HIPAA Audit Program Phase II – Have You Been Selected?

HIPAAAuditProgram

Phase II of the HIPAA Audit Program has begun, with many covered entities and business associates receiving a “Audit Entity Contact Verification” message from the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR). The communication requires the individual recipient to verify that he or she is the primary contact for the HIPAA Audit Program.

Does the receipt of this form mean that your entity has been selected for an audit? Not necessarily.

Although receipt of the communication is not a guarantee of an audit,  it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity.  According to OCR, the process for the HIPAA Audit Program is as follows:

  1. Contact Verification: OCR will send the Audit Entity Contact Verification to a covered entity or business associate to determine the entity’s primary contact for HIPAA purposes. Covered entities and business associates who receive the form should respond and not ignore the OCR’s request for verification.  The OCR has made it clear that entities who do not respond could still be subject to an audit.
  1. Questionnaire: After the entity’s contact information is verified, the OCR will send a questionnaire to each covered entity and business associate to determine the size, type, and operations of the entity.  Covered Entities will also be required to identify each of their business associates. OCR will use this data to develop the pool of potential auditees for the HIPAA Audit Program.
  1. Selection: OCR will then randomly select entities from the pool for audit.  If selected, the entity will have to visit an OCR web site and upload its HIPAA privacy policies, security policies, and most recent risk assessment. Based on the information uploaded, it is possible that OCR will arrange for an on-site visit of the entity.

The bottom line is that your receipt of the Audit Entity Contact Verification message does not necessarily mean that your entity will be selected for a HIPAA audit.  However, your entity will likely be placed into the pool from which OCR will select entities to audit.

If nothing else, the receipt of the Audit Entity Contact Verification communication should motivate your entity to review current HIPAA privacy and security policies and ensure that they conform to the requirements of HIPAA and the HITECH Act.  In addition, your entity should perform an updated risk analysis to uncover and address gaps in your HIPAA security policies and procedures.

A basic risk analysis should include the following components:

  1. Inventory: An inventory listing all of your information assets that contain health information (e.g. computers, laptops, smartphones, etc.);
  2. Threats: Potential threats to the security of your information assets;
  3. Controls: Current controls to safeguard the assets against the threats;
  4. Vulnerabilities: Any vulnerabilities in the controls;
  5. Likelihood: The likelihood that the threats will exploit the vulnerabilities;
  6. Impact: The impact if the vulnerabilities are exploited (e.g. how much health information is at risk); and
  7. Risk: The overall risk of a threat based the likelihood and potential impact of the threat’s exploitation of a vulnerability.

It is important to develop policies and procedures to address any risks that your entity uncovers as a result of the risk analysis.

Although the HIPAA Audit Program can be a source of anxiety for covered entities and business associates, it can also be a great opportunity to update HIPAA policies and procedures and ensure that your entity is doing everything possible to safeguard health information.

For more information about the HIPAA Audit Program and HIPAA compliance issues, please contact Casey Moriarty.

Steep Price Tag for Not Entering a Business Associate Agreement

North Memorial Health Care of Minnesota (“North Memorial”) recently agreed to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by essentially failing to enter into a Business Associate Agreement. Pursuant to the settlement, North Memorial agreed to pay $1,550,000. This settlement is a reminder of the importance of executing business associate agreements before sharing protected health information.

The U.S. Department of Health and Human Services Office of Civil Rights (“OCR”) initiated an investigation of North Memorial following their receipt of a breach report. The report indicated that a password protected laptop had been stolen from a locked vehicle belonging to an employee of North Memorial’s business associate, Accretive Health, Inc. (“Accretive”). The laptop contained electronic protected health information on 9,497 individuals.

OCR’s investigation revealed that North Memorial failed to enter into a business associate agreement with Accretive. Pursuant to the HIPAA Privacy and Security Rules, covered entities are required to enter into business associate agreements with all business associates to whom they provide protected health information. The investigation further revealed that North Memorial failed to complete a risk analysis for the electronic protected health information that it maintained, accessed, and transmitted across its IT infrastructure. Such an analysis, may have revealed the vulnerability posed by permitting protected health information to be stored on an unencrypted laptop.

Takeaways from this settlement:

  • Do not share protected health information with business associates without a valid business associate agreement in place. A valid business associate agreement almost certainly would have reduced North Memorial’s liability in this case.
  • Covered entities and business associates should perform HIPAA security risk analyses as required under the HIPAA Privacy and Security rules. Such analyses may uncover vulnerabilities that can be easily addressed.
  • Electronic Protected Health Information should be safeguarded with encryption technology. A high percentage of all breaches stem from lost or stolen portable devices. Encryption provides strong protection to covered entities and business associates in the case of a breach.

Ready for an OIG Security Audit?

At HIMSS15 in Chicago I had the pleasure of speaking with my colleague, Dave Schoolcraft, regarding the OIG Security Audits. These in depth security audits conducted not by the OCR or CMS, but rather the Office of Inspector General, delve into the security systems of Eligible Hospitals (and potentially Eligible Professionals) participating in the EHR Incentive Program.

Background

The OIG in its 2014 and 2015 Work Plans identified its plan to audit participants in the EHR Incentive Programs and their business associates, including cloud service providers, “to determine whether they adequately protected electronic health information created or maintained by certified EHR technology.” This audit stretches beyond a typical meaningful use audit and is not only centered on the security of ePHI stored in the CEHRT, but also looks at relationships with downstream service providers. Though EPs and EHs that participate in the EHR Incentive Program are aware of pending audits from CMS (via Figliozzi & Company), including the necessary documentation and security risk analysis requirements, these audits may come as quite a surprise – especially the level of thoroughness the OIG pursues in these audits. Though the OIG identifies the targeted entities due to their participation in the EHR Incentive Program, these audits look nothing like a CMS audit but instead are an in-depth HIPAA security audit.

The Audit

The audit itself is conducted by OIG investigators that are knowledgeable about security infrastructure as well as HIPAA requirements. The OIG commences the audit with a phone call followed by a formal letter notifying the recipient entity of the audit. As stated in its letter “the objective of [the] audit is to assess if the [hospital’s] meaningful use requirements have protected the confidentiality, integrity and availability of electronic protected health information (ePHI) in its EHR systems.” The OIG sends out a document request/questionnaire with approximately 17 categories and subcategories that it is investigating. In addition to reviewing the responses to the document requests the OIG auditors come on-site for 2-3 weeks to conduct interviews and personally review the security infrastructure.

Sample audit questions include:

  • Review of the EHR network diagram that shows EHR network architecture including external connections.
  • Provision of a description of internal or external web sites associated with the EHR system including patient portals.
  • Analysis of existing HIPAA policies and procedures, including patch management and access controls.
  • Detailed description of EHR network devices including the manufacturer and model number, software version and primary function.

As stated in the OIG Workplan, the target of the investigation is not only the covered entity itself, but also the relationships with business associates and downstream cloud service providers.

Audit Readiness Plan

It is unknown how many audits OIG will conduct and the ultimate goal of these audits. We believe that the OIG plans on creating a roll-up report to describe the findings of these audits, rather than publishing individual reports – however this has not been verified because the OIG has denied Freedom of Information Act requests.

We recommend that covered entities prepare for these audits as follows:

  • Gather information regarding existing security infrastructure in place, including relationships about sharing PHI with business associates and downstream providers.
  • Evaluate health IT vendors to determine if they are compliant with business associate agreements – this may include asking the business associate to provide you with evidence and results from a security risk assessment.
  • Identify team members that will respond to an OIG audit request.
  • Conduct a mock audit to fully assess security.

Additional Audits

 The OIG Work Plans also identify three other related types of audits.

 

  1. OIG Audits of Medicare EHR Incentive Program. Earlier this month the OIG issued a number of multi-year audits of EHR Incentive Program participants. These audits are very similar to the CMS Meaningful Use audits conducted by Figliozzi, but are in fact not conducted by CMS. Unlike the CMS audits however, the OIG audits are multi-year and may request information from both Stage 1 and Stage 2 attestations.

 

  1. OIG Audits of Medicaid EHR Incentive Programs. OIG has conducted at least three audits of states issuing Medicaid EHR Incentive Program dollars: Louisiana, Massachusetts and Florida. Of the three audited, only Florida was found to have issued the EHR Incentive Program dollars correctly. The OIG has instructed the other states to reimburse the federal government for the incorrectly distributed funds and adjust the payment calculations for the hospitals going forward.

 

  1. OIG Audits of Contingency Plans. Pursuant to the HIPAA Security Rule, covered entities must have contingency plans in place in case of a disaster or other occurrence that damages systems that contain ePHI (45 CFR 164.308). The OIG plans to compare hospitals’ contingency plans with “government and industry recommend practices.”
  2. OIG Audits of AIU Participants.  OIG has recently issued new audits investigating AIU attestations.  For further detail related to these audits go to:  http://meaningfuluseaudits.com/oig-escalates-meaningful-use-audits-of-hospitals/.

 

Preparing for these OIG audits can be accomplished during your own internal Security Risk Analysis and can be a useful tool for verifying the accuracy and thoroughness of your own process. For more information about the OIG Security Audits or other OIG audits please contact Elana Zana or Dave Schoolcraft.

 

BAAs and Beyond: Meeting the 9-22 HIPAA Deadline

Reprinted blog post from DocuSign. Interview between Jennifer Royer of DocuSign and Dave Schoolcraft.

In under two weeks, Covered Entities and Business Associates are required to complete renewed Business Associate Agreements (BAA) to comply with more stringent HIPAA regulations for BAAs that were in place prior to January 2013. We sat down with Dave Schoolcraft, who leads the healthcare law practice at Ogden Murphy Wallace, to help our healthcare and technology partners navigate HIPAA legislation and complete these BAA renewals on time. As Dave explains, digital workflow solutions transform the task at hand from a daunting ordeal to a manageable process, all while reducing time, money and fear associated with 11th hour deadline blues.

What is the significance of the September 22nd BAA deadline?

Simply put, the BAA invokes business operations where Protected Health Information (PHI) is handed over to an outside vendor. For example, say I am the managing physician in a small medical clinic and I decide to hire a consultant and help us figure out how we can efficiently manage billing and reimbursement. I provide this consultant with a spreadsheet of PHI (protected health information). This act requires a BAA, which protects the PHI and the medical clinic against any liabilities. Without the updated BAA, the medical clinic and the consultant directly violate HIPAA. Even if I have longstanding relationship, I still need to sign an updated agreement.

The process – an additional 6 or 7 different paragraphs — is admittedly an administrative burden as most BAAs span multiple pages. If the agreement only covers what HIPAA requires, the process is fairly straightforward. However, BAAs are heavily negotiated and include indemnification provisions. Therefore, manually executing all updated agreements slows down the process as each existing vendor contract must be signed and completed.

What is the most common inquiry you receive from clients regarding the updated BAA requirements?

With the deadline a blink away, I consistently hear, “Do we really have to update all our BAA contracts?”

The answer is a resounding “yes,” because our digital habits and business environment led to an updated and strengthened HIPAA (let’s call this HIPAA 2.0) back in 2009. With the release of the new HIPAA rules in January 2013, healthcare providers have had ample time to coordinate new BAAs with outside vendors whose services involve PHI.

As we inch closer towards September 22nd, it is important to remember that even if a healthcare provider has a longstanding relationship with a vendor, the new BAA, as part of HIPAA 2.0, offers enhanced language that strengthens risk management against ‘cyber-spillage.’ Specifically, the new HIPAA language requires that the Business Associate comply with the HIPAA Security Rule and provide notice of a breach of unsecured PHI. In short, this is smart business.

Risk management sounds like a great idea. Would you explain what you mean by “smart business?”

Sure, let’s use a common situation as our example. When a healthcare provider engages with an outside vendor – perhaps a SaaS company – that analyzes or works with PHI, there is risk of mishandling or ‘spillage.’ If you handed over 10,000 records of patient data to a digital marketing vendor, you need to both protect the data and yourself from the probability that the marketing vendor will send the PHI to sub-contractors for portions of the scope of work.

The new BAA is a bulwark against unforeseen security breaches: you add armor to the trust you place in vendors and their teams. While you may deem renewing all BAAs a hassle, consider this an opportunity to audit all your vendors and evaluate the risks and value from that relationship.

If you do not follow this approach, then you honestly proceed at your own peril.

What happens if healthcare providers don’t comply with the new BAA requirements and fail to update their BAA contracts on time?

That is actually the second most frequently asked question that we field. Technically a healthcare practice faces statutory penalties for any improperly used or leaked PHI. For example, if a healthcare provider contracts with a medical billing vendor without an updated BAA, they face stiff penalties should there be any improper use of PHI. And with the data breaches in the news recently, you really don’t want to take that risk.

Let’s look closer at a data breach scenario. Say a vendor lost a thumb drive containing a high volume of PHI. Per HIPAA 2.0, it is now the vendor’s responsibility to notify the healthcare provider. A vendor needs to self-confess the data breach, regardless of who is at fault, per the new BAA standards. When the government officials arrive to investigate, they will ask if an updated BAA was in place. Healthcare providers shouldn’t rely on trust with vendors. Mistakes happen. And if a bad one occurs, like the theft of an unencrypted laptop containing thousands of patient records, the healthcare provider and the vendor will be held responsible by the government for both the data breach and the failure to comply with the BAA requirements.

Updating your BAAs is a risk management strategy, and it allows you to add additional protection clauses, such as stipulations about the use of data and operations in the Cloud – an increasing trend for providers and payers. The previous HIPAA requirements for a BAA didn’t place direct liability and responsibility on the vendor for failure to sufficiently secure and protect the patient data. With the proliferation of Cloud vendors and third parties working with healthcare providers, the new BAAs provide a mechanism to not only require the safeguarding of PHI and the reporting of a breach, but the sharing of responsibility when a breach does occur. Renewal of these BAAs also give healthcare providers the opportunity to ensure that there are sufficient indemnification and insurance provisions in place so that if a breach does occur the healthcare provider can expect reimbursement and defense from the responsible party.

How Can DocuSign assist in the process of updating all BAAs?

There is an administrative burden to getting these documents signed. When we talk about redoing all existing BAAs, that’s the classic e-mail/print/sign/scan/fax headache. Multiply one process by the number of vendors. That’s an unreasonable burden, and an expensive one if you think about the time and money that one might spend overnighting documents.

For all businesses handling such an exceptional volume of paperwork, a Digital Transaction Management platform, like DocuSign’s, simplifies the process by automating the retrieval of signatures and storing all documents in a single, secure Cloud-based portal. Furthermore, it is crucial to be able to access compliance documents, like BAAs and provider agreements, within a click of a mouse, should there be an audit. The alternative is hiring lawyers to spend a month in your document basement – we have been there with clients, and that is an expensive, tedious, and stressful process for all parties involved.

Any final words or digital best practices for providers and payers?

It’s important to remember that HIPAA dates all the way back to the mid ‘90s – think about the evolution and revolution that has occurred in terms of digital platforms! There has been a great acceleration – on the clinical data side – in moving from paper to digital. The rules that led to the updated BAAs were passed in conjunction with approximately $20billion in stimulus funds directed towards health information technology. Those funds are being used to incentivize healthcare providers’ digital adoption, as part of the “Meaningful Use” regulations. A large portion of these funds have also been earmarked to enforce the new and more stringent HIPAA regulations that were put in place when the government recognized additional risks posed by digital adoption.

In essence, the government decided to add more teeth to HIPAA enforcement. They have hired additional enforcement agents, and as such, more healthcare providers have inquiries and audits – a striking evolution from the old days of HIPAA 1.0. Offenders now face more serious penalties: now, more than ever, it is crucial to comply with the renewed HIPAA regulations. What was once a slap on the wrist is now quite serious – around the $1 million mark depending on the egregiousness of the incident.

Essentially, you don’t want to be out of HIPAA compliance should there be an incident or a proactive audit – and one of the first questions HIPAA enforcement agents ask is whether you have an updated BAA with your vendors.

If you face an administrative burden or are losing sleep over getting your BAAs completed on time, consider Digital Transaction Management to simplify the process now and moving forward.

Thank you, Dave for explaining the implications of the updated HIPAA legislation and offering tips for beating the BAA deadline.

For more information about the September 22 deadline and Digital Transaction Management contact Elana Zana or Dave Schoolcraft or:

HHS Releases Security Risk Assessment Tool

Need help performing your HIPAA/Meaningful Use Security Risk Assessment?  Good news, HHS has released a tool to help!  In partnership with the Office of the National Coordinator, HHS created a tool, user guide, software, tutorial, videos and even an iOS App to help HIPAA covered entities and business associates perform the required HIPAA Risk Analysis.

The HIPAA Security Rule specifically requires (this is not an addressable specification) a Security Risk Analysis:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”  45 CFR 164.308(a)(1)

In addition, those hospitals and eligible professionals seeking to meet meaningful use in order to receive the EHR Incentive dollars or avoid the Medicare payment adjustments must fulfill a HIPAA Security Risk Assessment.

Stage 1

Stage 2

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

For those hospitals and eligible professionals looking to meet meaningful use, the Security Risk Assessment tool will generate a report that can be provided to auditors.  However, the report alone is likely insufficient because both the auditors and the  meaningful use requirements (above) require the correction of security deficiencies – so merely running a Security Risk Assessment without taking actions to remedy the problem will not suffice.  To read more about meaningful use audits and security risk assessments click here

In addition to releasing the Security Risk Assessment tool, HHS has created a helpful true/false statement with the Top 10 Myths of Security Risk Analysis.  This document highlights the misconceptions regarding the risk assessment requirements, including that all covered entities and business associates (regardless of the size) must conduct a risk assessment pursuant to HIPAA.  Importantly, though only eligible professionals & hospitals are eligible for meaningful use incentives and Medicare payment adjustments, business associates must also comply with the HIPAA Security Rule pursuant to the HITECH Act.  Therefore, business associates must also conduct security risk assessments, and per recent guidance from HHS, business associates are likely part of the next round of HIPAA audits.

For more information about HIPAA, security risk assessments, and meaningful use please contact Elana Zana.

Upcoming HIPAA Audits Will Include Business Associates

On February 24, 2014, the Department of Health and Human Services (“HHS”) published a notice of its proposed collection of information in connection with its HIPAA audit efforts.  Comments on the proposed collection request must be submitted by April 25, 2014.

The notice indicates HHS’s intent to survey up to 1,200 organizations, including both covered entities and business associates, to determine the organizations’ suitability for HIPAA audits by HHS.  The survey will seek information about an organization’s patient visits, use of electronic information, revenue, and business locations, among other things.  The notice hints that some sort of technology will be used to complete the survey, as HHS’s time estimate of 30-60 minutes to complete the survey includes the time needed to “develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information…”. The notice does not include details on the criteria HHS will use to select an organization for an audit.

One of the notable items of this notice is HHS’s announcement that this round of HIPAA surveys will include business associates as well as covered entites.  This is a clear signal that HHS is getting serious about HIPAA compliance by all organizations who handle protected health information.

For more information about HIPAA audits and HIPAA enforcement, please contact Lee Kuo.

The Business Associate Agreement Battle – Understand the Key Issues

The September 2014 deadline for amending pre-existing HIPAA business associate agreements (BAA) is fast approaching.  Are you ready?  Under the HITECH Act, covered entities and business associates have just under seven months to negotiate and implement amendments to all BAAs entered into prior to January 25, 2013.

In the face of the unprecedented challenge of revising all pre-existing BAAs, covered entities and business associates need to act quickly, but also be mindful of the important terms in BAAs that can lead to increased liability, including the following:

  • Indemnification: Although not required by the HITECH Act, covered entities often push for strong indemnification language that requires the business associate to indemnify the covered entity for a business associate’s breach of protected health information (PHI) and violations of HIPAA.  Acceptable indemnification language for each party depends on the nature of the PHI involved in the transaction and the amount of PHI that is transmitted between the parties. 
  • Limitation of Liability: In order to reduce the risks of receiving and maintaining the covered entity’s PHI, many business associates push for BAA language that limits their liability to a certain amount (i.e. fees paid by covered entity in the underlying agreement).  A covered entity’s acceptance to a business associate’s “limitation of liability” terms can pose significant risks if the business associate violates HIPAA after the BAA is signed. 
  • Breach Notification Time Period: The HITECH Act requires business associates to notify covered entities of a breach of PHI within 60 days of discovery.  However, in order to protect relationships with patients affected by a breach, proposed BAAs from covered entities generally require a business associate to provide notification within 10 days or less.  A business associate’s acceptance to a shorter notification period can put tremendous pressure on it to investigate and disclose accurate information after a breach occurs.

These are just a few terms found in BAAs that can lead to increased liability and risks for covered entities and business associates.  Although it is critical to complete BAA amendments by the September 23, 2014 deadline, business associates and covered entities need to think critically about the language in BAAs prior to signature.

If you would like more information about negotiating business associate agreements, please contact Dave Schoolcraft, Elana Zana or Casey Moriarty.