Key Takeaways:

  • Resumption of HIPAA Audits: HHS OCR will restart random HIPAA audits to ensure compliance with data privacy and security.
  • High Failure Rates: Covered entities failed over 80% of past audits in risk analysis and management.
  • Enforcement Focus: OCR will prioritize enforcing the HIPAA Security Rule’s risk analysis requirement, especially for smaller organizations.
  • Preparation Tips: Organizations should prepare by keeping accurate records, assembling a response team, and responding promptly to audit requests.

HHS OCR to Resume HITECH Act HIPAA Audits

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced plans to reinstate random HIPAA audits this month, which it had paused due to the pandemic.

These audits aim to ensure healthcare entities comply with HIPAA regulations, safeguarding patient data privacy and security. The move indicates a renewed focus on HIPAA enforcement, signaling potential consequences for non-compliance in the healthcare sector.

During OCR’s last round of audits, conducted between 2016 and 2017, 86% of covered entities and 83% of business associates failed the risk analysis audit, while 94% of covered entities and 88% of business associates failed the risk management audit.

According to the Director of HHS’ Office for Civil Rights, Melanie Fontes Rainer, the HIPAA Security Rule’s requirement for conducting a risk analysis will be a critical area of enforcement focus. Risk analysis continues to be a significant weakness among many regulated organizations of all sizes, but especially for medium- and smaller-sized organizations. Poor risk analysis practices persist as a major contributing factor to many significant breaches reported to the agency.

What is the OCR HIPAA Audit Program?

By publishing the audit protocol, the OCR gave healthcare covered entities and business associates significant insight into the questions they may face if selected for an audit.

The OCR HIPAA Audit program is designed to analyze processes, controls, and policies of selected covered entities and business associates. The OCR has established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.

What Does Protocol Coverage Include?

According to the OCR, the combination of multiple requirements may vary based on the type of covered entity or business associate selected for review. Protocol coverage includes:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Requirements for the Breach Notification Rule.

The most recent protocol is broad in its coverage, with a total of 180 areas as opposed to 165 in the version used for the original Pilot Audit program.

With this guidance from the OCR, now is a perfect time for organizations with compliance obligations under HIPAA to reexamine their adherence to the regulatory standards as well as their readiness for a possible audit. Scrambling at the last minute to respond to an audit request is not a recipe for success.

How Do We Prepare for an OCR Audit?

The time to prepare for an audit is before you have been selected. If you’ve already been selected, we can still get you ready.

Now is the time to prepare, knowing that you might be called on at some point to show evidence of compliance. Keep in mind that audits are NOT enforcement actions.

What’s the goal of an OCR audit?

The stated goal of the OCR audit program is to gauge overall HIPAA compliance across a wide variety of covered entities and business associates. The data is used by HHS to assess the overall health of cybersecurity in the industry and to identify where additional outreach or education might be necessary. If you are notified that your organization has been chosen for an OCR audit, the following guidelines will assist your response.

If You Are Chosen for an OCR Audit, Mobilize!

Assemble your team. The team should include your privacy and security officials and your organization’s compliance officer (if you have one). It’s also a good idea to notify your internal and/or external legal counsel so they can be kept apprised of all requests from the OCR and responses provided by you to the OCR. Keep your counsel on standby to provide you with guidance if necessary.

Respond completely and in a timely fashion. If you are notified that you have been selected for an audit, you will also get instructions on how and when to reply. There is documented evidence that being unresponsive will only make things worse for you if the OCR uncovers significant findings of non-compliance. Make sure you keep thorough records of all transactions during the audit process, and it’s a good idea to appoint one person to oversee all audit-related correspondence.

A few additional guidance points from the OCR include:

  • Only requested data submitted on time will be assessed.
  • All documentation must be current as of the date of the request.
  • If yours is a desk audit, auditors will not have the opportunity to contact you for clarification or to request additional information, so it is critical that your documents adequately reflect the program.
  • Do not submit extraneous information as it will increase the difficulty for the auditor to assess the required items.
  • Failure to submit responses to requests may lead to a referral for regional compliance review.

Craft responses carefully and don’t be bashful about questioning findings that you believe to be inaccurate. Historically, the OCR has allowed organizations to respond to identified issues.

Be prepared to justify your position with facts and explain your rationale for decisions about your compliance and security strategy. There are many areas where HIPAA’s lack of specific direction works in your favor, assuming you can demonstrate a thoughtful and reasonable approach to complying with all standards.

Hopefully, your OCR audit will go smoothly. If you have done a good job addressing compliance standards and building out your security program, the report will require little or no follow-up. If not, you may be subject to voluntary compliance activities or a more in-depth compliance review.

Compliance reviews that identify significant issues may require additional corrective action or lead to resolution agreements. In these cases, it’s advisable to engage attorneys and consultants who are well-versed in working with the OCR.

If your OCR audit is part of the ongoing OCR audit program, be aware that the purpose of the random audits is to gauge the compliance of the larger population, not just your organization. The OCR has been charged with educating and equipping organizations with compliance strategies, and part of that mission necessarily includes a certain number of audits to find out how organizations are performing.

An OCR Audit Preparation Checklist

Here’s what your business will want to have prepared if you are selected for an OCR audit:

  1. Conduct a comprehensive risk analysis.
  2. Provide evidence of a risk management plan, including a list of known risks and strategies for addressing them.
  3. Document policies, procedures, and descriptions detailing their implementation.
  4. Maintain inventories of business associates, along with relevant contracts and Business Associate Agreements (BAAs).
  5. Account for ePHI storage locations, covering internal storage, printouts, mobile devices, media, and third parties.
  6. Monitor mobile devices and media, such as thumb drives, CDs, and backup tapes.
  7. Document breach reporting policies and provide records of responses to breaches.
  8. Record security training sessions that have been conducted.
  9. Show evidence of encryption capabilities for protecting sensitive information.

The OCR expects organizations to evaluate their procedures and the safety of ePHI with a high degree of objectivity. If you are introducing new business strategies, installing new information systems, or targeting new markets, you will be required to analyze the associated risks for each initiative.

In their pilot program, the OCR found that two-thirds of the organizations audited lacked a complete and accurate risk analysis.

To ensure compliance and safeguard your organization, it is crucial to conduct a thorough and precise risk analysis. Taking these steps now can help you avoid being part of that statistic and better prepare for an OCR audit. Prioritize your risk management efforts to protect your ePHI and maintain the integrity of your operations.

Comprehensive Solutions for Healthcare Compliance and Growth

While regulatory compliance is mandatory, so is operating a successful business. A robust information security program provides essential insights into the risks your organization faces, allowing your executive team to make informed decisions. LBMC Cybersecurity stands out by offering practical, cost-effective solutions tailored to your specific risk environment, leading to real results and a measurable return on investment.

LBMC Cybersecurity excels in helping healthcare organizations achieve compliance while supporting growth. Our team of data security experts has in-depth knowledge of healthcare regulatory policies, organizational processes, and advanced data security solutions. Our comprehensive services include risk assessments, penetration testing, HIPAA and HITRUST assessments, SOC 1 and 2 audits with HIPAA mapping, security program consulting, CMS information security, GDPR and ACAB assessments, intrusion detection and prevention, and vulnerability management.

Ready to discuss your security concerns? Contact our team to ensure your healthcare organization is protected and compliant.

Content provided by Adam Nunn and Garrett Zickgraf, LBMC Cybersecurity.