CALL TO ORDER - Ms. Emily A. Youssouf
Adoption of Minutes, December 4, 2014 - Ms. Emily A. Youssouf
INFORMATION ITEMS: Audits Update - Mr. Chris A. ...
Overview of HHC’s Policies and Procedures Designed to Prevent Fraud, Waste and Abuse
2) HHC’s policies and procedures designed to prevent and detect fraud, waste, and abuse include, without limitation, the following:
HHC Guide to Compliance at the New York City Health and Hospitals Corporation
HHC’s Corporate Compliance Plan
3) The overall breadth of HHC’s Corporate Compliance Program (the “Program”) is best reflected in its Corporate Compliance Plan (the “Plan”). Specifically, the Plan outlines and explains the structural and operational elements of the Program, highlighting HHC’s development and/or adoption of written policies and procedures covering compliance, including, without limitation, HHC’s Operating Procedure 50-1 - Corporate Compliance Program (“OP 50-1”), which details the structure of the Program; HHC’s Principles of Professional Conduct (“POPC”), which establishes HHC’s prohibition of fraudulent billing and other improper business practices; and HHC’s A Guide to Compliance at the New York City Health and Hospitals Corporation (“Guide to Compliance”)2, which provides a summary of important compliance issues and compliance standards and expectations at HHC. The Plan, OP 50-1, the POPC, and the Guide to Compliance may all be accessed through HHC’s Intranet under the Office of Corporate Compliance (“OCC”) at http://compliance.nychhc.org/, or by way of HHC’s public website at http://www.nyc.gov/html/hhc/html/about/About-PublicInfoCompliance.shtml. You may also contact your local Network Compliance Officer or the OCC - by phone at (646) 458-7799 or by e-mail at COMPLIANCE@nychhc.org - to obtain copies of the same.
The Plan also underscores HHC’s commitment to routinely identify potential areas of corporate risks and vulnerabilities, and to perform self-evaluations and audits of its operations and practices, which are required under New York’s mandatory compliance program regulations.3
HHC Operating Procedure 50-1
4) As evidenced by its internal operating procedures,4 HHC has implemented a Program that satisfies the mandatory provider compliance program regulations promulgated by the New York State Department of Social Services.5 Additionally, the Program also adopts the principles set forth in the United States Sentencing Commission 2013 Federal Sentencing Guidelines pertaining to effective compliance and ethics programs. The Program is responsible for, among other things, aggressively identifying, directing, and addressing corporate-wide and local compliance activities and concerns. The following are some key highlights of the Program:
the appointment of a Corporate Compliance Officer (“CCO”) charged with the oversight and implementation of the Program;
the creation of an annual Corporate Compliance Work Plan (“Work Plan”) designed to proactively address compliance vulnerabilities;
the institution of a confidential process and toll-free hotline (1-866-HELP-HHC) to receive complaints;
the implementation of corporate-wide training and education regarding corporate compliance issues;
the requirement that the CCO report, at least quarterly, HHC compliance activities to the Chairperson of the Board of Directors (“BOD”), the Chairperson of the Audit Committee of the BOD, and HHC’s President and Chief Executive;
the requirement that all HHC workforce members report violations of OP 50-1, as well as of all applicable laws, rules, codes and regulations (collectively “Laws”), to the CCO;
the investigation of allegations regarding: (i) violations of applicable Laws and HHC OP 50-1; and (ii) allegations of intimidation and retaliation; and
the prohibition of intimidation and retaliation against any person who, acting in good faith, engages in the Program.
HHC’s Principles of Professional Conduct (“POPC”)
5) The POPC is a guide to direct HHC employees to conduct official business in an ethical and lawful manner. Some examples of violations of professional conduct are:
improper billing practices;
accepting gifts from a vendor;
inappropriate patient referrals;
breaches of patient confidentiality; and
failure to adhere to HHC policies concerning patient care.
HHC’s Guide to Compliance
6) The Guide to Compliance defines the terms compliance, fraud, waste, and abuse. The Guide to Compliance also describes the goals of HHC’s Program, the consequences of noncompliance with applicable Laws and internal policies, and the responsibilities of each employee with regard to compliance. In addition to the foregoing, the Guide to Compliance provides information regarding the following compliance subjects:
Certification of DRA Requirements completed
7) Senior Assistant Vice President and Chief Corporate Compliance Officer Wayne A. McNulty certified, through OMIG’s website, HHC’s compliance with the DRA on December 29, 2014. Specifically, Mr. McNulty certified that HHC has written policies for all employees, including management, and any contractor or agent of the entity, that provide detailed information about the Federal False Claims Act, remedies for false claims and statements, and state laws pertaining to civil or criminal penalties for false claims and statements and that these
address whistleblower protections under the Federal False Claims Act and state laws;
address the role of the Federal False Claims Act and state laws in preventing and detecting fraud, waste, and abuse in Federal health care programs; and
provide detailed provisions regarding the entity's policies and procedures for detecting and preventing fraud, waste, and abuse.
8) Mr. McNulty also certified that HHC has an employee handbook that includes: (i) a specific discussion of the state and federal laws covering fraud, waste and abuse and the False Claims Act; (ii) a specific discussion of the rights of employees to be protected as whistleblowers; and (iii) a specific discussion of the entity's policies and procedures for detecting fraud, waste, and abuse.
III. Report on HHC’s Compliance with the HIPAA Security Rule Risk Analysis
Requirements Overview
1) Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA” or the “Act”) and its implementing regulations found at 45 CFR Parts 160 and 164, the “Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”), HHC is required to ensure that it implements a risk assessment program the purpose of which is to prevent, detect, contain, and correct security violations affecting electronic protected health information (“EPHI”).6
“Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”), found at 45 CFR Part 160 and Part 164, Subparts A and C, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Security Rule centers on implementing effective risk management to adequately and effectively protect EPHI. The assessment, analysis, and management of risk provides the foundation of a covered entity’s Security Rule compliance efforts, serving as tools to develop and maintain a covered entity’s strategy to protect the confidentiality, integrity, and availability of EPHI.
See also, generally, 18 NYCRR Part 521.
AUDIT COMMITTEE OF THE
HHC BOARD OF DIRECTORS
Security Rule Requirements
2) The Security Rule requires that covered entities, such as HHC, perform periodic technical and non-technical evaluations of applications that access, house or transmit EPHI. More specifically, HHC is required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI that is accessed, stored or transmitted by HHC’s systems and applications and is required, at minimum, to conduct periodic technical and nontechnical evaluations of those systems and applications to establish the extent to which HHC's security policies and procedures meet the requirements of the Security Rule.7
Performance of Risk Analysis
3) Pursuant to the Security Rule at 45 CFR Section 164.308(a)(1)(ii)(A), HHC is required as to each of its applications and systems that possess EPHI to do the following:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
4) To meet the risk analysis requirements under the Security Rule, HHC is required to conduct an accurate and thorough risk analysis of the vulnerabilities and potential risks to the confidentiality, integrity, and availability of EPHI of each of the systems and applications used by HHC.8 The required risk analysis is an assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the EPHI held by HHC and the likelihood of that risk’s occurrence9 and its use is considered a foundational first step in identifying and implementing physical, administrative and technical safeguards that comply with and carry out the standards and implementation specifications required in the Security Rule.
5) In its risk analysis of its applications and systems, HHC must (1) demonstrate that it has evaluated the risks associated with a specific application or system that uses, stores or transmits EPHI; and (2) document that it has established all of the safeguards (technical, physical and administrative) that would reasonably serve to protect the information that is exchanged along its network.10
Conducting an Inventory of Systems and Applications that House EPHI
6) As part of the risk analysis process, HHC is required to, among other things: (1) inventory all systems and applications used by HHC that access and house EPHI; and (2) classify those systems and applications by their level of risk.
7) While it is required that HHC conduct a risk analysis of its applications and systems, there are numerous methods of performing this analysis and the Security Rule does not prescribe a specific methodology that HHC must follow, recognizing instead that methods will vary depending on the size, complexity, and capabilities of the organization.11 With regard to performing a risk analysis, there is no single method or best practice that assures compliance with the Security Rule.12 Notwithstanding this fact, the National Institute of Standards and Technology (“NIST”) SP 800-30 provides examples of steps that might be applied to a risk analysis process.13
8) Regardless of the methodology used, a risk analysis must at the minimum incorporate the following eight steps to satisfy the Security Rule: (i) identify the scope of the analysis; (ii) gather data; (iii) identify and document potential threats and vulnerabilities; (iv) assess current security measures; (v) determine the likelihood of threat occurrence; (vi) determine the potential impact of threat occurrence; (vii) determine the level of risk; and (viii) identify security measures and finalize documentation.14
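The inventory-and-classify requirement in paragraph 6 and the eight steps in paragraph 8 are easier to see as a working risk register. The following Python script is an added illustration, not HHC's, OCC's or EITS's tooling: it scopes a constructed inventory down to systems that access, house or transmit EPHI (step i), records threat/vulnerability pairs and the current measures for each (steps iii and iv), scores the assessor's likelihood and impact ratings with the Low/Medium/High matrix from NIST SP 800-30, Risk Management Guide for Information Technology Systems (steps v to vii), and flags High-risk items as needing a documented corrective measure (step viii). The system names, findings and ratings are constructed sample data, and the script assumes the assessor's likelihood rating already takes the current measures into account, which is how SP 800-30 frames likelihood. It also reports the two gaps the OCC finding below describes: in-scope systems with no risk analysis on file, and systems whose findings have not yet been rated.

```python
"""Eight-step HIPAA Security Rule risk analysis as a small risk register.

Added example only; not HHC/OCC/EITS code. Inventory, findings and ratings
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Rating scales from the NIST SP 800-30 (2002) risk-level matrix:
# likelihood weights 1.0 / 0.5 / 0.1, impact weights 100 / 50 / 10; the
# product falls in Low (1-10), Medium (>10-50) or High (>50-100).
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class System:
    """One inventory entry (step i: scope is systems that handle EPHI)."""
    name: str
    handles_ephi: bool      # accesses, houses or transmits EPHI
    owner: str


@dataclass
class Finding:
    """One threat/vulnerability pair for a system (steps iii to vi)."""
    system: str
    threat: str
    vulnerability: str
    current_measures: list          # step iv: safeguards already in place
    likelihood: Optional[str]       # rated with current measures considered; None = not yet rated
    impact: Optional[str]           # None = not yet rated


def risk_score(likelihood: str, impact: str) -> float:
    """Step vii: likelihood weight times impact weight."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Map a score onto the SP 800-30 Low / Medium / High bands."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def analyze(systems, findings):
    """Build the register and report what is still missing.

    Returns a dict with:
      register     - scored findings for in-scope systems, highest risk first
      not_assessed - in-scope systems with findings that still lack a rating
      no_analysis  - in-scope systems with no findings recorded at all
    """
    in_scope = {s.name for s in systems if s.handles_ephi}
    register, not_assessed, seen = [], set(), set()
    for f in findings:
        if f.system not in in_scope:        # step i: out of scope, skip
            continue
        seen.add(f.system)
        if f.likelihood is None or f.impact is None:
            not_assessed.add(f.system)
            continue
        score = risk_score(f.likelihood, f.impact)
        level = risk_level(score)
        register.append({
            "system": f.system, "threat": f.threat,
            "vulnerability": f.vulnerability, "score": score, "level": level,
            # step viii: High-risk items need a documented corrective measure
            "action_required": level == "High",
        })
    register.sort(key=lambda r: r["score"], reverse=True)
    return {
        "register": register,
        "not_assessed": sorted(not_assessed),
        "no_analysis": sorted(in_scope - seen),
    }


# Constructed sample inventory and findings (hypothetical, not real HHC systems).
SAMPLE_SYSTEMS = [
    System("Patient portal", True, "Ambulatory care IT"),
    System("Lab results interface", True, "Laboratory IT"),
    System("Imaging archive", True, "Radiology IT"),
    System("Cafeteria point of sale", False, "Food services"),
]
SAMPLE_FINDINGS = [
    Finding("Patient portal", "credential theft", "no second factor on remote logins",
            ["password complexity policy", "account lockout"], "High", "High"),
    Finding("Patient portal", "lost backup media", "backup tapes stored unencrypted off site",
            ["locked transport cases", "chain-of-custody log"], "Low", "High"),
    Finding("Lab results interface", "interception in transit", "cleartext HL7 feed",
            ["private VLAN"], None, None),
    Finding("Cafeteria point of sale", "card skimming", "outdated terminal firmware",
            [], "Medium", "Medium"),
]


def run_sample():
    """Run the register over the constructed sample data."""
    return analyze(SAMPLE_SYSTEMS, SAMPLE_FINDINGS)


if __name__ == "__main__":
    result = run_sample()
    for row in result["register"]:
        print(f'{row["level"]:6} {row["score"]:>5} {row["system"]}: {row["threat"]}')
    print("findings not yet rated:", result["not_assessed"])
    print("no risk analysis on file:", result["no_analysis"])
```

Run as a script, the register lists the portal's credential-theft finding as High (score 100) and its backup-media finding as Low (score 10), the cafeteria system is dropped as out of scope, the lab interface is reported as not yet rated, and the imaging archive is reported as having no analysis on file, which is the kind of inventory gap a written completion schedule is meant to close.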
HHC’s Compliance Status with Security Rule Risk Analysis Requirements
9) With regard to HHC’s compliance with the Security Rule risk analysis requirements, the OCC has found, in pertinent part, that: (i) the inventory of the HHC information systems and applications that access, house, or transmit EPHI is a work in progress and therefore is not comprehensive at this juncture; and (ii) although HHC’s Enterprise Information Technology Services (“EITS”) has taken numerous and significant measures to enhance and maintain the confidentiality, integrity, and security of HHC’s information systems including the formation of an information governance and security program, the implementation of security controls, and the performance of a formal risk analysis on a handful of its applications, it appears that further measures must be taken by EITS to fully satisfy the extensive risk analysis and implementation measures required under the Security Rule.
Department of Health and Human Services Office of Civil Rights (“OCR”) Guidance on Risk Analysis Requirements under the HIPAA Security Rule, found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf, accessed on 2/9/15.
The National Institute of Standards and Technology (NIST) is a federal agency that publishes guidelines relevant to the HIPAA Security Rule. See NIST 800 Series of Special Publications (SP), specifically SP 800-30, Risk Management Guide for Information Technology Systems, at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html. Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI.
OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule, supra, note 31.
10) Based on the foregoing, OCC is recommending that the following measures be taken by HHC’s Enterprise Technology Information Services:
Identify and inventory, as a priority and no later than within 30 days, all HHC systems and applications that access, house or transmit EPHI;
Provide a written schedule that will specify date(s), over a 12-month period, by which all inventoried HHC systems and applications that access, house or transmit EPHI will have a completed risk analysis;