Preparing for HIPAA/HITECH Audits — Lessons Learned for Healthcare Practices
In this third webinar in the Quill Healthcare series, you will review the findings of OCR's HIPAA Audit Pilot Program, highlighting lessons learned and identifying tools to help healthcare practices of all sizes and specialties prepare for a HIPAA audit.
The session will also provide an overview of the recently announced OCR permanent HIPAA audit program which will debut in early 2015.

About David Holtzman
- Vice President of Compliance Services, CynergisTek, Inc.
- Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules.
- Over 10 years of experience in developing, implementing and evaluating health information privacy and security compliance programs.
- Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights.
Sponsored by Quill.com
Co-hosted by HealthCents, Inc.
Video Transcription of Preparing for HIPAA/HITECH Audits – Lessons Learned for Healthcare Practices
Steve: Good day. I'm Steve Selbst, Quill Healthcare consultant, and I would like to introduce my colleague, Ms. Regina Vasquez. Between us, we have 30 years of healthcare consulting experience, and we specialize in payer contracts analysis and negotiations, credentialing and marketing practices services to payers and employer groups. Between us, we have negotiated over 10,000 payer contracts, and yet we still carve out time for our wives and husbands and our children.
I am pleased today to welcome you to Quill Healthcare's third monthly value-added webinar for practices. Quill Healthcare is the leading seller of medical supplies and office products and is dedicated to providing you with useful content, in these webinars, as a value-add to your practice.
Today's topic, "Preparing for HIPAA/HITECH Audits – Lessons Learned for Health Care Practices," is presented by our distinguished speaker, Mr. David Holtzman, JD, CIPP, and Vice President of Compliance Services at CynergisTek.
Now I'd like to introduce David, who is going to be our keynote speaker. First of all, Mr. Holtzman is Vice President of Compliance for CynergisTek, and they're a firm specializing in areas of information security and regulatory compliance in healthcare. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security, and Breach Notification Rules.
Mr. Holtzman has over 10 years of experience in developing, implementing, and evaluating health information privacy and security compliance programs, from both government and private sector positions.
Prior to CynergisTek, Holtzman was a senior advisor with the Department of Health and Human Services Office for Civil Rights, OCR. So it's with great pleasure that we are honored to have David as a speaker today.
Before I turn the floor over to David Holtzman, our keynote speaker, I do have a couple of quick administrative matters that I would like to cover, which will enable us to have an enriched and interactive conversation during this webinar.
First of all, if you would like to ask questions, when David pauses, he will ask for questions, and what we will do at that time is, Ms. Vasquez will open up your lines for questions. What you will do if you would like to ask a question, is simply press *6 on your phone line, ask your question, and converse with David. When you're finished, please remember to press *6 again so that the rest of the 250-plus participants don't hear your background noise, which would be very appreciated.
Now, also, if you prefer to use an online method of asking questions during these breaks, feel free, beginning now and at any time during this web session, to simply send your questions to the email ID here, info@healthcents.com, and Ms. Vasquez will be collecting your questions, and during the pauses, she will ask those questions for you.
So again, *6 to ask a question, *6 again when you're done, or send an email at any time, beginning now, to info@healthcents.com throughout this webinar, and we will be happy to cover those questions during David's pauses.
Also . . .
David: Hi, Steve.
Steve: Yes.
David: If I could please interrupt for just one second, because we saw a message come across the screen. There are users who are attempting to access the audio portion, and the question was, "Does it have to be done by phone?"
The answer is, if you'll please move your cursor to the top of your screen where you see the telephone handle in the "Join Me" menu set, you'll be given an opportunity to connect to this call, the audio portion, by phone. Of course, you have to be able to hear it in order to hear that message, but I thought I would pass that along.
Steve: Okay. Thank you, David. And actually, David is the first one, I believe, in these webinars to have actually tested that function today, so we know that that works. Also if, by any chance, you lose this web session, please simply go back in your browser to join.me/healthcents, and if for any reason you lost your browser session, this will restore it immediately, and there's no password required in order for you to do that restore.
So without further ado, I would like to turn the floor over to our distinguished speaker, Mr. David Holtzman. David, take it away, please.
David: Thank you, Steve. If you folks will just bear with me for a moment. Can everybody see my screen?
Steve: Yes, looking good.
David: Great. Well, I want to thank everyone for joining today. It's really quite a thrill to be on the virtual stage of QuillHealthcare.com and to share information regarding a topic that I know and love — the HIPAA Privacy and Security and Breach Notification Rules.
My name is David Holtzman. I want to thank Steve for the great introduction.
Today's Objectives
The purpose of today's call, we're going to talk about how healthcare providers and practices can prepare for an OCR audit. We're going to discuss OCR's audit activities and some of their findings.
We're going to identify some privacy and security program vulnerabilities and how you can use risk analysis and risk assessment to mitigate healthcare threats and vulnerabilities. Then we're going to talk about some healthcare information technology best practices.
Agenda
Our agenda today is to also include a discussion of the Meaningful Use program and how CMS is using audit to verify whether an organization has attested appropriately and can demonstrate that it is actually in Meaningful Use of their electronic health record technologies.
As Steve mentioned, I am going to pause every now and then and provide an opportunity for folks to ask questions. Please understand that in this setting, it can be a challenge to look up reference materials. So if you have a question that involves a specific reference to a requirement or specification in the rule, more than happy to take those questions by email, so that we can give you the response that includes all the information that you would need.
HIPAA/HITECH Audits
So to begin, a couple of years back, in 2009, Congress passed the HITECH Act. The HITECH Act was the first time that Congress actually took an opportunity to return to and review the HIPAA Privacy and Security Rules. The HIPAA Privacy and Security Rules were a creature of federal regulatory . . .
Regina: I was actually answering someone's question online, so I have not seen the message yet.
David: . . . was a creature of federal regulatory activity. In the HITECH Act, there were a number of changes to the HIPAA Privacy and Security Rules.
In addition, for the first time, Congress created an activity for the Department of Health and Human Services to perform periodic audits to evaluate whether covered entities were in compliance with the HIPAA Privacy and Security Rules.
The purpose of the audits that were to be implemented were not designed as enforcement activities. Rather, the idea or the hope was to identify areas where covered entities were having challenges to complying with the HIPAA Privacy and Security and Breach Notification Rules, and to raise awareness and attention by covered entities, and also to perhaps identify some best practices.
Overview of 2012 HIPAA/HITECH Audits
OCR implemented the pilot audit program in 2012, through the work of a contractor, KPMG. The audit design was to look at a full range of covered entities to provide a variety based on the size of the organization, from very small to rather large, the single-physician practice or two-physician practice to the academic medical center size, as well as to survey health plans and healthcare clearinghouses, the other two components of covered entities.
The audit was designed to provide queries across the Privacy Rule, the Security Rule, and the Breach Notification Rule. As the audit protocol was designed, 60% of the questions looked at issues in the Privacy Rule, 30% looked at issues in the Security Rule, and 10% in the Breach Notification Rule.
One of the findings from the HIPAA audits of 2012, of the 115 covered entities, was that there was an over-representation or there were many more findings of security problems, HIPAA Security Rule compliance issues, than had been anticipated. In fact, almost three times what would have been expected.
Privacy Rule Findings
Looking at all covered entities, the covered entities by and large were pretty successful in adopting the requirements of the Privacy Rule, except that there was an unexpected over-representation of problems in uses and disclosures. In other words, at 164.502 the Privacy Rule sets out how protected health information can be used and disclosed.
The findings of OCR were that a number of organizations were having challenges with it, and in digging down through who was being reviewed, smaller organizations were having more problems with compliance with this particular issue.
Security Rule Findings
When we look at the Security Rule findings, by and large, the covered entities were having challenges complying with the requirements of the Security Rule. Again, the smaller the provider, the more likely they were to have challenges in complying with the Security Rule.
Of interest is that there was, almost across the board, representation in the areas in which there were problems with compliance across all the major standards areas of the Security Rule. Particularly what stuck out was risk analysis, access management, and contingency planning.
Phase 2 OCR Audit Program
So let's fast-forward to today as to what is going on with organizations. OCR has announced that they thought that their 2012 audit program was a success and that they are going to invest in standing up a permanent audit program for HIPAA-covered entities and eventually for business associates.
This means that healthcare providers are at risk of being selected for an audit for their compliance with the HIPAA Privacy and Security Rules.
The selection process is beginning. The audit program will kick off in the early part of 2015. What we are hearing now is that OCR is preparing to send out letters to 1,200 covered entities. Again, as they had in 2012, they're going to select from an audit pool of covered entities of all types, but they are going to be looking more at healthcare providers and over-represent on small healthcare providers.
So the pre-audit survey request will simply ask for demographic information. It will make sure that it has the correct contact information for the provider. It will ask if they have the correct address, and they will also ask some specific information about the size of the organization, the type of healthcare practice that it is, as well as, perhaps, request information about revenue.
This is not a letter that will come to you that will say "Dear Occupant." It will be a formal letter with the seal of the Department of Health and Human Services.
No one will contact you by phone. You won't receive a spurious email that says, "Please enter your information here." However, the letter will ask you to go to an official U.S. government website to enter this information. It will also provide a phone number to contact if you have any questions to verify the authenticity of the letter.
So after the 1,200 responses have been received, they will whittle that list down to about 200 covered entities to be selected for desk audits.
There will also be on-site audits, in which government auditors will visit your practice and follow a protocol. Generally, the desk audit will use technology to get answers to the protocol questions that they're going to be submitting.
Desk Audit Expectations
Some of the key differentiators between an on-site audit and a desk audit are that, in a desk audit, the practice that's being reviewed or audited, their responses are limited to sending in documentation. There is no one sitting on the other side of the table having a conversation with you, and you must submit the documentation that's requested. Nothing more, nothing less.
They are going to have an expectation that the policies and procedures that are going to be reviewed in this audit, that they will have been established or implemented or otherwise in place at the time that the audit is commencing. In other words, your organization has to have the Privacy and Information Security policies already up and running by the time that the audit letter is sent to you.
You're not going to have time to respond from the date that the audit letter is received to create new policies and procedures and implement new programs. So it's very important that you take this opportunity now to position yourself to get ready for these audits.
The Desk Audit Steps
The process of the audit is, as we discussed, the pre-audit survey. There's going to be notifications to covered entities. You're going to have approximately 2 weeks, 10 business days, to respond to the audit request.
The documentation will go to the auditor or the audit office. You will receive a preliminary report from the Office for Civil Rights as to their findings, and you'll be asked to provide comment, and then the audit will be made final.
Phase 2 Audit Scope
The desk audits for 2015 are going to be of limited scope. In other words, the desk audit is designed to hit key features that are of interest to OCR and that have been identified as trouble areas in which practices have had compliance issues.
For 2015, for the upcoming round of audits, you can expect, if you're selected, you'll be asked to provide a copy of your HIPAA security risk analysis and the risk analysis policy that your organization has established, as well as your risk management plan, or the actions that you would take to fix the gaps that are identified through your HIPAA security risk analysis.
You'll also be asked to provide copies of your policies and procedures regarding the Breach Notification Rule, as well as information regarding the content and timeliness of breach notifications that you have made in the past.
Now just as a reminder, covered entities, that have had breaches, for a number of years have had an obligation to report those breaches to the Department of Health and Human Services based on the size of the breaches. In addition, there are requirements to notify individuals and in some cases the media, based on the size of the breach. So OCR is going to have the information that they need to check your accuracy in the response that you provide.
For the desk audits, there will also be a component to test for the Privacy Rule. In the Omnibus Rule that took effect in 2013, there were significant changes to the Privacy Rule and requirements to modify and create a new version of your Notice of Privacy Practices, as well as to adopt or modify your policies to provide individuals with access to their health information.
OCR is going to be looking to test your policies and procedures for the Notice of Privacy Practices, as well as to receive a copy of your current Notice of Privacy Practices, as well as your policies and procedures regarding patient access to their health records.
As a part of the audit of the covered entities, the covered entities selected for desk audit are going to be asked for a list of their business associates, because OCR wants to also audit business associates. Business associates have requirements under the Omnibus Rule to adopt appropriate policies and procedures to comply with the HIPAA Security Rule and portions of the Privacy Rule and the Breach Notification Rule.
However, it's very difficult for HHS to identify who is a business associate. There's no registration requirement. There is no social media page which lists business associates to covered entities.
OCR has chosen to solicit, from those organizations that are going to be subject to audit, the names of their business associates, and they are going to then collect that list and select approximately 300 business associates, from the list submitted by all the covered entities, and select them for audit.
OCR is committed to a broader permanent audit program, and in following years, probably beginning in 2016, they're going to return to the comprehensive on-site audit program, much like what they did with the pilot audits in 2012. Only this time the on-site audits, as the desk audits will be, these audits will be conducted by HHS personnel, not contractors.
Onsite Audits 2015 & Beyond
So for the on-site audits, they don't have a specific protocol that they've announced, but OCR has indicated that some of the topic areas that they are interested in looking in, in these broader audits, are going to be the compliance with the HIPAA Security Rule in the areas of device and media controls, transmission security, processes for encrypting data at rest, and facility access controls.
In the scope of the Privacy Rule, administrative and physical safeguards, the workforce training in HIPAA policies, as well as other high risk areas that are identified through the 2015 audits, as well as breach reports that are submitted to OCR.
I would also expect that they would look at other areas that were significantly modified or added by the Omnibus Rules in 2013.
So I'm going to stop for a moment and wait and see if anybody has any questions I can answer, before we go into our next topic area on how to prepare yourself for one of these HIPAA audits.
Regina: Before I unmute the lines, there was one question that came across, if you would please define what OCR stands for?
Office for Civil Rights (OCR) Question
David: Absolutely, and I apologize. OCR is the Office for Civil Rights at the Department of Health and Human Services. OCR is the federal agency that is responsible for developing, implementing, and enforcing the HIPAA Privacy, Security, and Breach Notification Rules.
OCR is headquartered in Washington, D.C., and most of the policies and regulations are developed and directed through that headquarters office.
However, OCR's enforcement activities and local administration of the HIPAA Privacy and Security Rules take place through 10 regional offices scattered throughout the country. Many organizations who may have been contacted by OCR to respond to a compliance review or a complaint may have been contacted by one of these 10 regional offices.
Regina: Thank you.
David: Great question.
Regina: I'm going to unmute the line now, and if you have a question, please speak up and just state your question.
Steve: Did you, Regina, press *43 if you didn't receive the message that . . .
Regina: There we go.
Steve: There we go.
Regina: Now we're unmuted. You can ask your questions.
Steve: We are open for business. Please feel free to unmute your phone by pressing *6 and ask your question. Fire away.
Slideshow Question
David: One of the questions that I saw come across is, "Will it be possible to receive a copy of this slide show?" I'll let Steve respond to that question.
Steve: Okay, sure. At the end of the presentation, I will provide those details. But the short answer is anytime following this presentation, in order to obtain a PDF version of these charts, simply send an email to the email ID charts@healthcents.com.
Again, I will remind you at the end of this session about how to do that, and I will also provide further information if you would like to receive a recorded YouTube version of this session, that will be made available within two days of the session, as well, and I will explain that at the end. Thank you.
Business Associates Question
Regina: There was one question from the email. The question is around business associates. You mentioned that there is not a formal definition, but could you give us some examples of what might be considered business associates? I think people understand that billing companies are one, but are there others that might be considered business associates?
David: Sure. Well, apparently I misspoke. There is a formal definition for business associate. What I think I meant to say is that OCR has not developed a protocol for the audit that it will perform on business associates.
Business associates are defined as contractors or vendors who perform a service or function on behalf of a covered entity or another business associate. An example of a business associate would be a billing company that takes protected health information from a covered entity and uses that information to send out bills. By the same token, they also create protected health information.
Another example would be an IT service company that either manages your IT services or repairs your equipment, and in doing so, has access to your protected health information.
Another example would be a cloud-based EHR vendor. I'm just going to pick a name out of a hat, like Athena Health. They maintain a Software as a Service application which contains electronic PHI.
So under the changes in the Omnibus Rule, business associates, for the first time, are directly responsible to the government and have the responsibility to have or comply with the provisions of the HIPAA Security Rule, as well as the use and disclosure provisions of the Privacy Rule. Great question. Thank you.
Regina: Okay. Any other questions? I don't see any coming across. And just to note, again, there was one instant message that came. We will put up on the screen at the end of the presentation here how to request a copy of the chart deck.
Measure & Document HIPAA Compliance
David: We've talked about OCR's experience in performing audits in 2012, what they called the Pilot Audit Program, and we've also discussed OCR's plans to implement a permanent audit program, starting with desk audits, in the new year of 2015.
Although we don't know precisely what is the new protocol, we do have some ideas of what OCR is going to be asking based on the presentations that they've been making for a number of months.
The rules themselves have not changed dramatically, when thinking about the HIPAA Security Rule, and the changed provisions of the HIPAA Privacy Rule have been in place since 2013 to supplement or augment the Privacy Rule requirements that have been in place since 2003.
Many of the provisions of the Breach Notification Rule have been unchanged since they were adopted in 2009. What has changed with the Breach Notification Rule is the standard for assessment. We can take another whole hour to talk about that.
Continuous Evaluation & Assessment
There are tools available to help you prepare for an OCR audit, and that's what we are really focusing our attention to today. The audits are coming. Whether or not you're selected this time, there is a good likelihood that at some point in the future you will be asked to provide documentation for your compliance with the HIPAA rules. So the best measure is to prepare for that eventuality.
Some of the tools that we are making available to you, we have developed an OCR mock-audit tool, which includes a number of queries and explanations, and a Toolkit sheet to assemble your documentation with.
In addition, many organizations, small providers have challenges with performing the Security Risk Assessment that is required both for compliance with the HIPAA Security Rule and with the CMS Meaningful Use EHR Incentive Program. We're going to go into that in a little bit more detail here in a few minutes.
HHS has developed a Risk Assessment Tool that it is making available for download, to be used by small healthcare providers or small business associates. "Small" being, of course, relative to everybody, but we're talking about healthcare providers of physician practices or organizations that are generally 10 or fewer.
For larger organizations, there is a more substantive and robust Risk Assessment Tool that has been available from NIST, the National Institute of Standards and Technology, who worked with OCR to develop a HIPAA Security Risk Assessment Tool.
I'd like to mention that the OCR Audit Readiness Toolkit that is available covers the Privacy Rule, the Security Rule, and the Breach Notification Rule. It's meant to prepare you for all components of the OCR audit program.
Security Risk Analysis
I'd like to focus on the need to do a security risk analysis. This is an area that both the audits have found, and in my personal experience in working in HIPAA privacy and security for nearly 12 years, organizations are having challenges performing a risk analysis. Many organizations feel that because they are not technically astute, or they don't have a knowledge base or awareness of information technology, that they can't meet this requirement.
I want to assure you that there are resources available. There is the HHS Risk Analysis Tool, or if you choose, you can hire a third party to do a HIPAA Security Risk Analysis.
This is vitally important, and it's the baseline for establishing compliance with the HIPAA Security Rule.
If OCR finds an organization that has not performed a HIPAA Security Risk Analysis through an audit or a complaint investigation or compliance review, the organization is at significant risk for significant fines and penalties. Also, it really does affect your ability to safeguard your health information.
How to Use OCR Audit Protocols
Thinking about the OCR Audit Readiness Toolkit that we have put together, a good way to use the Toolkit is to practice how you would perform an audit if you were a third party coming in to do an audit.
You would use the generally accepted principles of how an audit is conducted. You would ask a question of the ownership or the leadership of the organization that is the topic that is listed on each specific line of the audit tool.
You would obtain and review the policies and procedures that the organization has developed to show compliance with the standard or the implementation specification.
You would look at any documentation or evidence that they're carrying out the requirements of the rule. For example, under the Privacy Rule, an organization has to have a documented complaint process in place, and they have to be able to show that they receive and respond to complaints that are filed by patients or by other third parties.
The same with the requirement that patients have the right to review their healthcare information that's maintained by their healthcare provider. OCR would look to see that you have a process in place to permit patients to access their health records, how you process these requests, and the documentation that the individuals have been provided access to their health records.
The last question is, under the Security Rule, organizations are provided some flexibility and choices to put into place the appropriate protections and safeguards in certain areas regarding how ePHI, or electronic protected health information, is safeguarded. As a part of your Security Risk Analysis, you need to provide documentation of why you've selected certain processes or chosen to go a certain path, and how can you show that it is protective and effective.
At this point, I'm going to stop briefly before we go into the Meaningful Use portion of our program and provide another opportunity for questions to be asked.
Regina: I don't see any questions in email right now. Does anybody in the audience have any questions?
Steve: Again, if anybody would like to ask a question, please simply press *6 on your phone at this time, and go right ahead and ask your question.
Regina: Okay, one just came across here.
Participant: Hello?
David: Yes.
Policies and Procedures Forms Question
Participant: Quill, do they do the forms that are needed for all this, or do we have to make them up on our own?
David: Can you help me understand, by "forms," you mean the policies and procedures themselves?
Participant: Yes.
David: There are a number of resources for policies and procedures. There are, for example, the American Medical Association and many state and medical societies have produced generic policies and procedures to help practices comply with the rules.
There are also a number of resources through organizations like — and don't laugh — an organization called HIPAACOW, which is the HIPAA Collaborative of Wisconsin, that has published a series of HIPAA Privacy, Security, and Breach Notification policies that can be used and adopted by healthcare providers. They provide them free of charge. That's hipaacow.org.
I see a number of questions coming across on email.
Regina: Yeah, I've got one here. It's a pretty long one, actually.
David: Okay.
Risk Analysis Question
Regina: So the first question is, "What is the difference between risk analysis with an office that has EMR and one that uses paper charts?"
David: That's a great question. Risk analysis is required if you are a HIPAA covered entity, which, in this case, means someone who provides healthcare treatment and bills electronically. So if you do not bill electronically, then you are probably not a HIPAA covered entity.
You can go to the OCR website, and they have a flow chart that you can measure whether or not you are a HIPAA covered entity.
If you are a HIPAA covered entity, but you don't use an EMR, then you have to perform a risk analysis on the information systems that handle PHI.
You may have a desktop computer that you have billing information in, or you may have a tablet that you keep patient notes on. You have to perform the HIPAA Security Risk Analysis, but you probably would be able to adopt less complex activities based on the risk assessment.
Entities Eligible for Audit Question
Regina: There's a follow-up question to that, and you touched on it. "Are there any entities that would be excluded from a potential audit? Or is everyone eligible for audit?"
David: Every HIPAA covered entity is eligible for audit. Again, if you go back to the definition of "covered entity," which has not changed since 2003, if you are a covered entity, you are one of three million or so covered entities that could be selected for the audit.
As we like to say, if you are one of the lucky 100 or 200 folks selected for an audit, that is the day that you go out and buy a lottery ticket, because the odds are just tremendous.
The challenge is that if you are selected for an audit, you will not have time to start from scratch and put in place the compliance programs that are needed to pass the audit.
Regina: That's a good point.
David: All right. I'm done.
Updating HIPAA Compliance Documentation Question
Regina: The next question, from the instant message, is from one of our participants, who says, "I implemented a HIPAA binder about eight years ago. Is it advisable to update this with a date of 2014 to demonstrate that it has been updated and is currently compliant? Do I need business associates to sign a new document if it was signed eight years ago?"
David: Well, the answer to all those questions is yes, yes, yes. What you put in place eight years ago was very useful at the time, and much of what was in place eight years ago is in place today.
There have been significant changes that took effect in 2013, and with the requirements of HITECH. Some of them are specifically business associate agreements need to be updated. The Notice of Privacy Practices has to be updated.
I recommend that you go to OCR's website at hhs.gov/ocr/privacy [sic]. You'll be provided access to a number of materials that will help you understand what the most recent changes are, and it will help you with adopting new policies and procedures.
The HIPAACOW website that I mentioned has the new policies and procedures, so you may also want to head there to look at policies and procedures that may fit into your needs.
Thank you.
Regina: Okay.
David: Next question.
Compliance Policies Requested by Auditors Question
Regina: Okay. Touching on policies, one of the participants says, "Can you give us some examples of compliance policies, i.e., what would an auditor want to see? For example, computer passwords, things like that." What do they need to demonstrate to the auditors? What would the auditors be looking for? I think that's the question.
David: Looking specifically at the HIPAA Security Rule, it lays out what the requirements are. The rule requires that you have a policy for passwords, and that passwords be changed from time to time. However, the standard in the rule doesn't have a set requirement for password length, or for the time between password reset.
What I suggest, so that you can get the full explanation of what is required, please go to the HHS Risk Assessment, and in that Risk Assessment, for each of the areas that are required for compliance with the Security Rule, it provides a detailed, as plain English as you can get, explanation of what is required to be put into place.
I want to be clear that although it's an HHS website, HHS is not monitoring who accesses the website, and the actual tool is downloadable onto your system. So any information that you put into the file after you've downloaded it is private to you. It is not shared with the government, and you will not be asked to share it with the government.
It is entirely a tool to help small healthcare providers understand and come into compliance with the rule. That's one way I would urge folks to understand what the requirements are and what auditors will be looking for.
HIPAA Compliance Rules for Dental Providers Question
Regina: One final question. "Are there any specific HIPAA compliance rules or regulations that are different for dental providers than other types of medical providers that you are aware of?"
David: That's a great question. The HIPAA rules specify that covered entities are essentially three classes. They are healthcare clearing houses, which are billing and transactional organizations. They are health plans, which are health insurance issuers and group health plans that are usually employer-sponsored plans. Then there are healthcare providers who use electronic information for billing purposes. That's a kind of short-hand way.
Healthcare providers can be of any type of healthcare provider. There's no differentiation between the dental provider, the oral surgeon, the physician's office, the nurse practitioner, or the physical therapist. They are all included in the definition of healthcare provider.
Regina: Okay.
David: That's a great question. Thank you.
HIPAA Compliant File Sharing Providers Question
Regina: I'm going to ask this question, but it may be covered in the next section. So if it is, then we can visit it then. This just came through by email. The questioner is wondering if any of the cloud-based storage providers, for file sharing, like OneDrive, Box, or Dropbox, are those HIPAA compliant, file-sharing providers? Do you know of any that are HIPAA compliant?
David: If you wish to use a technology provider, whether it's a cloud service provider, a storage provider, before you put information that contains patient health information, or protected health information, into one of those vendors, you have to ask them to sign a Business Associate Agreement. That is the baseline question for whether or not an organization is willing to be, or demonstrating HIPAA compliance.
If an organization, like a vendor of any kind who's going to handle health information in any form, whether it's paper or electronic, if they say, "No, we will not give you a business associate agreement," then that's their message to you that they are not willing to demonstrate HIPAA compliance. You are at risk if you allow them to handle, process, or maintain health information. You've violated federal law.
Regina: Okay. There are a couple more questions. Do we have time to do this?
Steve: Well, we'll ping pong it back to David. I think if we can close at around half past the hour, certainly leave it to David as to how you want to handle it.
David: I'll take two more questions.
Audit Preparation Resources for Home Care Providers Question
Regina: Okay. So one was, "Are there any resources, audit preparation resources, specific to home care providers? Are there any unique regulations or rules or compliance issues that are unique to home care providers?"
David: You know, that's a great question. To answer the first part of the question, I would urge them to use the same Risk Assessment and the same OCR Audit Readiness Toolkit that all other healthcare providers would.
Home care providers have unique challenges in the use of portable electronic devices like laptop computers, or smartphones, or tablets, and making sure that any data that is stored on those devices, that the device is encrypted.
First of all, encryption is probably the best tool that you can have to safeguard health information on a portable mobile device. Secondly, under the Breach Notification law, if a device that is encrypted, that has health information is lost, that loss is not reportable as a breach.
That applies to the HIPAA rules, as well as 47 of the 48 states that have Breach Notification laws. There's a safe harbor for encrypted information.
Great question.
Regina: Okay. The last question I have . . .
David: All right. I'm going to move on to Meaningful Use.
Regina: I have one last question.
David: Oh, I'm sorry.
HIPAA Compliance for Collection Agencies Question
Regina: That's, could you briefly touch on HIPAA compliance with regard to collection agencies? This might fall back to the Business Associate Agreement.
One of our participants says that they have accounts that they may send to collection. They're concerned that as soon as they give any protected health information to that collection agency, that they're in violation of HIPAA regulations. So can you touch on that?
David: You know, that is a rather complex topic. Just briefly, if you are hiring a collection agency to collect a debt for you, then they are a business associate. You have to have a BA agreement before you can share information with them about who the individual is, the funds that they owe, and for what services.
If you sell the collection debt, that transaction can be sold to any third party. It does not have to be sold to a covered entity. Once that transaction, that debt is sold to a third party, so long as the third party is not itself a HIPAA covered entity, then that information is no longer protected under the privacy rule.
As I said, it's a rather complex area, and I urge you to receive appropriate advice before you engage in these types of transactions. That's just a quick overview of it.
Regina: Okay. That's all that I have. I'm going to go ahead and mute the lines, and we can move on.
Meaningful Use Program Audits – Meaningful Use Basics
David: I want to move into the area of program audits for the Meaningful Use program. Meaningful Use was the EHR Incentive Program that was passed or authorized by Congress as part of the ARRA, the American Recovery and Reinvestment Act, and it's also referred to as part of HITECH.
Its purpose was to incentivize the purchase and implementation of certified electronic health record technology by healthcare providers who are providing direct patient care.
Not all healthcare providers are eligible to participate in the Meaningful Use program, and in addition, the Meaningful Use program also is available for participation by hospitals and critical access hospitals.
The Meaningful Use program is administered by CMS, the Centers for Medicare and Medicaid Services. It began in 2011, and there are two separate programs that are administered as a part of Meaningful Use, one that is for the Medicare program and one that is for the Medicaid program. Most healthcare providers are participating in the Medicare Meaningful Use program.
Over $25 billion in Meaningful Use incentive payments have been paid since 2011. That has created a real sense of urgency and concern in Congress, as well as in other areas of government watchdogs. They're beginning to be very concerned about how the money has been spent.
Meaningful Use Objectives: Stage 1
Under Meaningful Use, providers are required to attest, sign a document that says that they have implemented or met the 13 mandatory core measures and a series of menu measures.
The core measures range from privacy and security protections to adopting the certified technology, to certain base levels of activity that are being engaged in, such as providing a percentage of patients with a copy of their electronic record of the treatment encounter, as an example.
There are other measures that are specifically changed somewhat or modified somewhat for hospitals, but for purposes here, we're not going to focus on those.
Meaningful Use is being implemented in two stages. Stage 1 was in place from 2011 and was due to expire in 2013. However, it has been extended through 2014, I believe.
Meaningful Use Objectives: Stage 2
We are currently in the period of transition where healthcare providers are, or should be, adopting Stage 2 of Meaningful Use. There has been some controversy this year involving the adoption of Stage 2 of Meaningful Use, and healthcare providers have been provided some flexibility in adopting Stage 2 of Meaningful Use.
If you go to our website at CynergisTek.com, we have a lot more information that explains that controversy and how providers can learn more about that.
Meaningful Use Audits
For purposes of our discussion today, let's talk about the audits that are taking place for healthcare providers that are participating in Meaningful Use.
CMS has adopted an audit program in which they are auditing 5%, or 5 out of 100, of every healthcare provider who is sending in an attestation, which is an affirmation under your signature, that you have met the requirements as required under the Meaningful Use program, and are eligible for an EHR incentive.
CMS has had a contractor in place for several years, Figliozzi & Co., that conducts these audits on their behalf.
Unlike the OCR audits, which are informational and are only used for enforcement if you fail to respond to their audits and audit requests, the Meaningful Use audits are pass/fail audits.
If you do not pass the Meaningful Use audit, you are required to return any Meaningful Use incentive funds that are covered in that audit period.
Meaningful Use Audit Approach
The approach to a Meaningful Use audit is, you will receive a letter from CMS and Figliozzi & Co. with specific audit requests for documentation related to your Meaningful Use attestation.
You will have 10 business days, or two calendar weeks, to provide the documentation submitted through a designated website. The auditor who reviews the documentation will measure it against the standards and requirements, as well as evaluating the measures, based on the information that you have provided concerning measures and what is called the "numerator and denominator." You'll receive feedback only if additional documentation is necessary.
If the documentation that's submitted is insufficient, then an on-site audit will likely follow. The on-site audit is often used as a way to confirm the questions that are raised through the desk audit.
Meaningful Use Audit: Primary Review
There are a number of primary review areas in a Meaningful Use audit. What is key is that you are able to document through the certification for the technology that you have adopted.
That certification is usually available through your vendor or through the website maintained by the Office of National Coordinator. That web address, in case you don't have it, is www.HealthIT.gov, and you click the tab on "Certification."
In addition, you'll be asked for information to support the methodology that you have chosen for achieving your Meaningful Use measures, and there are two choices for which methodology. The observation method, for example, but this is primarily for hospitals.
As well as the numerators and denominators for each of your measures, a key issue is the Risk Analysis and risk mitigation plan, the same Security Risk Analysis we talked about for compliance with the HIPAA Security Rule. That is a core component or a core measure of Meaningful Use, and screenshots to support how you've implemented or are using the key features of your EHR technology.
Meaningful Use On-site Audits
If you are selected for an on-site audit, there are a number of key features that you are asked to demonstrate. There is some variation between providers who are practicing independently and providers who are practicing through a hospital, or using a hospital EHR, and because of the short time that we have today, we'll just skip over that part.
Core Measure: Security Risk Analysis
I do want to return to a core measure, which is the Security Risk Analysis that is found in both Stage 1 and Stage 2 of Meaningful Use. Under Meaningful Use, you are required to perform the HIPAA Security Risk Analysis that you would perform to comply with the Security Rule.
Security Risk Analysis – What's Covered
There is a myth out there, that to fulfill the requirements of Meaningful Use, your Risk Analysis only needs to cover your electronic health record. I want to dispel that myth.
The HIPAA Security Risk Analysis that is required to meet the Meaningful Use requirement is any information system that interacts or creates, stores, or maintains data that is used or is accessible through your EHR. That would include any devices or what we call "end user devices," like laptop computers, tablets, or smartphones, that can access your EHR.
Protect ePHI – Measures Stage 1
One of the core measures under Stage 1 is to protect electronic protected health information, and to meet that core measure, you have to, of course, as we discussed, conduct a Security Rule Risk Analysis.
You have to implement security updates, or critical patches and updating, that are put out or produced by your EHR vendor, as well as patches and updates to maintain your overall information systems.
In addition, you have to identify a mitigation plan, how do you fix those areas that are found to be deficient in your Security Risk Analysis.
For example, your Risk Analysis may find that you have gaps in establishing policies and procedures, or that you don't have specific technical safeguards in place, like a password update policy. Or that you have laptops that store data, and you've decided not to encrypt. There will need to be a schedule or a plan on how to address or fix those items.
This is a process that has to be reviewed every year. Every year that you attest to Meaningful Use requires a new review of your Security Risk Analysis.
Protect ePHI – Measures Stage 2
Under Stage 2, there are additional core measures to protect privacy and security. In addition to the Risk Analysis and the mitigation plan, or the plan to address gaps identified through the Risk Analysis, you are specifically required to document the decisions you have made to adopt encryption or not adopt encryption in those end user devices, and network devices that handle electronic protected health information.
Now, that's not to say that you're required to have encryption, but you are required to document what other features or safeguards are in place, that are just as effective and protective as encryption of devices.
The challenge here is that it is difficult to put in safeguards that are as protective under normal circumstances. That's why many organizations are choosing to invest in encryption technology for their mobile or portable devices.
We do want to note that if you are a healthcare provider that handles behavioral health information or substance abuse treatment records, you should be aware of the separate requirements that protect these classes of data. This information is available through another federal agency, SAMHSA, the Substance Abuse and Mental Health Services Administration, and their website is www.SAMHSA.gov.
Many states also have special protections for special populations or special data, like HIV information, communicable or sexually transmitted diseases, as well as mental health and substance abuse treatment information.
Meaningful Use Stage 2 Capabilities & Standards
In the interest of time, I'm going to just briefly mention that there are capabilities and standards in Stage 2 of Meaningful Use for your EHR technology, and you must be able to demonstrate that you're using these features.
Summary
To wrap it up, it is a good best practice to make sure that you have the appropriate policies and procedures in place. It's also a good best practice to test yourself to see, to evaluate your compliance state. It's good because it assures that you are able to protect and safeguard the health information in all forms, whether it's in paper or it's electronic fashion.
Frankly, it is something that is expected by patients. Patients are very sensitive to how healthcare providers are safeguarding and securing their information.
In addition, federal agencies are very active in enforcing the HIPAA privacy and security regulations. I know that we've all heard of the corrective action plans and resolution agreements that have been signed by OCR. Oftentimes they are in the hundreds of thousands or millions of dollars. But the fact is that 99.9% of cases that are resolved by OCR in which a violation is found are resolved informally and through voluntary corrective action.
Now, that may mean that you're not having to pay a fine or a penalty, but OCR will require that you engage in corrective action that can be quite expensive to implement, and is very disruptive in the time and resources that are required to resolve these complaints and compliance reviews.
That's why it's so much better to be proactive, and to adopt and implement the policies and procedures that have been in place for a number of years.
So with that, I'll open it up for questions.
Paper Charts Question
Regina: I have one question on the chat line. "What if you still use paper charts? How will you be able to submit the required documents?"
David: If you use paper charts, assuming you are a covered entity, you should look for an opportunity to convert this documentation into an electronic format and send it in encrypted fashion.
Or I would respond to whoever the audit-request recipient is and respond with an email well ahead of any deadline, that you are a paper-only practice, and ask them how they would like the documentation submitted. Perhaps they would suggest an alternative method.
My sense is that perhaps you're not a HIPAA covered entity, and you should take the opportunity now and double-check by going to the OCR website, and there is a specific tab, "Am I a Covered Entity?" And you can go through the work flow.
Regina: Okay. Thank you. I'm going to unmute the lines now. So if anyone has questions, feel free to speak up.
Steve: I saw one flash up on the chat room. I think David had said, "Where can we find a third party that can assist with risk analysis," is what I saw.
Regina: And help draft policies and plans of action.
Third Parties Providing Risk Analysis Assistance Question
David: I don't want to make this a sales call. CynergisTek does offer those services, and you are welcome to contact us. We'd be happy to discuss that with you outside of this call.
Rules and Regulations for Cloud-based Services
Regina: Another question that came up, because you mentioned translating paper documentation into perhaps, encrypted images. Are there any safe harbor rules in place that you're aware of, or are there any specific regulations around cloud-based services?
Even, let's say, for example, that you have a Business Associate Agreement signed, but is there anything particular about using cloud-based archiving services, EHR applications, email applications, that the practices should be aware of with regard to preparing for an audit?
David: Well, it's an issue that is larger than an audit preparation. Generally, if you are using a vendor in which, that will hold your protected health information, regardless of whether you send the information in encrypted fashion or they hold it in an encrypted fashion, they are a business associate because the definition of business associate relates to any vendor or contractor who creates, transmits, or maintains PHI and the data is persistent. That's the term they use. The data is persistent with them.
The same would apply to paper documentation. Let's say you use Iron Mountain or some other provider. If you are sending a sealed box to a third party storage facility, and the facility has no way to access the contents of the box, there is an exception in the Privacy Rule that would provide that they are not likely a business associate.
It's a very narrow exception. It's called the conduit exception. The same exception applies to mail that is sent through the postal service, or packages that are sent via UPS or other shipping service.
The test is, can the vendor, or whoever's carrying the PHI, can they access the data? If not, then generally they are not a business associate.
But in the electronic area, there has been a clear discussion, or clear guidance, that whether or not data is encrypted, if someone is holding the PHI, they are a business associate.
Backdating Documentation Question
Steve: I think we have time for one or two final questions. There is one that came in, and I'll go ahead and read this one for you. It says, "If you are creating a HIPAA binder and are missing policies, and you add them to it, or if you are missing a Business Associate Agreement, is it safe to use the current date, or should it be backdated?"
David: You should never backdate something. The cover-up is always the worst part of the crime. So it's better to, if you're creating policies, unless you can provide documentation that the policy was in existence at a prior date, then it should be the current date. You know, you can show that it is a revision of an earlier policy. In other words, you can show that this is a current version based on a prior version.
The HIPAA rules do require that you document and maintain documentation for six years.
Steve: Well, I'm positive that my CPA would agree with this, as well. Any other final questions here for David before we have just a couple of minutes of wrap-up? Regina, are the lines still open at this time?
Regina: I will close them now.
Steve: Okay, very good. I'm going to go ahead and just share my screen for a moment, just to remind of a couple of items. First off, what I wanted to do is thank David for his in-depth discussion today about HIPAA audits.
I trust that no matter what kind of practice you may be running, the information here will prove to be useful and help you to prepare in a practical way. So, again, my thanks to David, who is a very popular speaker, as you would imagine, in the healthcare industry, for joining us in this informative webinar.
With regard to discounts, up on the screen is the discount information that is being offered by Quill Healthcare for medical supplies. This discount applies to medical supplies only, and it's a $15 off certificate if you spend up to $50 on medical supplies, with $30 off when you spend $100 or more on medical supplies.
You can redeem the offer at the URL specified here, and also I will be providing the information about how you can go about obtaining a copy of the charts right here, which is right at the bottom of the screen. You simply send an email at any time, which will go to charts@healthcents.com.
Also, if you would like to reach out and contact any of us, which would extend now to Regina, Steve, Susan, David, or Regina, you can use that phone number or email. Also for more information about Quill Healthcare, you can dial the 800 number at any time.
Just for one moment with Lena on the line, I saw one thing flash about the discount, I think, has a legacy date of 9/14. I believe that's been extended. So I just would like Lena, if you could confirm that, please, and if you could open up the line, Regina, one more time for her to do that, which would be *3.
And Lena, if you can press *6 just to confirm that, that would be great.
Lena: Hi, everyone. Lena is here.
Steve: Okay, great. One of the viewers noticed that the discount had a 9/28 expiration date. I just need you to confirm that that's been extended to accommodate all of the enrollees in these sessions.
Lena: That is correct. That has been extended to the end of November.
Steve: Good, good. And . . .
Lena: But the expiration day is November 30th. I apologize for the confusion.
Conclusion
Steve: Okay. Terrific. Well, I just wanted, once again, to thank David for his participation, and for all of the enrollees, we will be having our next session a little bit early, an early Christmas present. Which will be Tuesday, December 16, same bat-time, same bat-place, and it will be a fun topic, but yet a very relevant one to expanding your practices. It's going to be all about how to leverage social media in your practices. We're very much looking forward to that topic, as well.
We appreciate your active participation in these sessions, and once again, thank you for attending, and have a good afternoon.