With the publishing of the audit protocol by the OCR, HHS is providing healthcare providers and business associates great insight into the questions they may face if selected for an audit.
The OCR HIPAA Audit program is designed to analyze processes, controls, and policies of selected covered entities and business associates. The OCR has established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. According to the OCR, the combination of these multiple requirements may vary based on the type of covered entity or business associate selected for review. Protocol coverage includes:
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Requirements for the Breach Notification Rule.
It is still expected that the upcoming round(s) of audits will be based a combined approach of “desk audits” that will be performed remotely and more comprehensive on-site audits for a more limited selection of entities. The new protocol is somewhat broader in its coverage with a total of 180 areas as opposed to 165 in the version used for the Pilot Audit program.
With this new guidance from the OCR, this is a perfect time for organizations with compliance obligations under HIPAA to reexamine their adherence to the regulatory standards as well as their readiness for a possible audit. Scrambling at the last hour to respond to an audit request is not a recipe for success.
What to Do if You are Selected for an OCR Audit?
The time to prepare for an audit is before you have been selected. Now is the time to prepare, knowing that you might be called on at some point to show evidence of compliance. Keep in mind, audits are NOT enforcement actions. The stated goal of the audit program is to gauge overall HIPAA compliance across a wide variety of covered entities and business associates. The data will be used by HHS to assess the overall health of information security in the industry and to identify where additional outreach or education might be necessary. If you are notified that your organization has been chosen for an OCR audit, the following provides guidelines as to what you will want to do.
If You Are Chosen for an OCR Audit, Mobilize!
Assemble your team. The team should include your privacy and security officials and your organization’s compliance officer (if you have one). It’s also a good idea to notify your internal and/or external legal counsel so they can be kept apprised of all requests from the OCR and responses provided by you to the OCR. Keep your counsel on standby to provide you with guidance if necessary.
Respond completely and in a timely fashion. If you are notified that you have been selected for an audit, you will also get instructions on how and when to reply. There is documented evidence that being unresponsive will only make things worse for you if the OCR uncovers significant findings of non-compliance. Make sure you keep thorough records of all transactions during the audit process, and it’s a good idea to appoint one person to be in charge of all audit-related correspondence.
A few additional guidance points from the OCR include:
- Only requested data submitted on time will be assessed.
- All documentation must be current as of the date of the request.
- If yours is a desk audit, auditors will not have the opportunity to contact you for clarification or to request additional information, so it is critical that your documents adequately reflect the program.
- Do not submit extraneous information as it will increase the difficulty for the auditor to assess required items.
- Failure to submit responses to requests may lead to referral for regional compliance review.
Craft responses carefully and don’t be bashful about questioning findings that you believe to be inaccurate. Historically, the OCR has allowed organizations to respond to identified issues. Be prepared to justify your position with facts and to explain your rationale for decisions you have made about your compliance and security strategy. There are many areas where HIPAA’s lack of specific direction works in your favor, assuming you can demonstrate a thoughtful and reasonable approach to complying with all of the standards. Hopefully, your OCR audit will go smoothly. If you have done a good job addressing compliance standards and building out your security program, the report will require little or no follow up. If not, you may be subject to voluntary compliance activities or to a more in-depth compliance review. Compliance reviews that identify significant issues may require additional corrective action or may lead to resolution agreements. In these cases, it’s advisable to engage attorneys and consultants who are well-versed in working with the OCR.
If your OCR audit is part of the ongoing OCR audit program, be aware that the purpose of the random audits is to gauge the compliance of the larger population. Not just you. The OCR has been charged with educating and equipping organizations with compliance strategies, and part of that mission necessarily includes a certain number of audits to find out how organizations are performing.
An OCR Audit Preparation Checklist
Here’s what you will want to be prepared with if you are selected for an audit:
- Risk analysis
- Evidence of a risk management plan (e.g. list of known risks and how you are dealing with them)
- Policies and procedures and descriptions as to how they were implemented
- Inventories of business associates and the relevant contracts and BAAs
- An accounting of where ePHI is stored (internally, printouts, mobile devices and media, third parties)
- How you monitor mobile devices and mobile media (thumb drives, CDs, backup tapes)
- Documentation on breach reporting policies and how you have responded to breaches
- A record of security training that has taken place
- Evidence of encryption capabilities
The OCR will be expecting organizations to assess their own procedures and the commensurate safety of ePHI with a high degree of objectivity. If you are introducing new business strategies, installing new information systems or targeting new markets, you will be expected to analyze your risk for each initiative. In their pilot program, the OCR found that two-thirds of the organizations they audited did not have a complete and accurate risk analysis.
This time around, we would encourage you not to be one of those.