COMMUNITY SERVICES BOARD PERFORMANCE AUDIT

COMMUNITY SERVICES BOARD PERFORMANCE AUDIT
FISCAL YEAR 2005
CITY OF CHESAPEAKE, VIRGINIA
AUDIT SERVICES DEPARTMENT

City of Chesapeake
Chesapeake Community Services Board
Audit Services
July 1, 2004 to June 30, 2005
September 15, 2005

Managerial Summary

A. Objective, Scope, and Methodology

We have completed our review of the Chesapeake Community Services Board (CCSB) for the Fiscal Year (FY) Our review was conducted for the purpose of determining whether CCSB was in full compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and other policy and procedures requirements. The review was conducted in accordance with Government Auditing Standards and included such tests of records and other audit procedures as we deemed necessary in the circumstances.

CCSB provided comprehensive community-based services and support to Chesapeake residents with mental health, mental retardation, and/or substance abuse services needs. For FY 2005, CCSB had an operating budget of $13,306,495 with over 150 full-time positions. CCSB funding sources included federal, state, and City funds, and client payments.

CCSB must comply with applicable federal, state and City laws and regulations. One such federal law, HIPAA, was enacted in 1996 to improve the Medicare and Medicaid programs by encouraging the development of a health information system through the establishment of standards and requirements to facilitate the exchange, and to protect the privacy and security, of certain health information. Specifically, the U.S. Department of Health & Human Services issued and enforced the HIPAA regulations that required that covered entities, such as CCSB, meet transaction and code sets standards by October 16, 2002, privacy standards by April 14, 2003, and security standards by April 20,

To determine how well CCSB complied with the HIPAA requirements and standards relating to transactions and code sets, privacy, and security, we reviewed the federal law and corresponding regulations, state requirements, and CCSB policies and procedures. We discussed and documented information from CCSB management and staff and associated City department's officials that related to HIPAA privacy and security requirements. Also, we reviewed, analyzed, and obtained the status of CCSB implementation of report recommendations of KPMG's July 2004 Executive Summary entitled "City of Chesapeake, Fire and Community Services Departments, HIPAA Security Standards Gap Analysis and Strategy Planning Engagement." In addition, we reviewed CCSB administrative and operational processes, documentation, and reports pertaining to quality assurance, reimbursement, budget, privacy, security, and client recordation.

We reviewed Quality Management Services chart review results and follow-up audits conducted in FY 2004 and 2005 to determine the quality of the reviews and the level of compliance with HIPAA standards and CCSB policy and procedures. In addition, we judgmentally selected 5 of 10 supervisors in CCSB's mental health, mental retardation, and substance abuse programs and reviewed their FY 2005 audit results of staffs' client charts for compliance with HIPAA privacy and the related CCSB policy and procedures. Finally, we reviewed documentation to determine the status of CCSB implementing two recommendations presented in our June 2002 report entitled, "Service Practices of the Community Services Board, Preliminary Review."

Major Observations and Conclusions

Based on our review and analysis, we have determined that CCSB had made significant and substantial progress in implementing the comprehensive HIPAA standards. Specifically, CCSB had been very effective in meeting the requirements of HIPAA regulations concerning transactions and code sets and privacy of its clients' protected health information and had made substantial progress in meeting the HIPAA security standards.

However, we did identify several areas that CCSB needed to address to assure itself of HIPAA compliance. Specifically, CCSB needed to finalize Business Associate agreements with the Departments of Finance and Information Technology and with the City Treasurer. Also, the City had not developed a risk analysis methodology and written policies and procedures, and had not completed disaster recovery backup requirements to fully implement the HIPAA security standards.

This report, in draft, was provided to CCSB officials for review and response. Their comments have been considered in the preparation of this report. These comments have been included in the Managerial Summary, the Audit Report, and Appendix A. CCSB management and staffs were very helpful throughout the course of this audit, and we appreciate their courtesy and cooperation on this assignment.

B. HIPAA Privacy and Security Issues

As previously noted, we have determined that CCSB had made significant and substantial progress in complying with the comprehensive HIPAA standards. Specifically, CCSB has been very effective in meeting the requirements of HIPAA regulations concerning transactions and code sets and privacy of its clients' protected health information. In addition, it has made substantial progress in meeting the HIPAA security standards.

However, we did identify several areas that CCSB needed to address to assure itself of HIPAA compliance. Specifically, CCSB needed to finalize the Business Associate agreements with the Departments of Finance and Information Technology and with the City Treasurer. Also, the City had not developed a risk analysis methodology and written policies and procedures, and has not met disaster recovery backup requirements to fully implement the HIPAA security standards. (See additional details and analysis concerning the HIPAA security standards in Appendix B).

HIPAA Privacy Issues

1. Memorandum of Understanding with Business Associates

Finding - CCSB had not finalized a Memorandum of Understanding with three of its Business Associates - the Departments of Finance and Information Technology and the City Treasurer - as required by HIPAA.

Recommendation - CCSB should seek approval of individual Memorandums of Understanding with the City's Departments of Finance and Information Technology and with the City Treasurer as Business Associates.

Response - The Memorandums of Understanding with the Departments of Finance and Information Technology have been finalized and signed as of 8/31/05. The Deputy City Attorney is working with the City Treasurer's attorney to finalize this MOU, and we hope to have this completed within a month.

2. Quality Assurance Checklist

Finding - The Infant Intervention Service did not use the approved CCSB agency Quality Assurance Checklist when doing its supervisory audits of staffs' client charts.

Recommendation - CCSB should assure itself that all program supervisors use the approved Quality Assurance Review Checklist form when performing audits of staffs' client charts.

Response - The program supervisor for Infant Intervention Services has a completed quality assurance checklist that includes all the universal, standardized criteria of the agency including those individualized for the unique stream of funding received in that program area. Please see attached checklist. (Audit Services did not include the checklist in this Report.) During the annual audit of Infant Intervention Services, scheduled September 2005, the QA Office staff will assure that the program supervisor is utilizing the standardized section of the Quality Assurance Review Checklist.

HIPAA Security Issues

1. Risk Analysis Methodology

Finding - The City had not developed a risk analysis methodology to determine the risks and vulnerabilities to clients' electronic protected health information.

Recommendation - To ensure the safeguard of clients' electronic protected health information, CCSB should assist the Department of Information Technology to expeditiously move towards completion of the outsourcing process for developing a risk analysis.

Response - As of 5/12/05, CCSB has not created a Risk Analysis methodology to determine the risks and vulnerabilities to electronic protected health information. Thus no documentation exists. Prior to May 2005 the City's Information Technology Department approved a Management Analyst position and was in the process of conducting interviews. The Analyst was to do the risk assessment to identify technical and non-technical threats and vulnerabilities to electronic protected health information. However, on 5/12/05, the CCSB MIS Administrator said that they would not hire a management analyst to do this work but would outsource the work regarding the creation, performance and documentation of a risk assessment during the next fiscal year (2006). In addition the outsourced company would implement a process to perform periodic updates to the risk analysis. The MIS Administrator indicated that they would follow the NIST guide exclusively to create the risk assessment. The RFP has been written to contract for the services of a Risk Manager. Once this position has been outsourced we will be able to move forward with the risk analysis and implement a risk methodology that will bring us into compliance with HIPAA.

2. Written Policies and Procedures

Finding - CCSB had not developed written policies and procedures for several administrative and physical safeguards concerning HIPAA security.

Recommendation - CCSB should establish written policies and procedures as required by the HIPAA security standards.

Response - Due to limited resources in funding and staff, we have not been able to further develop and complete HIPAA security policies and procedures.

3. Disaster Recovery Plan Requirements

Finding - CCSB had not completed HIPAA disaster recovery plan requirements for electronic protected health information.

Recommendation - CCSB should work with the City to address its disaster recovery plan needs, hardware and software services, and identify a temporary alternate location.

Response - The CCSB by nature of services provided could continue to function and capture data on paper; the consumers' charts are kept in paper mode, thereby allowing the clinical staff to have access to pertinent data. Any long-term loss of the computer resources in excess of two weeks would disable the CCSB's ability to bill its payers, and access to the City Financial System would not be available, thereby restricting ability to properly pay employees. However, if the disaster event is City wide, where emergency shelters are open, all clinical staff are required to man those sites, so the CCSB would not be able to provide services to consumers until the shelters were closed. The CCSB MIS Administrator will meet with the City's Information Technology Communications Coordinator in late September 2005 to discuss a cooperative effort in the event of disaster.

CHESAPEAKE COMMUNITY SERVICES BOARD PERFORMANCE AUDIT
FISCAL YEAR 2005

Table of Contents

A. Objective, Scope, and Methodology
B. HIPAA Privacy and Security Issues
Appendix A - Responses from Chesapeake Community Services Board Officials
Appendix B - HIPAA Security Standards, Gap Analysis and CCSB Status, as of June 30, 2005

A. Objectives, Scope, and Methodology

We have completed our review of the Chesapeake Community Services Board (CCSB) for the Fiscal Year (FY) Our review was conducted for the purpose of determining whether CCSB was in full compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and other policy and procedures requirements. The review was conducted in accordance with Government Auditing Standards and included such tests of records and other audit procedures as we deemed necessary in the circumstances.

CCSB provided comprehensive community-based services and support to Chesapeake residents with mental health, mental retardation, and/or substance abuse services needs. CCSB services included 24-hour-a-day emergency services and outpatient services to mental health clients; mental retardation services including infant intervention and case management services; and vocational training; and substance abuse services including individual, group, and family counseling and treatment. CCSB was governed by a twelve-member community-based board appointed by the City Council. CCSB employed an Executive Director, an Assistant Director, and Fiscal, Quality Assurance, and Management Information Systems Administrators; Clinicians, Nurses, Counselors, and other medical specialists and support staff. For FY 2005, CCSB had an operating budget of $13,306,495 with over 150 full-time positions. CCSB funding sources included federal, state, and City funds, and client payments.

CCSB must comply with applicable federal, state and City laws and regulations. One such federal law, HIPAA, was enacted in 1996 to improve the Medicare and Medicaid programs by encouraging the development of a health information system through the establishment of standards and requirements to facilitate the exchange, and to protect the privacy and security, of certain health information. Specifically, the U.S. Department of Health & Human Services issued and enforced the HIPAA regulations that required that covered entities, such as CCSB, meet transactions and code sets standards by October 16, 2002, privacy standards by April 14, 2003, and security standards by April 20,

Major Observations and Conclusions

Based on our review and analysis, we have determined that CCSB had made significant and substantial progress in implementing the comprehensive HIPAA standards. Specifically, CCSB had been very effective in meeting the requirements of HIPAA regulations concerning transactions and code sets and privacy of its clients' protected health information and had made substantial progress in meeting the HIPAA security standards.

However, we did identify several areas that CCSB needed to address to assure itself of HIPAA compliance. Specifically, CCSB needed to finalize Business Associate agreements with the Departments of Finance and Information Technology and with the City Treasurer. Also, CCSB had not developed a risk analysis methodology and written policies and procedures, and had not completed disaster recovery backup requirements to fully implement the HIPAA security standards. (See additional details and analysis concerning the HIPAA security standards in Appendix B).

This report, in draft, was provided to CCSB officials for review and response. Their comments have been considered in the preparation of this report. These comments have been included in the Managerial Summary, the Audit Report, and Appendix A. CCSB management and staffs were very helpful throughout the course of this audit, and we appreciate their courtesy and cooperation on this assignment.

Methodology

To determine how well CCSB complied with the HIPAA requirements and standards relating to transactions and code sets, privacy, and security, we reviewed the federal law and corresponding regulations, state requirements, and CCSB policies and procedures. We discussed and documented information from CCSB management and staff and associated City department's officials that related to HIPAA privacy and security requirements. Also, we reviewed, analyzed, and obtained the status of CCSB implementation of report recommendations of KPMG's July 2004 Executive Summary entitled "City of Chesapeake, Fire and Community Services Departments, HIPAA Security Standards Gap Analysis and Strategy Planning Engagement." In addition, we reviewed CCSB administrative and operational processes, documentation, and reports pertaining to quality assurance, reimbursement, budget, privacy, security, and client recordation.

We reviewed Quality Management Services chart review results and follow-up audits conducted in FY 2004 and 2005 to determine the quality of the reviews and the level of compliance with HIPAA standards and CCSB policy and procedures. In addition, we judgmentally selected 5 of 10 supervisors in CCSB's mental health, mental retardation, and substance abuse programs and reviewed their FY 2005 audit results of staffs' client charts for compliance with HIPAA privacy and the related CCSB policy and procedures. Finally, we reviewed documentation to determine the status of CCSB implementing two recommendations presented in our June 2002 report entitled, "Service Practices of the Community Services Board, Preliminary Review."

[Photo: Authorized staff accessing the Management Information System Center where electronic protected client health information was stored.]

[Photo: CCSB Chart Room where clients' charts were filed.]

B. HIPAA Privacy and Security Issues

As previously noted, we have determined that CCSB had made significant and substantial progress in complying with the comprehensive HIPAA standards. Specifically, CCSB has been very effective in meeting the requirements of HIPAA regulations concerning transactions and code sets and privacy of its clients' protected health information. In addition, it has made substantial progress in meeting the HIPAA security standards.

However, we did identify several areas that CCSB needed to address to assure itself of HIPAA compliance. Specifically, CCSB needed to finalize the Business Associate agreements with the Departments of Finance and Information Technology and with the City Treasurer. Also, CCSB had not developed a risk analysis methodology and written policies and procedures, and has not met disaster recovery backup requirements to fully implement the HIPAA security standards. (See additional details and analysis concerning the HIPAA security standards in Appendix B).

HIPAA Privacy Issues

1. Finding - CCSB had not finalized a Memorandum of Understanding with three of its Business Associates - the Departments of Finance and Information Technology and the City Treasurer - as required by HIPAA.

The HIPAA Privacy Rules required that, if a covered entity such as CCSB had business associates that performed services on behalf of the covered entity and received protected health information about clients of the covered entity in the course of performing those services, the covered entity must enter into a written Business Associate Agreement in which the business associate agrees not to disclose the protected health information it received from the covered entity except to the extent permitted under the agreement, consistent with the business associate's services on behalf of the covered entity, and then only as allowed under the HIPAA Privacy Rules. Further, if the covered entity and the business associate were governmental entities, the requirement for a Business Associate Agreement could be satisfied through a Memorandum of Understanding between the government entities. Without a Business Associate Agreement or a Memorandum of Understanding, the covered entity was not authorized under the HIPAA Privacy Rule to disclose protected health information to the Business Associate without the prior written authorization of the client.

However, CCSB had been successful in finalizing a number of Memorandums of Understanding with City departments and its vendors. The City's Departments of Finance and Information Technology and the City Treasurer were Business Associates that had no approved Memorandum of Understanding with CCSB.

The Finance Department's Office of Risk Management (Risk Management) received information from CCSB about any incident occurring within CCSB, or involving CCSB clients, that had the potential for creating a financial obligation or liability for CCSB. Risk Management was responsible for arranging for investigations of such incidents and contacting appropriate insurers and other parties to address and resolve actual and potential claims arising out of such incidents. In addition, from time to time CCSB may purchase services or products for a client, resulting in the name of the client appearing on the purchasing documents from CCSB. Such purchasing documents were processed