OCR Audits

Widespread adoption of health information technology has improved care coordination, but also puts consumer privacy increasingly at risk. As more patient medical records are stored and shared digitally, the greater the chance of accidental exposure or intentional information theft of this protected health information (PHI).

To address the threat of compromised PHI, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) set U.S. standards for privacy and security of PHI, as well as consumer notification protocols in the event of a breach. HITECH also requires the U.S. Department of Health and Human Services (HHS) to enforce HIPAA compliance by periodically auditing covered entities and business associates (BAs) through HHS’s Office of Civil Rights (OCR).

The HIPAA final omnibus rule,¹ which strengthened PHI safeguards and the government’s ability to enforce the law, took effect last September. Under this rule, covered entities are subject to random OCR audits, and BAs will be audited beginning in 2015.

Audits Are Preventive Undertakings

It’s important for every covered entity to understand that the function of OCR audits is not to discover HIPAA violations and levy fines, but rather to determine compliance with HIPAA regulations and to help identify gaps in an organization’s privacy and security program that increase the risk of accidental breaches or disclosures.

In a 2011-2012 OCR pilot project that included audits of 115 covered entities, two-thirds of those audited were found not to have performed internal risk assessments, and the most common cause of non-compliance was simply a lack of awareness of applicable HIPAA requirements. Findings from the pilot project helped shape the OCR audit program’s focus and its efforts to encourage best practices.

There is good reason to put those best practices in place. Any actual disclosure or compromise resulting from privacy and security program deficiencies – which the audits are designed to correct – can result in fines of up to $1.5 million per incident. Such consequences make it prudent for every covered entity to view an OCR audit as an opportunity to improve its compliance and security program now.

Establishing a Team for Organizational Assessment

The first step in audit readiness is to form an audit committee. As readiness policies and procedures for securing PHI reach across an organization, the audit committee should include:

• the CIO, plus the CEO or CFO for high-level sensitivity to timeliness and urgency;
• the human resources education manager, who is ultimately responsible for employee training and awareness;
• representatives from nursing and physician staffs;
• privacy, compliance and security officers; and
• legal counsel, who may be asked to provide interpretations of compliance rules.

The first order of business for the audit committee is to identify all elements in the OCR HIPAA Audit Program Protocol² that apply to their operation, and to assign responsibility for ensuring compliance in each area to appropriate team members.

The audit committee should also conduct an organizational assessment to identify gaps in your security policies or procedures and to determine if existing policies are being followed. The assessment and gap analysis will help pinpoint those areas that need updating to improve compliance. While no security program is ever completely airtight, it’s important to identify as many risks as possible and make a concerted effort to reduce them.

As a final step, the audit committee should identify two or three members who will meet face-to-face with OCR representatives should an audit occur.

Refocus Training, Awareness & Education

As the OCR pilot-project audits revealed, HIPAA noncompliance most often resulted from a simple lack of awareness. The importance of staff training and education to improve compliance cannot be overstated. All staff members who handle PHI work should receive job-specific training to help them understand how to best handle and protect sensitive information. Training should be broken down into digestible segments that make it clear which HIPAA requirement is being addressed, and those who complete training courses should be tested to ensure comprehension. In addition, once training is completed, staff members should sign a form documenting that they understand all the compliant privacy and security practices related to their jobs. Should a breach still occur, a training log that records this activity will assist with risk mitigation and reduction in OCR fines and penalties.

Conducting a Mock Audit & Formalizing a Method for Audit Tracking

The completion of training is an opportune time to conduct an internal mock audit to assess readiness and uncover lingering issues that still need attention. The compliance officer is a good candidate to lead the mock audit, and it can be helpful to choose one of the audit-tracking software packages available to help organize the effort and document its findings.

Covered entities that complete this step with an eye toward real discovery will find it invaluable not only for audit readiness, but in improving overall compliance by uncovering shortcomings that might otherwise never be detected as a valuable complement to your overall security program.

Keeping High-risk & Problematic Security Areas in Focus

Maintaining HIPAA compliance and audit readiness is an ongoing project. Training should be kept current, with training extended immediately to each new hire and to each employee moved into a new information-handling role. The following high-risk security areas are worthy of special ongoing attention:

• EHR access: Ensure that access is limited only to authorized personnel, with safeguards against accidental disclosure.
• Lost/stolen devices: Any device that stores PHI – laptops, mobile devices, thumb drives, etc. – MUST have that data encrypted, and people who carry them must never leave them unattended.
• Logons and logoffs: Ensure employees who can access PHI comply with access procedures including frequent changing of passwords and proper handling of passwords.
• Minimum necessary information: Grant each employee access to only the PHI needed for to perform their job.
• Patient right of access : Patients who request their medical records have every right to them as unprocessed requests or delays in granting access can lead to very significant fines.

While BAs themselves won’t be audited until 2015, it’s essential that covered entities protect themselves against BA-related issues. As many as 58 percent of all breaches have been caused by BAs. At minimum, gather your BAs’ proofs of risk assessment, along with documents regarding their policies and procedures, to ensure their activities aren’t causing shared risk. Be sure to update any outdated contractual agreements, such as defining the BA’s scope of engagement when a BAs’ scope of engagement and the responsibilities of the BA upon a breach from notifications of PHI breaches to the covered entity to notification to the individual.

If You Receive an OCR Audit Letter

Any covered entity selected for a random audit will receive notification sent via registered mail 30 days prior to the audit date. From the time the letter is accepted, the recipient has 10 days to provide supporting documentation to the OCR, including all policies and procedures in final form. The audit occurs within 3-10 days of delivery of those policies and procedures, lasts up to 10 days and can involve as many as five auditors. Audit findings are typically communicated within 30 days of audit completion and are kept confidential between the OCR and the covered entity.

If you’ve prepared properly and thoroughly, you should perform just fine in the audit, and any findings in the audit report that require attention will likely be minor. Whatever those items may be, remember that this is a valuable process for everyone involved. The OCR wants to make sure sensitive patient information is kept confidential. Patients expect that their confidential information to be protected by their caregivers. Ultimately, honoring the privacy and security of all your patients’ records is a hallmark of top-performing organizations and another important facet in delivering quality care.

Amy Derlink is chief privacy officer for IOD Incorporated.

References