When it comes to the OCR’s HIPAA audits, some covered entities and business associates are prepared, while many are not. Even some organizations that think they’re in compliance will fall short. If you are a healthcare provider, health plan or healthcare information clearinghouse (or you provide services to them), now is the time to take an objective look at the policies and procedures you have in place and evaluate your degree of risk.

Our free guide, OCR Audits Demystified, features:

  • A Compliance Primer: HIPAA and OCR Audits
  • Myths About Healthcare Security Compliance
  • 5 Steps to Bolster Your OCR Audit Readiness
  • HIPAA Security Compliance and OCR Audits: Justifying Your Level of Data Security
  • OCR Audits for Compliance: Gearing Up
  • What to Do If You Are Selected for an OCR Audit

Not sure where to start? This guide provides a framework for how to prepare for an OCR audit.

Justifying Your Level of Data Security

While HIPAA security compliance has a basic set of tenets that are non-negotiable, each organization has a certain amount of leeway as to how to incorporate these requirements into their own HIPAA security compliance strategy. In other words, the choices you make about compliance will be up to you.

HIPAA security compliance has a degree of flexibility built into it, as the law was designed to allow organizations of all sizes to optimize resources and provide adequate protections based on risk. The ability of any given covered entity or business associate to put controls in place will differ based on size, the nature of the data, technology constraints and budget limitations. But while the HIPAA rules tend to take into consideration your organization’s constraints, every decision you make needs to be one that you can justify.

OCR Audits: Balancing Compliance and Risk

Ultimately, the security safeguards you choose and the level at which they are applied will be based on how you’ve assessed your risk in any given area. Take, for example, the requirement for Automatic Logoff, an addressable standard under the Security Rule. Since many applications lack the capability for Automatic Logoff—and in some care settings it wouldn’t be appropriate to automatically log a user off—many organizations rely on session timeouts or automatic screensavers that make the screen go blank after a period of inactivity. To regain access, a user must enter a password. The goal is to keep unauthorized parties from viewing health information at unattended workstations.

The risk of this kind of exposure varies widely, depending on the setting, location and positioning of each workstation. For example, let’s say you are an authorized person in an exam room who is responsible for recording a patient’s vitals and history. You step out of the room to get some type of verification from one of the doctors. Ideally, you will remember to lock your workstation. But what if you forget? In this scenario, it might be best to have your workstation set to time out quickly so that your patient can’t start scrolling through his—or anybody else’s—patient record. But timeouts need to be weighed against adequate patient care.

If the scenario above were taking place in the emergency room, short timeouts could be detrimental to responding to a patient in a timely fashion. And what about a workstation on a rolling cart? Left unattended, anyone walking by is invited to see what’s on the screen. Here again, we might be looking at a short timeout.

That is, unless procedure dictates that a cart is never left without authorized personnel in attendance except when it’s behind the nurses’ station. In this case, as long as your staff is well-trained, you might want to set your timeouts longer for the sake of convenience. Regardless of your decision, you will want a justifiable rationale for the internal standards you choose. When in doubt, it’s best to adhere to the industry standard of care for each requirement. If you are planning to stray from the norm, it’s especially important that you have a well-documented reason as to why.

OCR Audits: Making Decisions on Security Safeguards

Here are the basics for you to keep in mind as you examine the rules and make your decisions about getting ready for the upcoming OCR audits:

  1. Industry standards: Consider the industry standards for any decision you make. A framework like the Health Information Trust Alliance (HITRUST) can help you do this. HITRUST is more prescriptive than HIPAA and provides recommendations about password length, timeouts, etc. NIST has also published a guide on complying with the Security Rule (NIST SP 800-66) that may be helpful.
  2. Environment: Consider your own work environment. What’s unique about it? Is it riskier than other environments? Less so? You may need to actually exceed industry standards, or, if you are in a low-risk environment, you might be able to go below them. In all cases, you will still need to address and meet the required standards and implementation specifications of the Security Rule.
  3. Documentation: Document justification for each decision you make. OCR audits take into consideration how well you’ve documented the reasoning behind each of them.
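The timeout scenarios above (exam room, emergency room, rolling cart, nurses’ station) and the three decision steps just listed can be expressed as a small policy-as-code check: every workstation class records its chosen idle timeout, and any value that departs from the organization’s adopted baseline must carry a written justification, with a compensating control required where a high-exposure workstation is given a longer timeout. The following Python module is an added example written for this article, not code from the guide, HIPAA, HITRUST or NIST SP 800-66; the baseline value, the workstation classes, the exposure scale and every timeout figure are constructed placeholders, not recommended settings.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed organisational baseline in seconds (placeholder, not a figure
# taken from HIPAA, HITRUST or NIST SP 800-66).
BASELINE_TIMEOUT_SECONDS = 600


@dataclass(frozen=True)
class WorkstationPolicy:
    """One class of workstation and the idle-timeout decision made for it."""
    name: str
    timeout_seconds: int
    exposure: str                                # constructed scale: "high", "medium", "low"
    justification: str = ""                      # why this value was chosen
    compensating_controls: Tuple[str, ...] = ()  # e.g. a written attendance procedure


def deviates_from_baseline(policy: WorkstationPolicy) -> bool:
    """True when the chosen timeout is not the organisation's adopted baseline."""
    return policy.timeout_seconds != BASELINE_TIMEOUT_SECONDS


def policy_findings(policy: WorkstationPolicy) -> List[str]:
    """Return audit findings for a single workstation class (empty list = OK)."""
    findings: List[str] = []
    if policy.timeout_seconds <= 0:
        findings.append(f"{policy.name}: timeout must be a positive number of seconds")
    # Straying from the norm is allowed, but only with a documented reason.
    if deviates_from_baseline(policy) and not policy.justification.strip():
        findings.append(
            f"{policy.name}: timeout {policy.timeout_seconds}s differs from the "
            f"{BASELINE_TIMEOUT_SECONDS}s baseline with no documented justification"
        )
    # A longer timeout on a high-exposure workstation needs something else
    # holding the risk down (a procedure, staff training, physical placement).
    if (policy.exposure == "high"
            and policy.timeout_seconds > BASELINE_TIMEOUT_SECONDS
            and not policy.compensating_controls):
        findings.append(
            f"{policy.name}: high-exposure workstation has a longer-than-baseline "
            "timeout but no compensating control is recorded"
        )
    return findings


def audit(policies: List[WorkstationPolicy]) -> Dict[str, List[str]]:
    """Map each workstation class to its list of findings."""
    return {p.name: policy_findings(p) for p in policies}


def ready_for_audit(policies: List[WorkstationPolicy]) -> bool:
    """True only when every decision is either the baseline or fully justified."""
    return all(not findings for findings in audit(policies).values())


# Constructed sample set mirroring the article's scenarios; all values are made up.
SAMPLE_POLICIES = [
    WorkstationPolicy("exam-room", 120, "high",
                      "Patient is alone with the screen when staff step out."),
    WorkstationPolicy("emergency-room", 900, "high",
                      "Short timeouts delay time-critical care; area is staff-only.",
                      compensating_controls=("staff-only area", "physical access control")),
    WorkstationPolicy("rolling-cart-hallway", 120, "high",
                      "Cart is visible to anyone passing in the corridor."),
    WorkstationPolicy("rolling-cart-nurses-station", 900, "medium",
                      "Procedure requires an authorized person in attendance outside the station.",
                      compensating_controls=("written attendance procedure", "staff training")),
    WorkstationPolicy("billing-office", 600, "low"),        # baseline: no justification needed
    WorkstationPolicy("break-room-kiosk", 1800, "medium"),  # deviates, undocumented: a finding
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(name, "OK" if not findings else findings)
    print("ready for audit:", ready_for_audit(SAMPLE_POLICIES))
```

Run as a script, the module reports one finding, for the undocumented break-room kiosk, and `ready_for_audit` returns False until that entry either reverts to the baseline or gains a justification. The point of the structure is that the justification travels with the setting, so the reasoning an auditor asks about is already on record rather than reconstructed afterwards.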