In March of 2014, the Office for Civil Rights (OCR) announced that HIPAA audits would start in the fall of 2014. To date, no audits have taken place, and as of this writing, the audit program is still on hold. That said, the OCR is gearing up for the pre-selection process and has announced that audits will commence when the audit portals and project management software are completed.
Like the start-date, the exact number and types (desk vs. on-site) of audits has been in a state of flux. All indicators, however, point to significantly more than the 115 that were selected as part of the pilot audit program of 2011/2012. Participants will include health plans, healthcare providers and clearinghouses (covered entities), and in a second round, a cross section of business associates.
For some healthcare organizations, submitting to an OCR audit will be challenging at best. The HIPAA audit pilot program revealed an egregious lack of attention to HIPAA rules and regulations across the industry. As a result, the 2015 OCR Audit participants can expect a particular focus on areas that had the most significant observations and findings in 2012: lack of risk assessments; attention to media movement and disposal; and institution of audit controls and monitoring.
But even if an entity has been reasonably attentive to compliance, it still behooves them to do some upfront research on what to expect should they be selected.
How to respond
The OCR has not been particularly forthcoming with information on the upcoming audits, so it’s up to individual organizations to interpret what to expect and how to prepare. But the OCR has indicated that — unlike the 2012 pilot program — the audits will be conducted by OCR personnel rather than by a third party. And unlike last time, the audits will lean more heavily toward desk audits, with onsite audits occurring on a case-by-case basis.
According to information in presentations from Department of Health and Human personnel, here is what audited entities need to be aware of:
1. Data request will specify content and file organization, file names and any other document submission requirements.
2. Only requested data submitted on time will be assessed.
3. All documentation must be current as of the date of the request.
4. Auditors will not have opportunity to contact the entity for clarification or to ask for additional information, so it is critical that the documents accurately reflect the program.
5. Submitting extraneous information may increase difficulty for auditor to find and assess the required items.
6. Failure to submit response to requests may lead to referral for regional compliance review.
Document submissions will be no small task, so gathering necessary evidence up front will minimize disruption to day-to-day operations.
Getting ahead of OCR
Once an organization receives notification, it should immediately mobilize. If subsequently chosen to submit to an audit, participants will only have a short time to respond. The following provides basic steps for a strategic OCR Audit plan:
Gather a team. Privacy and security officials should be assigned to a task force responsible for handling audit requests. It’s also a good idea to notify internal or external legal counsel to keep them on stand-by should guidance be necessary.
Follow guidelines on how to respond. The OCR will provide specific instructions on how and when to respond. The OCR will not look favorably on a delayed response, and if unrequested documentation is submitted, it can be used in all observations and findings.
Here are some of the areas the OCR audits will cover:
1. Risk analysis
2. Evidence of a risk management plan (e.g. list of known risks and how they are being dealt with)
3. Policies and procedures and descriptions as to how they were implemented
4. Inventories of business associates and the relevant contracts and BAAs
5. An accounting of where electronic protected health information (ePHI) is stored (internally, printouts, mobile devices and media, third parties)
6. How mobile devices and mobile media (thumbdrives, CD’s, backup tapes) are secured and tracked
7. Documentation on breach reporting policies and incident response policies and procedures
8. A record of security training that has taken place
9. Evidence of encryption capabilities
Question findings if they appear to be inaccurate. Historically, the OCR has allowed organizations to respond to observations and findings. Organizations that have documented all compliance decisions will fare better when trying to defend their position. There are many areas where HIPAA lacks specific direction; the ability to demonstrate a thoughtful and reasonable approach (in writing) will tend to be viewed favorably.
By preparing up front and responding in a timely fashion, most OCR audits should progress fairly smoothly. For organizations that have instituted a reasonably compliant security program, there may be little or no follow-up.
If there are a significant number of observations and findings, an organization may be subject to voluntary compliance activities, or a more in-depth compliance review. Should an in-depth review uncover significant issues, additional corrective action must be taken and/or fines may be imposed.
Mark Fulford is a Partner in LBMC’s Information Security practice group. LBMC is a top 50 Accounting & Consulting firm based in Brentwood, Tennessee.
As featured in Government Health IT.