OCR website at:
HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis:
To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at
Civil Monetary Penalties (enforced by the Office of Civil Rights)
Did Not Know: $100 - $50,000
Reasonable Cause: $1,000 - $50,000
Willful Neglect, Corrected: $10,000 - $50,000
Willful Neglect, Not Corrected: $50,000
Up to $1.5 million per violation, per year
Criminal Penalties (enforced by the Department of Justice)
Curiosity and/or gossiping: $50k, 1 year jail
Lying to obtain information: $100k, 5 years jail
Personal gain/malicious harm: $250k, 10 years jail
Resources
Phase II Audit Pre-Screening Questionnaire: enforcement/audit/questionnaire/index.html
HIPAA Privacy, Security and Breach Notification Audit Program: professionals/compliance-enforcement/audit/index.html
July 22, 2016 Phase II Webinar: eningMeetingWebinar.pdf
Zinethia L. Clemmons, Audit Program Manager, (202)
Questions
Stephen A. Dickens, JD, FACMPE
Senior Consultant in Organizational Dynamics, Medical Practice Services