SlideShare ist ein Scribd-Unternehmen logo

Prepare for an OCR HIPAA Audit

Iatric Systems
Iatric Systems

This document outlines Mac McMillan's presentation on how to prepare for an Office for Civil Rights (OCR) HIPAA audit. It discusses the OCR's HIPAA audit program, including desk audits and onsite compliance audits. It provides an overview of 2012 HIPAA/HITECH audit findings, with the majority being related to security rule violations. The presentation agenda includes an introduction to OCR audits, criteria for audit selection, past audit results, the privacy and security rules most commonly cited for findings, and how to create an OCR audit toolkit to prepare for an audit.

Gesundheitswesen
1 von 40
Downloaden Sie, um offline zu lesen
Presented By: Mac McMillan, FHIMSS, CISM CEO, CynergisTek, Inc. How to prepare your organization for an OCR HIPAA audit
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek How  to  Prepare  for  an  OCR   HIPAA  Audit Presented  by: Mac  McMillan CEO,  CynergisTek
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek Today’s  Presenter Mac  McMillan FHIMSS,  CISM CEO,  CynergisTek,  Inc. 3 • Co-­‐founder  &  CEO  CynergisTek,  Inc. • Chair,  HIMSS  P&S  Policy  Task  Force • CHIME,  AEHIS  Advisory  Board • Healthcare  Most  Wired  Advisory  Board • HCPro Editorial  Advisory  Board • HealthInfoSecurity.com Editorial  Advisory  Board • Top  10  Influencers  in  Health  IT  2013 • Top  50  Leaders  in  Health  IT  2015 • Director  of  Security,  DoD • Excellence   in  Government  Fellow • US  Marine  Intelligence   Officer,  Retired
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 4 Agenda Introduction OCR  HIPAA  Audit  Program OCR  HIPAA  Desk  Audits OCR  HIPAA  Compliance   Performance  Audits Creating  An  OCR  Audit  Toolkit Questions
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek OCR  HIPAA  Audit   Program 5
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 6 HIPAA/HITECH  Audits HITECH  Act  – Sec.  13411 • Periodic  audits  to  ensure  covered  entities  and  business   associates  comply  with  requirements  of  HIPAA  and  HITECH • Examine  mechanisms  for  compliance • Identify  best  practices   • Discover  risks  and  vulnerabilities  that  may  not  have  come  to   light  through  complaint  investigations  and  compliance  reviews • Renew  attention  of  covered  entities  to  health  information   privacy  and  security  compliance  activities
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 7 Criteria   Used  in   Pool  of  CEs   Size  and   Use  of  HIT Affiliations   with  Other   CEs   Type  of   Entity Geographic   Location Audit  Selection  Criteria
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 8 Overview  of  2012  HIPAA/HITECH  Audits • On-­‐site  audits  of  115  covered  entities • 61  providers,  47  health  plans,  7  clearinghouses • No  findings  or  observations  for  13  entities  (11%)   • 2    providers,  9  health  plans,  2  clearinghouses • Total  979  audit  findings  and  observations – 293  Privacy   – 592  Security – 94  Breach  Notification • Percentage  of  Security  Rule  findings  and  observations  was   double  what  would  have  been  expected  based  on  protocol   • Smaller  entities  struggle  with  all  three  areas
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 9 Privacy  Rule  Findings 20% 2% 16% 18% 44% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Notice  of  Privacy   Practices Restriction  Requests   &  Alternative   Communications Individual  Right  of   Access Administrative   Standards Uses  and  Disclosures   of  PHI
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 10 Security  Rule  Findings 12% 14% 9% 18% 14% 14% 0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20% Risk  Analysis Access   Management Security  Incident   Procedures Contingency   Planning Audit  Controls   and  Monitoring Movement  and   Destruction  of   Media
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek OCR  Desk  Audit  Program
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 12 • Permanent  audit  program  includes  desk  audits  and   comprehensive,  onsite  audits • ~200  Covered  Entities  to  be  selected  for  desk  audits • Equal  number  or  less  BAs  selected  for  desk  audits • Greater  number  of  on-­‐site  (comprehensive)  audits,  but   no  specific  number  given  yet • Updating  audit  protocol • Audits  will  be  performed  by  HHS  contractors  but   program  to  be  managed  by  OCR  personnel OCR’s    Permanent  Audit  Program
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 13 The  Desk  Audit  Process Pre-­‐Audit   Survey Notification   and  data   request  to   selected   entities Desk  review   and  draft   findings  to   entity Entity   provides   management   review   Final   Report
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 14 Scope  of  OCR  Desk  Audits • Security—Risk  Analysis  and  risk  management • Breach—Content  and  timeliness   of  breach  notifications • Privacy—Notice  of  Privacy  Practices  and  Access 2015  Desk  Audits  of   Covered  Entities • Security—Risk  Analysis  and  risk  management • Breach—Breach  reporting  to  Covered  Entities 2015  Desk  Audits  of   Business  Associates • Covered  Entities • Business   Associates 2016   On-­‐site   Comprehensive  Audits
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 15 Comprehensive  Audit  Process Notice  &   Document   Request On-­‐Site   Activity Draft   Report Review  &   Respond Final   Report
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 16 Scope  of  OCR  Onsite  Audits   • Device  and  media  controls • Transmission  security • Encryption  of  data  at  rest • Facility  access  controls   Security • Administrative  and  physical  safeguards • Workforce  training  to  HIPAA  policies  &  proceduresPrivacy • High  risk  areas  identified  through: • 2015  audits • Breach  reports  submitted  to  OCR • Consumer  complaints Other Areas
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek OCR  Performance  Audit 17
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 18 • Conducted  in  accordance  with  Generally  Accepted   Government  Audit  Standards  (GAGAS) • Provides  findings,  observations,  or  conclusions  from   evaluation  of  evidence  against  established  criteria • Objective  assessment  of  variety  of  attributes – Program  effectiveness,  economy,  and  efficiency – Internal  controls – Compliance On-­‐site  Audits  are  Performance  Audits
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 19 Audit  Process
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 20 • Send  notification  letter  to  the  covered  entity – Information  request  list – Entity  survey • Make  initial  telephone  contact  with  Covered  Entity – Confirm  notification  letter  receipt – Respond  to  questions  and  concerns – Confirm  due  date  for  documentation  requests Planning  the  Audit
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 21 Documentation  Request
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 22 • Conduct  kick-­‐off  call – Confirm  Covered  Entity  type  (e.g.  provider,  health   plan),  applicable  scope,  audit  location(s) – Discuss  on-­‐site  visit  and  logistics • Perform  analysis  of  documentation  provided  by  CE – What  documents  have  been  received  and  which  are   missing – Review  documentation  for  compliance  with   appropriate  regulatory  standard  or  specification Preparation  Work
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 23 • Conduct  entrance  conference – Discuss  performance  audit  scope,  objective  and  approach – Set  expectations • Execute  and  document  applicable  audit  procedures – Complete  on-­‐site  testing – Conduct  interviews – Review  documentation – Observe  appropriate  facilities  and  workstations • Conduct  exit  conference – Preliminary  identification  of  compliance  issues On-­‐Site  Field  Work
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 24 • Document  results  of  the  audit • Finalize  draft  identified  findings • Issue  draft  performance  report  to  CE  for  comment  and   correction • Issue  final  performance  audit  report  that  includes  CE   comments  and  response       Post  Field  Work
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 25 • Administrative   Safeguards • Physical   Safeguards • Technical   Safeguards Security Sample  Audit  Protocol  -­‐ Provider • Notice  of  Privacy   Practices • Request   Restrictions • Right  to  Access • Administrative   Requirements • Amendment • Uses  &  Disclosures • Accounting  of   Disclosures Privacy • Assessment  for   breach • Notification  to   individuals • Notification  to   Secretary • Notification  to   media   Breach   Notification
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 26 • Required  element  for  Security  Rule  and  Meaningful  Use • An  assessment  of  threats  and  vulnerabilities  to  information   systems  that  handle  e-­‐PHI • This  provides  the  starting  point  for  determining  what  is   ‘appropriate’and  ‘reasonable’ • Organizations  determine  their  own  technology  and  administrative   choices  to  mitigate  their  risks • The  risk  analysis  process  should  be  ongoing  and  repeated  as   needed  when  the  organization  experiences  changes  in  technology   or  operating  environment HIPAA  Security  Risk  Assessment
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 27 Performing  a  Risk  Analysis Gather   Information • Prepare  inventory  lists  of  information  assets-­‐data,  hardware  and  software. • Determine  potential  threats  to  information  assets. • Identify  organizational  and  information  system  vulnerabilities. • Document  existing  security  controls  and  processes.   • Develop  plans  for  targeted  security  controls. Analyze   Information • Evaluate  and  measure  risks  associated  with  information  assets. • Rank  information  assets  based  on  asset  criticality  and  business   value. • Develop  and  analyze  multiple  potential  threat  scenarios. Develop   Remedial  Plans • Prioritize  potential  threats  based  on  importance  and  criticality. • Develop  remedial  plans  to  combat  potential  threat  scenarios. • Repeat  risk  analysis  to  evaluate  success  of  remediation  and  when  there  are  changes  in  technology  or   operating  environment.  
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek Creating  an  OCR  Audit   Toolkit 28
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 29 • Prepare  a  plan  to  perform  mock  audits   • Replicate  what  documentation  would  be  required  under   audit  conditions  and  the  timelines  for  production • Use  OCR’s  2012  Pilot  Audit  Protocol – http://www.hhs.gov/ocr/privacy/hipaa/enforcement /audit/protocol.html • Update  the  2012  audit  protocol  for  changes  in  the  HIPAA   Privacy,  Security  and  Breach  Notification  Rules Building  an  Audit  Tool  Kit  
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 30 Established   Performance   Criteria Key  Activity Audit  Procedures Implementation Specification Who  Responsible? Using  the  HIPAA  Pilot  Audit  Protocol   Review  policies   and  procedures   and  interview   appropriate   staff  or   contractors   responsible   for   carrying  out   activity  to  meet   standard  or   specification. Plain  language   action  to  meet   requirement. Standard  or   implementation   specification   to   be  measured. Some  Security   Rule   Implementation   Specifications   provide   flexibility   through   designating  the   requirement  to   be  Addressable. Representative Suggestions:     Every  org  is   different.   Sometimes   responsibilities   for  compliance   activities   are   shared.
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 31 Established  Performance   Criteria Key  Activity Audit  Procedures Who  Responsible? Uses/disclosures   requiring  opportunity   for  the  individual  to   agree  or  to  object. A   health  care  provider   must  inform  individual   of  the  PHI that  it  may   include  in  a  directory   and  to  whom  it  may   disclose  such   information  & provide   the  individual  with  the   opportunity  to  restrict   or  prohibit  the  uses  or disclosures. Opportunity  to   Object  to  Use or   Disclosure Inquire  of  management   as   to  whether   objections  by   individuals  to  restrict  or   prohibit  some  or  all  of  the   uses  or  disclosures   are   obtained and  maintained.   Obtain  and  review  Notice   of  Privacy  Practices  and   evaluate  the  content  in   relation  to  the  specified   criteria  for  evidence   of   opportunity  to  object.   Obtain  evidence  that  staff   have  been  trained  to   properly  carry  out  this   standard. Privacy Officer HIM  Leader Compliance   Officer Example:  Opportunity  to  Object  
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 32 Established  Performance   Criteria Key  Activity Audit  Procedures Who  Responsible? A  covered  entity  must   train  all  members  of  its   workforce  on  the   policies  and  procedures   with  respect   to PHI as   necessary   and   appropriate  for  the   members  of  the   workforce  to  carry  out   their  functions  within   the  covered  entity.   §164.530(b)(2)(i)(A)   Training  must  be   provided  to  each   member  of  the  covered   entity's  workforce. Training Inquire  of  management   as   to  whether   training  is   provided  to  the  entity's   workforce  on  HIPAA   Privacy  Standards.  Review   documentation  to   determine   if  a  training   process  is  in  place  for   HIPAA  privacy  standards.   Review  documentation  to   determine   if  a  monitoring   process  is  in  place  to  help   ensure  all  members  of  the   workforce  receive  training   on  HIPAA  privacy   standards.   Privacy Officer HR  Leader   Compliance   Officer Example:  HIPAA  Privacy  Training  
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 33 Established  Performance   Criteria Key  Activity Audit  Procedures Implementation Specification Who   Responsible? §164.308(a)(1)   Conduct  an  accurate   and  thorough   assessment   of  the   potential  risks  and   vulnerabilities   to  the   CIA  of  PHI  held by   the  covered  entity   or  business   associate. Conduct Risk   Assessment Inquire  of   management  as  to   whether  formal  or   informal  policies  or   practices  exist  to   conduct  an   accurate   assessment   of   potential  risks  and   vulnerabilities   to   the  CIA of  ePHI.   Required CIO,  CISO,   Compliance   Officer Example:  Security  Management  Process  
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 34 Established   Performance   Criteria Key  Activity Audit  Procedures Implementation Specification Who  Responsible? §164.312(a)(1):   Access  Control  -­‐ §164.312(a)(2)(i v)  Implement  a   mechanism  to   encrypt  and   decrypt   electronic   protected   health   information. Encryption  and   decryption Inquire  of   management  as   to  whether   an   encryption   mechanism  is  in   place  to  protect   ePHI.  Obtain  & review  formal  or   informal  policies   and  procedures   and  evaluate   the  content   relative  to  the   specified   criteria Addressable CIO,  CISO Example:  Access  Controls/Encryption  
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 35 Established  Performance   Criteria Key  Activity Audit  Procedures Who  Responsible? Notice  to  Individuals   §164.404  (a)  A  covered   entity  shall,  following   the  discovery  of  a   breach  of  unsecured   protected  health   information,  notify  each   individual  whose   unsecured   protected   health  information  has   been,  or  is  reasonably   believed   by  the  covered   entity  to  have  been,   accessed,   acquired,   used  or  disclosed  as  a   result  of  such  breach. Notification to   Individual  of   Breach Inquire  of  management   as   to  whether   a  process   exists  for  notifying   individuals  within  the   required  time  period.   Obtain  and  review  key   documents  that  outline   the  process  for  notifying   individuals  of  breaches. Privacy Officer HIM  Leader   Compliance   Officer Example:  Notification  of  Breach  
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek Iatric  &  CynergisTek   Managed  Services
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek Policies Develop  and  implement  policies  that  meet   the  HIPAA  Privacy,  Security  and  Breach   Notification  Rule  standards Determine  frequency  of  standard,   behavioral  and  fraud  detection  monitoring Proactive,  comprehensive  auditing  and   monitoring  that  is  manageable  and  scalable;   implement  ongoing  analysis Documentation  to  communicate  program   effectiveness,  both  internally  and  externally Components  of  a  Mature  Audit  Program Monitoring Analysis Reporting
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 38 CynergisTek  Offers  POMS Elite Select POM Privacy  Optimization  Module Proactive  auditing  and  monitoring  optimization  plan.   Focuses  on  establishing  necessary  processes  for  effective   and  efficient  privacy  monitoring. Managed  Privacy  Monitoring  Service:   Select Ongoing  monitoring  and  reporting   by  a  CynergisTek  analyst,  use  of  Iatric   Systems  SAM  solution. Managed  Privacy  Monitoring  Service:  Elite Elite  level  of  engagement,  intense  ongoing   monitoring  by  a  CynergisTek  analyst  and  use  of   CynergisTek  advisory  services.  
CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 39 Questions Mac  McMillan mac.mcmillan@cynergistek.com 512.405.8555 @mmcmillan07 Questions? ?
How to prepare your organization for an OCR HIPAA audit Contact Us | Survey Survey: Please take the survey that will appear after you leave the webinar. You could win a $100 Amazon.com Gift Card. Follow Us: http://new.iatric.com/blog-home For more information: Please contact your Iatric Systems Account Manager Send an email to info@iatric.com Thank you for attending!

Empfohlen

Red7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data ProtectionRed7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data ProtectionRobert Grupe, CSSLP CISSP PE PMP
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Compliancy Group
 
OCR HIPAA Audits…Will You Be Prepared?
OCR HIPAA Audits…Will You Be Prepared?OCR HIPAA Audits…Will You Be Prepared?
OCR HIPAA Audits…Will You Be Prepared?ID Experts
 
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...HPCC Systems
 
2016 ISACA NACACS - Audit Privacy Considerations
2016 ISACA NACACS - Audit Privacy Considerations2016 ISACA NACACS - Audit Privacy Considerations
2016 ISACA NACACS - Audit Privacy ConsiderationsNathan Anderson
 
Uk Corporate Governance: Enron to VW - It's Not About The Car 02 12 15 fv 30 ...
Uk Corporate Governance: Enron to VW - It's Not About The Car 02 12 15 fv 30 ...Uk Corporate Governance: Enron to VW - It's Not About The Car 02 12 15 fv 30 ...
Uk Corporate Governance: Enron to VW - It's Not About The Car 02 12 15 fv 30 ...John Walmsley
 
HIPAA security risk assessments
HIPAA security risk assessmentsHIPAA security risk assessments
HIPAA security risk assessmentsJose Ivan Delgado, Ph.D.
 
Increasing Challenges in Healthcare Privacy and Security
Increasing Challenges in Healthcare Privacy and SecurityIncreasing Challenges in Healthcare Privacy and Security
Increasing Challenges in Healthcare Privacy and SecurityCynergisTek, Inc.
 

Empfohlen

Red7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data ProtectionRed7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data ProtectionRobert Grupe, CSSLP CISSP PE PMP
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Compliancy Group
 
OCR HIPAA Audits…Will You Be Prepared?
OCR HIPAA Audits…Will You Be Prepared?OCR HIPAA Audits…Will You Be Prepared?
OCR HIPAA Audits…Will You Be Prepared?ID Experts
 
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...HPCC Systems
 
2016 ISACA NACACS - Audit Privacy Considerations
2016 ISACA NACACS - Audit Privacy Considerations2016 ISACA NACACS - Audit Privacy Considerations
2016 ISACA NACACS - Audit Privacy ConsiderationsNathan Anderson
 
Uk Corporate Governance: Enron to VW - It's Not About The Car 02 12 15 fv 30 ...
Uk Corporate Governance: Enron to VW - It's Not About The Car 02 12 15 fv 30 ...Uk Corporate Governance: Enron to VW - It's Not About The Car 02 12 15 fv 30 ...
Uk Corporate Governance: Enron to VW - It's Not About The Car 02 12 15 fv 30 ...John Walmsley
 
HIPAA security risk assessments
HIPAA security risk assessmentsHIPAA security risk assessments
HIPAA security risk assessmentsJose Ivan Delgado, Ph.D.
 
Increasing Challenges in Healthcare Privacy and Security
Increasing Challenges in Healthcare Privacy and SecurityIncreasing Challenges in Healthcare Privacy and Security
Increasing Challenges in Healthcare Privacy and SecurityCynergisTek, Inc.
 
Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7Kevin Jones
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTime for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTripwire
 
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...Health IT Conference – iHT2
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...Taiye Lambo
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1jhietala
 
2018-11-15 IT Assessment
2018-11-15 IT Assessment2018-11-15 IT Assessment
2018-11-15 IT AssessmentRaffa Learning Community
 
Cleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, Virginia
Cleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, VirginiaCleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, Virginia
Cleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, VirginiaClearedJobs.Net
 
Why a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceWhy a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceCompliancy Group
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
 
Medical billing services for urgent care centers by Sunknowledge
Medical billing services for urgent care centers by SunknowledgeMedical billing services for urgent care centers by Sunknowledge
Medical billing services for urgent care centers by SunknowledgeZeeshanul Kader
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overviewelvinchan
 
Information Assurance for Accountant 2007
Information Assurance for Accountant 2007Information Assurance for Accountant 2007
Information Assurance for Accountant 2007Donald E. Hester
 
Chamber Technology Committee Presentation
Chamber Technology Committee PresentationChamber Technology Committee Presentation
Chamber Technology Committee PresentationTony DeGonia (LION)
 
SunKnowledgeServicesSep_14_2016
SunKnowledgeServicesSep_14_2016SunKnowledgeServicesSep_14_2016
SunKnowledgeServicesSep_14_2016Sammya Sen
 
Medical Billing Services for Urgent Care Centers by Sun Knowledge
Medical Billing Services for Urgent Care Centers by Sun KnowledgeMedical Billing Services for Urgent Care Centers by Sun Knowledge
Medical Billing Services for Urgent Care Centers by Sun KnowledgeMichael Smith
 
Thu 4:30 PM - Actionable Dashboarding
Thu 4:30 PM - Actionable DashboardingThu 4:30 PM - Actionable Dashboarding
Thu 4:30 PM - Actionable DashboardingApttus
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionPrecisely
 
Telehealth and Medical Billing both Franchise Opportunity together at Low Cost
Telehealth and Medical Billing both Franchise Opportunity together at Low CostTelehealth and Medical Billing both Franchise Opportunity together at Low Cost
Telehealth and Medical Billing both Franchise Opportunity together at Low CostMichael Smith
 
Market Intelligence Briefing: The Civilian FY16 Federal Budget
Market Intelligence Briefing: The Civilian FY16 Federal BudgetMarket Intelligence Briefing: The Civilian FY16 Federal Budget
Market Intelligence Briefing: The Civilian FY16 Federal BudgetimmixGroup
 
What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sIatric Systems
 
Macra and Hospitalists: Get Your Questions Answered
Macra and Hospitalists: Get Your Questions AnsweredMacra and Hospitalists: Get Your Questions Answered
Macra and Hospitalists: Get Your Questions AnsweredIatric Systems
 

Weitere ähnliche Inhalte

Ähnlich wie Prepare for an OCR HIPAA Audit

Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7Kevin Jones
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTime for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTripwire
 
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...Health IT Conference – iHT2
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...Taiye Lambo
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1jhietala
 
Cleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, Virginia
Cleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, VirginiaCleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, Virginia
Cleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, VirginiaClearedJobs.Net
 
Why a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceWhy a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceCompliancy Group
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
 
Medical billing services for urgent care centers by Sunknowledge
Medical billing services for urgent care centers by SunknowledgeMedical billing services for urgent care centers by Sunknowledge
Medical billing services for urgent care centers by SunknowledgeZeeshanul Kader
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overviewelvinchan
 
Information Assurance for Accountant 2007
Information Assurance for Accountant 2007Information Assurance for Accountant 2007
Information Assurance for Accountant 2007Donald E. Hester
 
Chamber Technology Committee Presentation
Chamber Technology Committee PresentationChamber Technology Committee Presentation
Chamber Technology Committee PresentationTony DeGonia (LION)
 
SunKnowledgeServicesSep_14_2016
SunKnowledgeServicesSep_14_2016SunKnowledgeServicesSep_14_2016
SunKnowledgeServicesSep_14_2016Sammya Sen
 
Medical Billing Services for Urgent Care Centers by Sun Knowledge
Medical Billing Services for Urgent Care Centers by Sun KnowledgeMedical Billing Services for Urgent Care Centers by Sun Knowledge
Medical Billing Services for Urgent Care Centers by Sun KnowledgeMichael Smith
 
Thu 4:30 PM - Actionable Dashboarding
Thu 4:30 PM - Actionable DashboardingThu 4:30 PM - Actionable Dashboarding
Thu 4:30 PM - Actionable DashboardingApttus
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionPrecisely
 
Telehealth and Medical Billing both Franchise Opportunity together at Low Cost
Telehealth and Medical Billing both Franchise Opportunity together at Low CostTelehealth and Medical Billing both Franchise Opportunity together at Low Cost
Telehealth and Medical Billing both Franchise Opportunity together at Low CostMichael Smith
 
Market Intelligence Briefing: The Civilian FY16 Federal Budget
Market Intelligence Briefing: The Civilian FY16 Federal BudgetMarket Intelligence Briefing: The Civilian FY16 Federal Budget
Market Intelligence Briefing: The Civilian FY16 Federal BudgetimmixGroup
 

Ähnlich wie Prepare for an OCR HIPAA Audit (20)

Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTime for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
 
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1
 
2018-11-15 IT Assessment
2018-11-15 IT Assessment2018-11-15 IT Assessment
2018-11-15 IT Assessment
 
Cleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, Virginia
Cleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, VirginiaCleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, Virginia
Cleared Job Fair Job Seeker Handbook Oct 6, 2016, Tysons Corner, Virginia
 
Why a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceWhy a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA Compliance
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and Data
 
Medical billing services for urgent care centers by Sunknowledge
Medical billing services for urgent care centers by SunknowledgeMedical billing services for urgent care centers by Sunknowledge
Medical billing services for urgent care centers by Sunknowledge
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overview
 
Information Assurance for Accountant 2007
Information Assurance for Accountant 2007Information Assurance for Accountant 2007
Information Assurance for Accountant 2007
 
Chamber Technology Committee Presentation
Chamber Technology Committee PresentationChamber Technology Committee Presentation
Chamber Technology Committee Presentation
 
SunKnowledgeServicesSep_14_2016
SunKnowledgeServicesSep_14_2016SunKnowledgeServicesSep_14_2016
SunKnowledgeServicesSep_14_2016
 
Medical Billing Services for Urgent Care Centers by Sun Knowledge
Medical Billing Services for Urgent Care Centers by Sun KnowledgeMedical Billing Services for Urgent Care Centers by Sun Knowledge
Medical Billing Services for Urgent Care Centers by Sun Knowledge
 
Thu 4:30 PM - Actionable Dashboarding
Thu 4:30 PM - Actionable DashboardingThu 4:30 PM - Actionable Dashboarding
Thu 4:30 PM - Actionable Dashboarding
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 
Telehealth and Medical Billing both Franchise Opportunity together at Low Cost
Telehealth and Medical Billing both Franchise Opportunity together at Low CostTelehealth and Medical Billing both Franchise Opportunity together at Low Cost
Telehealth and Medical Billing both Franchise Opportunity together at Low Cost
 
Market Intelligence Briefing: The Civilian FY16 Federal Budget
Market Intelligence Briefing: The Civilian FY16 Federal BudgetMarket Intelligence Briefing: The Civilian FY16 Federal Budget
Market Intelligence Briefing: The Civilian FY16 Federal Budget
 

Mehr von Iatric Systems

What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sIatric Systems
 
Macra and Hospitalists: Get Your Questions Answered
Macra and Hospitalists: Get Your Questions AnsweredMacra and Hospitalists: Get Your Questions Answered
Macra and Hospitalists: Get Your Questions AnsweredIatric Systems
 
How MEDITECH Hospitals Can Meet The New eCQM Reporting Requirements using QRDA
How MEDITECH Hospitals Can Meet The New eCQM Reporting Requirements using QRDAHow MEDITECH Hospitals Can Meet The New eCQM Reporting Requirements using QRDA
How MEDITECH Hospitals Can Meet The New eCQM Reporting Requirements using QRDAIatric Systems
 
Learn How to Overcome Patient Identity Challenges
Learn How to Overcome Patient Identity ChallengesLearn How to Overcome Patient Identity Challenges
Learn How to Overcome Patient Identity ChallengesIatric Systems
 
How To Get a Handle on Your Patient Identity Challenges
How To Get a Handle on Your Patient Identity ChallengesHow To Get a Handle on Your Patient Identity Challenges
How To Get a Handle on Your Patient Identity ChallengesIatric Systems
 
Meet Your Interoperability Goals and Realize Your Vision
Meet Your Interoperability Goals and Realize Your VisionMeet Your Interoperability Goals and Realize Your Vision
Meet Your Interoperability Goals and Realize Your VisionIatric Systems
 
Top Challenges in Healthcare IT that Keep CIOs up at Night
Top Challenges in Healthcare IT that Keep CIOs up at Night Top Challenges in Healthcare IT that Keep CIOs up at Night
Top Challenges in Healthcare IT that Keep CIOs up at Night Iatric Systems
 
Portals, Mobile Devices, and Patient Engagement
Portals, Mobile Devices, and Patient EngagementPortals, Mobile Devices, and Patient Engagement
Portals, Mobile Devices, and Patient EngagementIatric Systems
 
Using FHIR for Interoperability
Using FHIR for InteroperabilityUsing FHIR for Interoperability
Using FHIR for InteroperabilityIatric Systems
 
Learn Best Practices for Joining an HIE
Learn Best Practices for Joining an HIELearn Best Practices for Joining an HIE
Learn Best Practices for Joining an HIEIatric Systems
 
How to get Prepared and Find Success with Meaningful Use Stage 2 and 3
How to get Prepared and Find Success with Meaningful Use Stage 2 and 3How to get Prepared and Find Success with Meaningful Use Stage 2 and 3
How to get Prepared and Find Success with Meaningful Use Stage 2 and 3Iatric Systems
 
Successfully Navigate an EHR System Migration Webcast
Successfully Navigate an EHR System Migration WebcastSuccessfully Navigate an EHR System Migration Webcast
Successfully Navigate an EHR System Migration WebcastIatric Systems
 
Understanding HL7 version 2.5.1 and Meaningful Use data considerations
Understanding HL7 version 2.5.1 and Meaningful Use data considerationsUnderstanding HL7 version 2.5.1 and Meaningful Use data considerations
Understanding HL7 version 2.5.1 and Meaningful Use data considerationsIatric Systems
 
Get Prepared and Find Success with Meaningful Use Stage 2 and 3
Get Prepared and Find Success with Meaningful Use Stage 2 and 3Get Prepared and Find Success with Meaningful Use Stage 2 and 3
Get Prepared and Find Success with Meaningful Use Stage 2 and 3Iatric Systems
 
Improving the Patient Experience with HIT Webcast
Improving the Patient Experience with HIT WebcastImproving the Patient Experience with HIT Webcast
Improving the Patient Experience with HIT WebcastIatric Systems
 
3 Ways to Overcome Your Interface Challenges
3 Ways to Overcome Your Interface Challenges3 Ways to Overcome Your Interface Challenges
3 Ways to Overcome Your Interface ChallengesIatric Systems
 
Stay on Track with Meaningful Use in 2015
Stay on Track with Meaningful Use in 2015Stay on Track with Meaningful Use in 2015
Stay on Track with Meaningful Use in 2015Iatric Systems
 
5 Ways to Keep Your Interface Projects Under Control
5 Ways to Keep Your Interface Projects Under Control5 Ways to Keep Your Interface Projects Under Control
5 Ways to Keep Your Interface Projects Under ControlIatric Systems
 
How to Interpret and Plan for the 2014 CMS CEHRT Rule
How to Interpret and Plan for the 2014 CMS CEHRT Rule How to Interpret and Plan for the 2014 CMS CEHRT Rule
How to Interpret and Plan for the 2014 CMS CEHRT Rule Iatric Systems
 
Preparation is the Key to Meaningful Use Success
Preparation is the Key to Meaningful Use SuccessPreparation is the Key to Meaningful Use Success
Preparation is the Key to Meaningful Use SuccessIatric Systems
 

Mehr von Iatric Systems (20)

What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​s
 
Macra and Hospitalists: Get Your Questions Answered
Macra and Hospitalists: Get Your Questions AnsweredMacra and Hospitalists: Get Your Questions Answered
Macra and Hospitalists: Get Your Questions Answered
 
How MEDITECH Hospitals Can Meet The New eCQM Reporting Requirements using QRDA
How MEDITECH Hospitals Can Meet The New eCQM Reporting Requirements using QRDAHow MEDITECH Hospitals Can Meet The New eCQM Reporting Requirements using QRDA
How MEDITECH Hospitals Can Meet The New eCQM Reporting Requirements using QRDA
 
Learn How to Overcome Patient Identity Challenges
Learn How to Overcome Patient Identity ChallengesLearn How to Overcome Patient Identity Challenges
Learn How to Overcome Patient Identity Challenges
 
How To Get a Handle on Your Patient Identity Challenges
How To Get a Handle on Your Patient Identity ChallengesHow To Get a Handle on Your Patient Identity Challenges
How To Get a Handle on Your Patient Identity Challenges
 
Meet Your Interoperability Goals and Realize Your Vision
Meet Your Interoperability Goals and Realize Your VisionMeet Your Interoperability Goals and Realize Your Vision
Meet Your Interoperability Goals and Realize Your Vision
 
Top Challenges in Healthcare IT that Keep CIOs up at Night
Top Challenges in Healthcare IT that Keep CIOs up at Night Top Challenges in Healthcare IT that Keep CIOs up at Night
Top Challenges in Healthcare IT that Keep CIOs up at Night
 
Portals, Mobile Devices, and Patient Engagement
Portals, Mobile Devices, and Patient EngagementPortals, Mobile Devices, and Patient Engagement
Portals, Mobile Devices, and Patient Engagement
 
Using FHIR for Interoperability
Using FHIR for InteroperabilityUsing FHIR for Interoperability
Using FHIR for Interoperability
 
Learn Best Practices for Joining an HIE
Learn Best Practices for Joining an HIELearn Best Practices for Joining an HIE
Learn Best Practices for Joining an HIE
 
How to get Prepared and Find Success with Meaningful Use Stage 2 and 3
How to get Prepared and Find Success with Meaningful Use Stage 2 and 3How to get Prepared and Find Success with Meaningful Use Stage 2 and 3
How to get Prepared and Find Success with Meaningful Use Stage 2 and 3
 
Successfully Navigate an EHR System Migration Webcast
Successfully Navigate an EHR System Migration WebcastSuccessfully Navigate an EHR System Migration Webcast
Successfully Navigate an EHR System Migration Webcast
 
Understanding HL7 version 2.5.1 and Meaningful Use data considerations
Understanding HL7 version 2.5.1 and Meaningful Use data considerationsUnderstanding HL7 version 2.5.1 and Meaningful Use data considerations
Understanding HL7 version 2.5.1 and Meaningful Use data considerations
 
Get Prepared and Find Success with Meaningful Use Stage 2 and 3
Get Prepared and Find Success with Meaningful Use Stage 2 and 3Get Prepared and Find Success with Meaningful Use Stage 2 and 3
Get Prepared and Find Success with Meaningful Use Stage 2 and 3
 
Improving the Patient Experience with HIT Webcast
Improving the Patient Experience with HIT WebcastImproving the Patient Experience with HIT Webcast
Improving the Patient Experience with HIT Webcast
 
3 Ways to Overcome Your Interface Challenges
3 Ways to Overcome Your Interface Challenges3 Ways to Overcome Your Interface Challenges
3 Ways to Overcome Your Interface Challenges
 
Stay on Track with Meaningful Use in 2015
Stay on Track with Meaningful Use in 2015Stay on Track with Meaningful Use in 2015
Stay on Track with Meaningful Use in 2015
 
5 Ways to Keep Your Interface Projects Under Control
5 Ways to Keep Your Interface Projects Under Control5 Ways to Keep Your Interface Projects Under Control
5 Ways to Keep Your Interface Projects Under Control
 
How to Interpret and Plan for the 2014 CMS CEHRT Rule
How to Interpret and Plan for the 2014 CMS CEHRT Rule How to Interpret and Plan for the 2014 CMS CEHRT Rule
How to Interpret and Plan for the 2014 CMS CEHRT Rule
 
Preparation is the Key to Meaningful Use Success
Preparation is the Key to Meaningful Use SuccessPreparation is the Key to Meaningful Use Success
Preparation is the Key to Meaningful Use Success
 

Kürzlich hochgeladen

Incentive spirometry powerpoint presentation
Incentive spirometry powerpoint presentationIncentive spirometry powerpoint presentation
Incentive spirometry powerpoint presentationpratiksha ghimire
 
The future of change - strategic translation
The future of change - strategic translationThe future of change - strategic translation
The future of change - strategic translationHelenBevan4
 
Low Vision Case (Nisreen mokhanawala).pptx
Low Vision Case (Nisreen mokhanawala).pptxLow Vision Case (Nisreen mokhanawala).pptx
Low Vision Case (Nisreen mokhanawala).pptxShubham
 
Subconjunctival Haemorrhage,causes,treatment..pptx
Subconjunctival Haemorrhage,causes,treatment..pptxSubconjunctival Haemorrhage,causes,treatment..pptx
Subconjunctival Haemorrhage,causes,treatment..pptxvideosfildr
 
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...Oleg Kshivets
 
Back care and back massage. powerpoint presentation
Back care and back massage. powerpoint presentationBack care and back massage. powerpoint presentation
Back care and back massage. powerpoint presentationpratiksha ghimire
 
Professional Ear Wax Cleaning Services for Your Home
Professional Ear Wax Cleaning Services for Your HomeProfessional Ear Wax Cleaning Services for Your Home
Professional Ear Wax Cleaning Services for Your HomeEarwax Doctor
 
20 Benefits of Empathetic Listening in Mental Health Support
20 Benefits of Empathetic Listening in Mental Health Support20 Benefits of Empathetic Listening in Mental Health Support
20 Benefits of Empathetic Listening in Mental Health SupportSayhey
 
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptxCASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptxdrsriram2001
 
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are HeardAdvance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are HeardVITASAuthor
 
Understanding Cholera: Epidemiology, Prevention, and Control.pdf
Understanding Cholera: Epidemiology, Prevention, and Control.pdfUnderstanding Cholera: Epidemiology, Prevention, and Control.pdf
Understanding Cholera: Epidemiology, Prevention, and Control.pdfSasikiranMarri
 
Mental Health for physiotherapy and other health students
Mental Health for physiotherapy and other health studentsMental Health for physiotherapy and other health students
Mental Health for physiotherapy and other health studentseyobkaseye
 
Medisep insurance policy , new kerala government insurance policy for govrnm...
Medisep insurance policy , new kerala government insurance policy for govrnm...Medisep insurance policy , new kerala government insurance policy for govrnm...
Medisep insurance policy , new kerala government insurance policy for govrnm...LinshaLichu1
 
Learn Tips for Managing Chemobrain or Mental Fogginess
Learn Tips for Managing Chemobrain or Mental FogginessLearn Tips for Managing Chemobrain or Mental Fogginess
Learn Tips for Managing Chemobrain or Mental Fogginessbkling
 
Information about acne, detail description of their treatment by topical and ...
Information about acne, detail description of their treatment by topical and ...Information about acne, detail description of their treatment by topical and ...
Information about acne, detail description of their treatment by topical and ...mauryashreya478
 
ANTIGEN- SECTION IMMUNOLOGY DEPARTMENT OF MICROBIOLOGY
ANTIGEN- SECTION IMMUNOLOGY DEPARTMENT OF MICROBIOLOGYANTIGEN- SECTION IMMUNOLOGY DEPARTMENT OF MICROBIOLOGY
ANTIGEN- SECTION IMMUNOLOGY DEPARTMENT OF MICROBIOLOGYDrmayuribhise
 
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdfChampions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdfeurohealthleaders
 
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书rnrncn29
 

Kürzlich hochgeladen (20)

Incentive spirometry powerpoint presentation
Incentive spirometry powerpoint presentationIncentive spirometry powerpoint presentation
Incentive spirometry powerpoint presentation
 
The future of change - strategic translation
The future of change - strategic translationThe future of change - strategic translation
The future of change - strategic translation
 
Low Vision Case (Nisreen mokhanawala).pptx
Low Vision Case (Nisreen mokhanawala).pptxLow Vision Case (Nisreen mokhanawala).pptx
Low Vision Case (Nisreen mokhanawala).pptx
 
Subconjunctival Haemorrhage,causes,treatment..pptx
Subconjunctival Haemorrhage,causes,treatment..pptxSubconjunctival Haemorrhage,causes,treatment..pptx
Subconjunctival Haemorrhage,causes,treatment..pptx
 
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
 
Back care and back massage. powerpoint presentation
Back care and back massage. powerpoint presentationBack care and back massage. powerpoint presentation
Back care and back massage. powerpoint presentation
 
Professional Ear Wax Cleaning Services for Your Home
Professional Ear Wax Cleaning Services for Your HomeProfessional Ear Wax Cleaning Services for Your Home
Professional Ear Wax Cleaning Services for Your Home
 
20 Benefits of Empathetic Listening in Mental Health Support
20 Benefits of Empathetic Listening in Mental Health Support20 Benefits of Empathetic Listening in Mental Health Support
20 Benefits of Empathetic Listening in Mental Health Support
 
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptxCASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
 
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are HeardAdvance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
 
DELIRIUM psychiatric delirium is a organic mental disorder
DELIRIUM psychiatric delirium is a organic mental disorderDELIRIUM psychiatric delirium is a organic mental disorder
DELIRIUM psychiatric delirium is a organic mental disorder
 
Understanding Cholera: Epidemiology, Prevention, and Control.pdf
Understanding Cholera: Epidemiology, Prevention, and Control.pdfUnderstanding Cholera: Epidemiology, Prevention, and Control.pdf
Understanding Cholera: Epidemiology, Prevention, and Control.pdf
 
Mental Health for physiotherapy and other health students
Mental Health for physiotherapy and other health studentsMental Health for physiotherapy and other health students
Mental Health for physiotherapy and other health students
 
Medisep insurance policy , new kerala government insurance policy for govrnm...
Medisep insurance policy , new kerala government insurance policy for govrnm...Medisep insurance policy , new kerala government insurance policy for govrnm...
Medisep insurance policy , new kerala government insurance policy for govrnm...
 
Learn Tips for Managing Chemobrain or Mental Fogginess
Learn Tips for Managing Chemobrain or Mental FogginessLearn Tips for Managing Chemobrain or Mental Fogginess
Learn Tips for Managing Chemobrain or Mental Fogginess
 
Check Your own POSTURE & treat yourself.pptx
Check Your own POSTURE & treat yourself.pptxCheck Your own POSTURE & treat yourself.pptx
Check Your own POSTURE & treat yourself.pptx
 
Information about acne, detail description of their treatment by topical and ...
Information about acne, detail description of their treatment by topical and ...Information about acne, detail description of their treatment by topical and ...
Information about acne, detail description of their treatment by topical and ...
 
ANTIGEN- SECTION IMMUNOLOGY DEPARTMENT OF MICROBIOLOGY
ANTIGEN- SECTION IMMUNOLOGY DEPARTMENT OF MICROBIOLOGYANTIGEN- SECTION IMMUNOLOGY DEPARTMENT OF MICROBIOLOGY
ANTIGEN- SECTION IMMUNOLOGY DEPARTMENT OF MICROBIOLOGY
 
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdfChampions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
 
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
 

Prepare for an OCR HIPAA Audit

  • 1. Presented By: Mac McMillan, FHIMSS, CISM CEO, CynergisTek, Inc. How to prepare your organization for an OCR HIPAA audit
  • 2. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek How  to  Prepare  for  an  OCR   HIPAA  Audit Presented  by: Mac  McMillan CEO,  CynergisTek
  • 3. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek Today’s  Presenter Mac  McMillan FHIMSS,  CISM CEO,  CynergisTek,  Inc. 3 • Co-­‐founder  &  CEO  CynergisTek,  Inc. • Chair,  HIMSS  P&S  Policy  Task  Force • CHIME,  AEHIS  Advisory  Board • Healthcare  Most  Wired  Advisory  Board • HCPro Editorial  Advisory  Board • HealthInfoSecurity.com Editorial  Advisory  Board • Top  10  Influencers  in  Health  IT  2013 • Top  50  Leaders  in  Health  IT  2015 • Director  of  Security,  DoD • Excellence   in  Government  Fellow • US  Marine  Intelligence   Officer,  Retired
  • 4. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 4 Agenda Introduction OCR  HIPAA  Audit  Program OCR  HIPAA  Desk  Audits OCR  HIPAA  Compliance   Performance  Audits Creating  An  OCR  Audit  Toolkit Questions
  • 5. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek OCR  HIPAA  Audit   Program 5
  • 6. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 6 HIPAA/HITECH  Audits HITECH  Act  – Sec.  13411 • Periodic  audits  to  ensure  covered  entities  and  business   associates  comply  with  requirements  of  HIPAA  and  HITECH • Examine  mechanisms  for  compliance • Identify  best  practices   • Discover  risks  and  vulnerabilities  that  may  not  have  come  to   light  through  complaint  investigations  and  compliance  reviews • Renew  attention  of  covered  entities  to  health  information   privacy  and  security  compliance  activities
  • 7. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 7 Criteria   Used  in   Pool  of  CEs   Size  and   Use  of  HIT Affiliations   with  Other   CEs   Type  of   Entity Geographic   Location Audit  Selection  Criteria
  • 8. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 8 Overview  of  2012  HIPAA/HITECH  Audits • On-­‐site  audits  of  115  covered  entities • 61  providers,  47  health  plans,  7  clearinghouses • No  findings  or  observations  for  13  entities  (11%)   • 2    providers,  9  health  plans,  2  clearinghouses • Total  979  audit  findings  and  observations – 293  Privacy   – 592  Security – 94  Breach  Notification • Percentage  of  Security  Rule  findings  and  observations  was   double  what  would  have  been  expected  based  on  protocol   • Smaller  entities  struggle  with  all  three  areas
  • 9. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 9 Privacy  Rule  Findings 20% 2% 16% 18% 44% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Notice  of  Privacy   Practices Restriction  Requests   &  Alternative   Communications Individual  Right  of   Access Administrative   Standards Uses  and  Disclosures   of  PHI
  • 10. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 10 Security  Rule  Findings 12% 14% 9% 18% 14% 14% 0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20% Risk  Analysis Access   Management Security  Incident   Procedures Contingency   Planning Audit  Controls   and  Monitoring Movement  and   Destruction  of   Media
  • 11. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek OCR  Desk  Audit  Program
  • 12. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 12 • Permanent  audit  program  includes  desk  audits  and   comprehensive,  onsite  audits • ~200  Covered  Entities  to  be  selected  for  desk  audits • Equal  number  or  less  BAs  selected  for  desk  audits • Greater  number  of  on-­‐site  (comprehensive)  audits,  but   no  specific  number  given  yet • Updating  audit  protocol • Audits  will  be  performed  by  HHS  contractors  but   program  to  be  managed  by  OCR  personnel OCR’s    Permanent  Audit  Program
  • 13. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 13 The  Desk  Audit  Process Pre-­‐Audit   Survey Notification   and  data   request  to   selected   entities Desk  review   and  draft   findings  to   entity Entity   provides   management   review   Final   Report
  • 14. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 14 Scope  of  OCR  Desk  Audits • Security—Risk  Analysis  and  risk  management • Breach—Content  and  timeliness   of  breach  notifications • Privacy—Notice  of  Privacy  Practices  and  Access 2015  Desk  Audits  of   Covered  Entities • Security—Risk  Analysis  and  risk  management • Breach—Breach  reporting  to  Covered  Entities 2015  Desk  Audits  of   Business  Associates • Covered  Entities • Business   Associates 2016   On-­‐site   Comprehensive  Audits
  • 15. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 15 Comprehensive  Audit  Process Notice  &   Document   Request On-­‐Site   Activity Draft   Report Review  &   Respond Final   Report
  • 16. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 16 Scope  of  OCR  Onsite  Audits   • Device  and  media  controls • Transmission  security • Encryption  of  data  at  rest • Facility  access  controls   Security • Administrative  and  physical  safeguards • Workforce  training  to  HIPAA  policies  &  proceduresPrivacy • High  risk  areas  identified  through: • 2015  audits • Breach  reports  submitted  to  OCR • Consumer  complaints Other Areas
  • 17. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek OCR  Performance  Audit 17
  • 18. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 18 • Conducted  in  accordance  with  Generally  Accepted   Government  Audit  Standards  (GAGAS) • Provides  findings,  observations,  or  conclusions  from   evaluation  of  evidence  against  established  criteria • Objective  assessment  of  variety  of  attributes – Program  effectiveness,  economy,  and  efficiency – Internal  controls – Compliance On-­‐site  Audits  are  Performance  Audits
  • 19. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 19 Audit  Process
  • 20. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 20 • Send  notification  letter  to  the  covered  entity – Information  request  list – Entity  survey • Make  initial  telephone  contact  with  Covered  Entity – Confirm  notification  letter  receipt – Respond  to  questions  and  concerns – Confirm  due  date  for  documentation  requests Planning  the  Audit
  • 21. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 21 Documentation  Request
  • 22. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 22 • Conduct  kick-­‐off  call – Confirm  Covered  Entity  type  (e.g.  provider,  health   plan),  applicable  scope,  audit  location(s) – Discuss  on-­‐site  visit  and  logistics • Perform  analysis  of  documentation  provided  by  CE – What  documents  have  been  received  and  which  are   missing – Review  documentation  for  compliance  with   appropriate  regulatory  standard  or  specification Preparation  Work
  • 23. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 23 • Conduct  entrance  conference – Discuss  performance  audit  scope,  objective  and  approach – Set  expectations • Execute  and  document  applicable  audit  procedures – Complete  on-­‐site  testing – Conduct  interviews – Review  documentation – Observe  appropriate  facilities  and  workstations • Conduct  exit  conference – Preliminary  identification  of  compliance  issues On-­‐Site  Field  Work
  • 24. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 24 • Document  results  of  the  audit • Finalize  draft  identified  findings • Issue  draft  performance  report  to  CE  for  comment  and   correction • Issue  final  performance  audit  report  that  includes  CE   comments  and  response       Post  Field  Work
  • 25. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 25 • Administrative   Safeguards • Physical   Safeguards • Technical   Safeguards Security Sample  Audit  Protocol  -­‐ Provider • Notice  of  Privacy   Practices • Request   Restrictions • Right  to  Access • Administrative   Requirements • Amendment • Uses  &  Disclosures • Accounting  of   Disclosures Privacy • Assessment  for   breach • Notification  to   individuals • Notification  to   Secretary • Notification  to   media   Breach   Notification
  • 26. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 26 • Required  element  for  Security  Rule  and  Meaningful  Use • An  assessment  of  threats  and  vulnerabilities  to  information   systems  that  handle  e-­‐PHI • This  provides  the  starting  point  for  determining  what  is   ‘appropriate’and  ‘reasonable’ • Organizations  determine  their  own  technology  and  administrative   choices  to  mitigate  their  risks • The  risk  analysis  process  should  be  ongoing  and  repeated  as   needed  when  the  organization  experiences  changes  in  technology   or  operating  environment HIPAA  Security  Risk  Assessment
  • 27. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 27 Performing  a  Risk  Analysis Gather   Information • Prepare  inventory  lists  of  information  assets-­‐data,  hardware  and  software. • Determine  potential  threats  to  information  assets. • Identify  organizational  and  information  system  vulnerabilities. • Document  existing  security  controls  and  processes.   • Develop  plans  for  targeted  security  controls. Analyze   Information • Evaluate  and  measure  risks  associated  with  information  assets. • Rank  information  assets  based  on  asset  criticality  and  business   value. • Develop  and  analyze  multiple  potential  threat  scenarios. Develop   Remedial  Plans • Prioritize  potential  threats  based  on  importance  and  criticality. • Develop  remedial  plans  to  combat  potential  threat  scenarios. • Repeat  risk  analysis  to  evaluate  success  of  remediation  and  when  there  are  changes  in  technology  or   operating  environment.  
  • 28. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek Creating  an  OCR  Audit   Toolkit 28
  • 29. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 29 • Prepare  a  plan  to  perform  mock  audits   • Replicate  what  documentation  would  be  required  under   audit  conditions  and  the  timelines  for  production • Use  OCR’s  2012  Pilot  Audit  Protocol – http://www.hhs.gov/ocr/privacy/hipaa/enforcement /audit/protocol.html • Update  the  2012  audit  protocol  for  changes  in  the  HIPAA   Privacy,  Security  and  Breach  Notification  Rules Building  an  Audit  Tool  Kit  
  • 30. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 30 Established   Performance   Criteria Key  Activity Audit  Procedures Implementation Specification Who  Responsible? Using  the  HIPAA  Pilot  Audit  Protocol   Review  policies   and  procedures   and  interview   appropriate   staff  or   contractors   responsible   for   carrying  out   activity  to  meet   standard  or   specification. Plain  language   action  to  meet   requirement. Standard  or   implementation   specification   to   be  measured. Some  Security   Rule   Implementation   Specifications   provide   flexibility   through   designating  the   requirement  to   be  Addressable. Representative Suggestions:     Every  org  is   different.   Sometimes   responsibilities   for  compliance   activities   are   shared.
  • 31. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 31 Established  Performance   Criteria Key  Activity Audit  Procedures Who  Responsible? Uses/disclosures   requiring  opportunity   for  the  individual  to   agree  or  to  object. A   health  care  provider   must  inform  individual   of  the  PHI that  it  may   include  in  a  directory   and  to  whom  it  may   disclose  such   information  & provide   the  individual  with  the   opportunity  to  restrict   or  prohibit  the  uses  or disclosures. Opportunity  to   Object  to  Use or   Disclosure Inquire  of  management   as   to  whether   objections  by   individuals  to  restrict  or   prohibit  some  or  all  of  the   uses  or  disclosures   are   obtained and  maintained.   Obtain  and  review  Notice   of  Privacy  Practices  and   evaluate  the  content  in   relation  to  the  specified   criteria  for  evidence   of   opportunity  to  object.   Obtain  evidence  that  staff   have  been  trained  to   properly  carry  out  this   standard. Privacy Officer HIM  Leader Compliance   Officer Example:  Opportunity  to  Object  
  • 32. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 32 Established  Performance   Criteria Key  Activity Audit  Procedures Who  Responsible? A  covered  entity  must   train  all  members  of  its   workforce  on  the   policies  and  procedures   with  respect   to PHI as   necessary   and   appropriate  for  the   members  of  the   workforce  to  carry  out   their  functions  within   the  covered  entity.   §164.530(b)(2)(i)(A)   Training  must  be   provided  to  each   member  of  the  covered   entity's  workforce. Training Inquire  of  management   as   to  whether   training  is   provided  to  the  entity's   workforce  on  HIPAA   Privacy  Standards.  Review   documentation  to   determine   if  a  training   process  is  in  place  for   HIPAA  privacy  standards.   Review  documentation  to   determine   if  a  monitoring   process  is  in  place  to  help   ensure  all  members  of  the   workforce  receive  training   on  HIPAA  privacy   standards.   Privacy Officer HR  Leader   Compliance   Officer Example:  HIPAA  Privacy  Training  
  • 33. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 33 Established  Performance   Criteria Key  Activity Audit  Procedures Implementation Specification Who   Responsible? §164.308(a)(1)   Conduct  an  accurate   and  thorough   assessment   of  the   potential  risks  and   vulnerabilities   to  the   CIA  of  PHI  held by   the  covered  entity   or  business   associate. Conduct Risk   Assessment Inquire  of   management  as  to   whether  formal  or   informal  policies  or   practices  exist  to   conduct  an   accurate   assessment   of   potential  risks  and   vulnerabilities   to   the  CIA of  ePHI.   Required CIO,  CISO,   Compliance   Officer Example:  Security  Management  Process  
  • 34. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 34 Established   Performance   Criteria Key  Activity Audit  Procedures Implementation Specification Who  Responsible? §164.312(a)(1):   Access  Control  -­‐ §164.312(a)(2)(i v)  Implement  a   mechanism  to   encrypt  and   decrypt   electronic   protected   health   information. Encryption  and   decryption Inquire  of   management  as   to  whether   an   encryption   mechanism  is  in   place  to  protect   ePHI.  Obtain  & review  formal  or   informal  policies   and  procedures   and  evaluate   the  content   relative  to  the   specified   criteria Addressable CIO,  CISO Example:  Access  Controls/Encryption  
  • 35. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 35 Established  Performance   Criteria Key  Activity Audit  Procedures Who  Responsible? Notice  to  Individuals   §164.404  (a)  A  covered   entity  shall,  following   the  discovery  of  a   breach  of  unsecured   protected  health   information,  notify  each   individual  whose   unsecured   protected   health  information  has   been,  or  is  reasonably   believed   by  the  covered   entity  to  have  been,   accessed,   acquired,   used  or  disclosed  as  a   result  of  such  breach. Notification to   Individual  of   Breach Inquire  of  management   as   to  whether   a  process   exists  for  notifying   individuals  within  the   required  time  period.   Obtain  and  review  key   documents  that  outline   the  process  for  notifying   individuals  of  breaches. Privacy Officer HIM  Leader   Compliance   Officer Example:  Notification  of  Breach  
  • 36. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek Iatric  &  CynergisTek   Managed  Services
  • 37. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek Policies Develop  and  implement  policies  that  meet   the  HIPAA  Privacy,  Security  and  Breach   Notification  Rule  standards Determine  frequency  of  standard,   behavioral  and  fraud  detection  monitoring Proactive,  comprehensive  auditing  and   monitoring  that  is  manageable  and  scalable;   implement  ongoing  analysis Documentation  to  communicate  program   effectiveness,  both  internally  and  externally Components  of  a  Mature  Audit  Program Monitoring Analysis Reporting
  • 38. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 38 CynergisTek  Offers  POMS Elite Select POM Privacy  Optimization  Module Proactive  auditing  and  monitoring  optimization  plan.   Focuses  on  establishing  necessary  processes  for  effective   and  efficient  privacy  monitoring. Managed  Privacy  Monitoring  Service:   Select Ongoing  monitoring  and  reporting   by  a  CynergisTek  analyst,  use  of  Iatric   Systems  SAM  solution. Managed  Privacy  Monitoring  Service:  Elite Elite  level  of  engagement,  intense  ongoing   monitoring  by  a  CynergisTek  analyst  and  use  of   CynergisTek  advisory  services.  
  • 39. CynergisTek,  Inc.         11410  Jollyville  Road,  Suite  2201,  Austin  TX  78759                512.402.8550       info@cynergistek.com                cynergistek.com       @CynergisTek 39 Questions Mac  McMillan mac.mcmillan@cynergistek.com 512.405.8555 @mmcmillan07 Questions? ?
  • 40. How to prepare your organization for an OCR HIPAA audit Contact Us | Survey Survey: Please take the survey that will appear after you leave the webinar. You could win a $100 Amazon.com Gift Card. Follow Us: http://new.iatric.com/blog-home For more information: Please contact your Iatric Systems Account Manager Send an email to info@iatric.com Thank you for attending!