Key Takeaways:
- Resumption of HIPAA Audits: HHS OCR will restart random HIPAA audits to ensure compliance with data privacy and security.
- High Failure Rates: Covered entities failed over 80% of past audits in risk analysis and management.
- Enforcement Focus: OCR will prioritize enforcing the HIPAA Security Rule’s risk analysis requirement, especially for smaller organizations.
- Preparation Tips: Organizations should prepare by keeping accurate records, assembling a response team, and responding promptly to audit requests.
HIPAA Audits: HHS OCR to Resume HITECH Act Audits
Originally paused during the COVID-19 pandemic, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced this month that it intends to reinstate random HIPAA audits.
These audits seek to verify HIPAA compliance by healthcare organizations and, in doing so, protect patient privacy and security. The move signals a renewed emphasis on HIPAA compliance and, with it, the prospect of penalties for non-compliance across the healthcare industry.
The results of OCR's previous round of audits, conducted in 2016 and 2017, show why: 86% of covered entities and 83% of business associates failed the risk analysis audit, and 94% of covered entities and 88% of business associates failed the risk management audit.
According to the Director of HHS’ Office for Civil Rights, Melanie Fontes Rainer, the HIPAA Security Rule’s requirement for conducting a risk analysis will be a critical area of enforcement focus. Risk analysis continues to be a significant weakness among many regulated organizations of all sizes, but especially for medium- and smaller-sized organizations. Poor risk analysis practices persist as a major contributing factor to many significant breaches reported to the agency.
When it comes to the OCR's HIPAA audits, some covered entities and business associates are prepared, while many are not. Even some organizations that believe they are in compliance will fall short. If you are a healthcare provider, health plan or healthcare clearinghouse (or you provide services to one), now is the time to take an objective look at the policies and procedures you have in place and evaluate your degree of risk.
What is the OCR HIPAA Audit Program?
By publishing the audit protocol, OCR has given covered entities and business associates considerable insight into the questions they may face if selected for an audit.
The OCR HIPAA Audit program is designed to analyze processes, controls, and policies of selected covered entities and business associates. The OCR has established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.
What Does Protocol Coverage Include?
According to the OCR, the combination of multiple requirements may vary based on the type of covered entity or business associate selected for review. Protocol coverage includes:
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Requirements for the Breach Notification Rule.
The most recent protocol is broad in its coverage, with a total of 180 areas as opposed to 165 in the version used for the original Pilot Audit program.
With this guidance from the OCR, now is the right time for organizations with compliance obligations under HIPAA to reexamine both their adherence to the regulatory standards and their readiness for a possible audit. Scrambling at the last minute to respond to an audit request is not a recipe for success.
How Do We Prepare for an OCR Audit?
The time to prepare for an audit is before you have been selected. If you’ve already been selected, we can still get you ready.
Now is the time to prepare, knowing that you might be called on at some point to show evidence of compliance. Keep in mind that audits are NOT enforcement actions.
What’s the goal of an OCR audit?
The stated goal of the OCR audit program is to gauge overall HIPAA compliance across a wide variety of covered entities and business associates. The data is used by HHS to assess the overall health of cybersecurity in the industry and to identify where additional outreach or education might be necessary. If you are notified that your organization has been chosen for an OCR audit, the following guidelines will assist your response.
If You Are Chosen for an OCR Audit, Mobilize!
Assemble your team. The team should include your privacy and security officials and your organization’s compliance officer (if you have one). It’s also a good idea to notify your internal and/or external legal counsel so they can be kept apprised of all requests from the OCR and responses provided by you to the OCR. Keep your counsel on standby to provide you with guidance if necessary.
Respond completely and in a timely fashion. If you are notified that you have been selected for an audit, you will also receive instructions on how and when to reply. Being unresponsive will only make things worse if the OCR uncovers significant findings of non-compliance. Keep thorough records of all correspondence and submissions during the audit process, and appoint one person to oversee all audit-related communication.
A few additional guidance points from the OCR include:
- Only requested data submitted on time will be assessed.
- All documentation must be current as of the date of the request.
- If yours is a desk audit, auditors will not have the opportunity to contact you for clarification or to request additional information, so it is critical that your documents adequately reflect the program.
- Do not submit extraneous information as it will increase the difficulty for the auditor to assess the required items.
- Failure to submit responses to requests may lead to a referral for regional compliance review.
- Craft responses carefully and don’t be bashful about questioning findings that you believe to be inaccurate. Historically, the OCR has allowed organizations to respond to identified issues.
Be prepared to justify your position with facts and explain your rationale for decisions about your compliance and security strategy. There are many areas where HIPAA’s lack of specific direction works in your favor, assuming you can demonstrate a thoughtful and reasonable approach to complying with all standards.
Hopefully, your OCR audit will go smoothly. If you have done a good job addressing compliance standards and building out your security program, the report will require little or no follow-up. If not, you may be subject to voluntary compliance activities or a more in-depth compliance review.
Compliance reviews that identify significant issues may require additional corrective action or lead to resolution agreements. In these cases, it’s advisable to engage attorneys and consultants who are well-versed in working with the OCR.
If your OCR audit is part of the ongoing OCR audit program, be aware that the purpose of the random audits is to gauge the compliance of the larger population. Not just you. The OCR has been charged with educating and equipping organizations with compliance strategies, and part of that mission necessarily includes a certain number of audits to find out how organizations are performing.
An OCR Audit Preparation Checklist
Here’s what your business will want to have prepared if you are selected for an OCR audit:
- Conduct a comprehensive risk analysis.
- Provide evidence of a risk management plan, including a list of known risks and strategies for addressing them.
- Record policies, processes, and explanations of their application.
- Keep inventory of business associates, along with pertinent contracts and Business Associate Agreements (BAAs).
- Account for ePHI storage locations, covering internal storage, printouts, mobile devices, media, and third parties.
- Monitor mobile devices and media, such as thumb drives, CDs, and backup tapes.
- Document breach reporting policies and provide records of responses to breaches.
- Record security training sessions that have been conducted.
- Show evidence of encryption capabilities for protecting sensitive information.
The OCR expects organizations to evaluate their procedures and the safety of ePHI with a high degree of objectivity. If you are introducing new business strategies, installing new information systems, or targeting new markets, you will be required to analyze the associated risks for each initiative.
In their pilot program, the OCR found that two-thirds of the organizations audited lacked a complete and accurate risk analysis.
To ensure compliance and safeguard your organization, it is crucial to conduct a thorough and precise risk analysis. Taking these steps now can help you avoid being part of that statistic and better prepare for an OCR audit. Prioritize your risk management efforts to protect your ePHI and maintain the integrity of your operations.
Justifying Your Level of Data Security
While HIPAA security compliance has a basic set of tenets that are non-negotiable, each organization has a certain amount of leeway as to how to incorporate these requirements into their own HIPAA security compliance strategy. In other words, the choices you make about compliance will be up to you.
HIPAA security compliance has a degree of flexibility built into it, as the law was designed to allow organizations of all sizes to optimize resources and provide adequate protections based on risk. The ability of any given covered entity or business associate to put controls in place will differ based on size, the nature of the data, technology constraints and budget limitations. But while the HIPAA rules tend to take into consideration your organization’s constraints, every decision you make needs to be one that you can justify.
OCR Audits: Balancing Compliance and Risk
Ultimately, the security safeguards you choose and the level at which they are applied will be based on how you have assessed your risk in any given area. Take, for example, Automatic Logoff, an addressable implementation specification under the Security Rule's Access Control standard. Since many applications lack a native Automatic Logoff capability, and in some care settings it would be inappropriate to log a user out entirely, many organizations rely instead on session timeouts or automatic screensavers that blank the screen after a period of inactivity and require the user to re-enter a password to regain access. The goal is to keep unauthorized parties from viewing health information at unattended workstations.
The risk of this kind of exposure varies widely with the setting, location and positioning of each workstation. Suppose you are an authorized user in an exam room, recording a patient's vitals and history, and you step out to get a verification from one of the doctors. Ideally, you remember to lock your screen. But what if you forget? In this scenario, a short timeout is best, so that the patient cannot start scrolling through his own record, or anybody else's. Timeouts, however, need to be weighed against adequate patient care.
If the same scenario were taking place in the emergency room, short timeouts could delay the response to a patient. And what about a workstation on a rolling cart? Left unattended, it invites anyone walking by to see what is on the screen, so here again a short timeout is probably warranted, unless procedure dictates that a cart is never left without authorized personnel in attendance except when it is behind the nurses' station.
In that case, as long as your staff is well trained, you might choose a longer timeout for the sake of convenience. Whatever you decide, you will want a justifiable rationale for the internal standards you choose. When in doubt, adhere to the industry standard of care for each requirement. If you plan to depart from the norm, it is especially important to have a well-documented reason why.
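The workstation-timeout discussion above comes down to a per-setting policy plus a documented justification for every exception. The following is an added example, not code from the original article or from LBMC, showing how a privacy or security officer might check an inventory of workstation lock settings against such a policy and produce the kind of exception list an auditor would ask for. The care-setting tiers, the timeout limits, the hostnames and the policy reference in the justification text are all constructed assumptions; a real program would take them from its own risk analysis.

```python
"""Check workstation idle-lock (Automatic Logoff) settings against a risk-based policy.

Added example. The tiers, limits and inventory below are constructed for
illustration and are not OCR, HIPAA or LBMC values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy: longest acceptable idle time (seconds) before the screen locks,
# per care setting. Shorter timeouts suit settings where an unattended screen is
# exposed; the emergency department tier is longer because short lockouts would
# impede urgent care, which the risk analysis must document.
POLICY_MAX_IDLE_SECONDS: Dict[str, int] = {
    "exam_room": 120,       # patient may be left alone with the workstation
    "rolling_cart": 120,    # passers-by can read the screen
    "nurses_station": 600,  # staffed area; carts kept behind the counter
    "emergency_dept": 900,  # speed of access outweighs exposure; other controls apply
}


@dataclass
class Workstation:
    host: str
    setting: str
    idle_seconds: int              # configured lock timeout; 0 means lock disabled
    lock_requires_password: bool   # blanking the screen alone is not enough
    justification: Optional[str] = None   # documented reason for exceeding the limit


@dataclass
class Finding:
    host: str
    severity: str   # "ok", "deviation" (justified), or "fail"
    detail: str


def evaluate(ws: Workstation, policy: Dict[str, int] = POLICY_MAX_IDLE_SECONDS) -> Finding:
    """Classify one workstation: compliant, a justified deviation, or a failure."""
    if ws.setting not in policy:
        # A setting the risk analysis never considered cannot have been assessed.
        return Finding(ws.host, "fail", f"care setting {ws.setting!r} not covered by the risk analysis")
    if not ws.lock_requires_password:
        # The control's intent is to stop viewing by unauthorized parties; a lock
        # that clears without re-authentication does not do that.
        return Finding(ws.host, "fail", "screen lock does not require re-authentication")
    if ws.idle_seconds <= 0:
        return Finding(ws.host, "fail", "idle lock disabled")
    limit = policy[ws.setting]
    if ws.idle_seconds <= limit:
        return Finding(ws.host, "ok", f"{ws.idle_seconds}s within {limit}s limit for {ws.setting}")
    if ws.justification:
        # Longer than the standard for this setting, but a documented, reasoned decision.
        return Finding(ws.host, "deviation", f"{ws.idle_seconds}s exceeds {limit}s; justified: {ws.justification}")
    return Finding(ws.host, "fail", f"{ws.idle_seconds}s exceeds {limit}s for {ws.setting} with no documented justification")


def audit(inventory: List[Workstation]) -> List[Finding]:
    return [evaluate(ws) for ws in inventory]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"ok": 0, "deviation": 0, "fail": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory; hostnames and the procedure number are illustrative only.
SAMPLE_INVENTORY: List[Workstation] = [
    Workstation("EXAM-01", "exam_room", 90, True),
    Workstation("ED-TRIAGE-02", "emergency_dept", 600, True),
    Workstation("CART-07", "rolling_cart", 600, True,
                justification="Procedure NUR-014: cart never left unattended outside the nurses' station"),
    Workstation("CART-08", "rolling_cart", 600, True),          # same setting, no justification
    Workstation("NS-03", "nurses_station", 300, False),          # blanks screen but no password
    Workstation("LAB-01", "laboratory", 120, True),              # setting missing from policy
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.severity:9} {f.host:14} {f.detail}")
    print(summarize(results))
```

The "deviation" bucket is the point of the exercise: CART-07 and CART-08 have identical settings, but only one of them can be defended in an audit, because only one has its reasoning written down. Running a check like this before an audit request arrives gives you the exception list to either remediate or document.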
OCR Audits: Making Decisions on Security Safeguards
Here are the basics for you to keep in mind as you examine the rules and make your decisions about getting ready for the upcoming OCR audits:
- Industry standards: Consider the industry standards for any decision you make. A framework like the Health Information Trust Alliance (HITRUST) can help you do this. HITRUST is more prescriptive than HIPAA and provides recommendations about password length, timeouts etc. NIST has also published a guide on complying with the Security Rule (NIST SP 800-66) that may be helpful.
- Environment: Consider your own work environment. What’s unique about it? Is it riskier than other environments? Less so? You may need to actually exceed industry standards, or if you are in a low-risk environment, you might be able to go below them. In all cases, you will still need to address and meet the required standards and implementation specifications of the Security Rule.
- Documentation: Document justification for each decision you make. OCR audits take into consideration how well you’ve documented the reasoning behind each of them.
All-Inclusive Solutions for Growth and Healthcare Compliance
Running a profitable company is a business necessity; regulatory compliance is a legal mandate. A strong information security program gives your executive team a clear understanding of the risks your company faces and guides its decisions accordingly. LBMC Cybersecurity distinguishes itself by offering practical, reasonably priced solutions tailored to your particular risk scenario, producing real outcomes and a clear return on investment.
LBMC Cybersecurity excels at helping healthcare companies achieve compliance while supporting growth. Our team of data security professionals has deep knowledge of advanced data security solutions, organizational procedures, and healthcare regulatory policy. Our services include risk assessments, penetration testing, HIPAA and HITRUST assessments, SOC 1 and SOC 2 audits with HIPAA mapping, security program consulting, CMS information security, GDPR and ACAB assessments, intrusion detection and prevention, and vulnerability management.
Ready to discuss your security concerns? Contact our team to ensure your healthcare organization is protected and compliant.
Content provided by Adam Nunn and Garrett Zickgraf, LBMC Cybersecurity.
