The Office for Civil Rights (OCR) of the Department of Health & Human Services has launched Phase 2 of its HIPAA audits for providers and business associates. Although the number of organizations being audited is small, everyone in the industry should be prepared for a visit from OCR.
On Aug. 24, Adam Greene, J.D., M.P.H., a partner at law firm Davis Wright Tremaine LLP and an expert on HIPAA compliance, gave a webinar presentation hosted by ID Experts on what the Phase 2 “desk audits” and upcoming on-site audits involve.
First, a little history: Greene, who previously played a key role in administering and enforcing the HIPAA rules at HHS, noted that for many years OCR didn’t audit providers on HIPAA compliance. It followed up on complaints from patients and whistleblowers or media reports with compliance reviews. Or if an organization files a breach report, that could bring it into OCR’s crosshairs. A breach affecting 500 or more people will invariably open up an investigation, Greene said, and just within the last week OCR said that it is going to do more investigations of small breaches.
But there was some criticism, including from the Office of the Inspector General, that OCR wasn’t proactive enough in monitoring entities, so in the HITECH Act an audit program was created with the goal of finding problems and trying to get them corrected before they become breaches.
Phase 1 of the audit program took place in 2011 and 2012 and was conducted by a contractor, rather than OCR itself. Greene said that in Phase 1 only 11 percent of providers got an “A plus” score with no negative findings. They also found that 60 percent of findings dealt with security issues and 40 percent with privacy.
Phase 2 was supposed to start in 2014, but after significant delay it got under way this summer. The desk audits, conducted by OCR staff, began in July, with 200 to 250 covered entities and business associates scheduled for Round One. (Late September is OCR’s forecast of when the business associate audits will begin.) In 2017, a smaller number of providers, perhaps only 25, will face on-site audits, which are more comprehensive, Greene said.
For the desk audits, providers had only 10 business days to respond. OCR held a webinar for those being audited and followed up with a Frequently Asked Questions document, which Greene called “invaluable” for helping providers understand how they need to respond.
Here are the topics the desk audits focus on:
Notice of privacy practices
• Right of access
• Timeliness of breach notification
• Content of breach notification
• Risk analysis
• Risk management
The providers are also asked to provide a list of business associates, as well as the contact information for both the first and second points of contact at those firms. He mentioned that no one he works with had a second point of contact available for business associates. Greene recommends having that contact information for business associates on file. “You only have 10 days to respond. You don’t want to have to spend that time going to departments that have contracting authority trying to get that information.”
Greene described the desk audit process: After an e-mail verification and a pre-screening questionnaire, providers have 10 days to respond to the request. “That is a very short period of time to respond,” Greene said. After responding, providers receive a draft audit report and have 10 business days to respond to it, and then a final audit report within 30 days. The plan is that the report will go only to the provider. OCR is not planning to publish that information, although Greene said there could be questions about whether that data would be open to a Freedom of Information Act request.
The requests ask providers to look back at their policies over a six-year period, so it is essential that providers retain their compliance documents for that period, Greene said. (If you don’t have information going back that far, you may fail that part of the audit.)
OCR also asks for proof that risk analysis policies are available to the people responsible and is periodically reviewed. “OCR is looking for a very significant amount of support documentation that the risk analysis is available to those who need it,” Greene said.
OCR asks providers to upload policies and procedures regarding the entity’s risk analysis process. Providers must upload documentation of the current risk analysis and the most recently conducted prior risk analysis.
Remember that this is just Round 1 of these Phase 2 audits, Greene said. The next round might focus more on device and media controls for USB drives and laptops, and transmission security for e-mails.
Greene said the newly revised audit protocol for onsite audits is “not for the faint of heart.” It is over 300 pages long, he said, and reading through it is a fairly daunting endeavor.
He noted that adverse audit findings in a desk audit could escalate to an on-site audit. If providers do poorly on both, they could be facing a significant enforcement action, Greene said, and that process could take a number of years to play out. “We are talking about a number of years before settlements occur,” he said. Phase 1 did not lead to any financial settlements. It will be 2019 before we find out if Phase 2 audits lead to financial settlements, but that would be a small minority, he predicted.
Greene said admittedly the chances of being audited are very small, but providers can use the audit protocol to start preparing. But you must treat preparation as a significant project. But he warns that providers shouldn’t get “onsite audit tunnel vision.”
Breach preparedness may be a more important compliance priority. The chances of an audit are far less than the chances of a breach. “You will be judged by your breach response,” he said. You should keep an audit in reference, he added, but the other ways you might come to OCR’s attention are more likely. And if you work on breach response it will improve your compliance posture.