OCR Audits: Forewarned is Forearmed

Feb. 9, 2015
Although the Office for Civil Rights (OCR) HIPAA Compliance Audits have been delayed, we do know they’re coming. If your organization is selected, what should you know? This article outlines some steps to keep yourself in compliance.

Originally slated to begin in fall 2014, the audits were placed on hold when the OCR announced that the audit portals and project management software were not yet fully functioning. The recently released budget numbers for the OCR show that they have about $3.9 million in additional funding for the coming fiscal year, with a good percentage of that earmarked for case management and enforcement activities. Until these essential tools are brought up to speed, the audit process will remain in wait mode, with no projected start date at the time of this writing.

Despite this, you should not stop getting ready. For many organizations, the road to compliance is a long one. Industry-wide, there has been a decided lack of muscle behind HIPAA compliance. We can expect the OCR to come down hard on entities that are grossly negligent, since the 2012 Audit Pilot Program revealed that across the board, the effort to comply was well below par.

The results of the first round of audits were disappointing at best. Of the 115 covered entities audited, a mere 13 had no findings or observations. Do the math on that one, and you’ll realize that almost 89 percent of the entities audited were non-compliant in one or more areas. Security Rule issues accounted for 60 percent of the findings and observations, while the Privacy and Breach Notification Rules yielded 30 percent and 10 percent respectively. Providers (as opposed to clearinghouses and health plans) struggled most with the Security Rule: 58 of 59 providers audited had at least one security finding or observation.

How could so many entities have performed so poorly? The answer to that question shows up in a key finding in the report: A significant percentage of the companies audited had not even taken the critical first step of conducting a risk assessment.

The expectation is that the upcoming OCR Audits will focus on high-risk areas and elements that were repeatedly lacking in the first round of audits of covered entities, and the most glaring oversight is that so many entities had not even bothered to conduct a risk assessment. So at the very least, you will want to make sure you’ve done due diligence on determining where your compliance gaps might be and work to plug any holes.

With the recent headlines related to massive data breaches at large providers and health plans, it’s a safe bet that the scrutiny of covered entities and business associates will be ramped up in terms of coverage of technical security controls. Organizations that are found to be willfully negligent with respect to security and compliance can expect big trouble.

2015 OCR Audits: Getting Ready

So what if your company is selected? Don’t panic. Keep in mind that the OCR has the ultimate goal of improving compliance across the industry, rather than singling you out, harassing you, and collecting fees. The audits are not meant to be punitive; rather, they are more about correction and education.

Here’s what you will want to do to prepare for an audit ahead of time:

1. Conduct an accounting of where ePHI (electronic protected health information) is stored (internally, printouts, mobile devices and media, third parties).
2. Take inventory of business associates and the relevant contracts and BAAs (business associate agreements), and document the types of data you share and your evaluation of the risks associated with trading data with each vendor.
3. Conduct and document your risk analysis. Be sure it is thorough and includes all of the assets identified in step 1 above. Maintain evidence of a risk management plan (e.g. list of known risks and how you are dealing with them).
4. Document policies and procedures and descriptions as to how you are implementing them. Be able to map your written policies and procedures to the related safeguard requirements in the HIPAA Security Rule. Assess how you monitor mobile devices and mobile media (laptops, tablets, smartphones, thumb drives, CDs, backup tapes, etc.).
5. Prepare documentation of incident response plans as well as breach reporting policies and how you have responded to breaches.
6. Make a record of security training that has taken place.
7. Provide evidence of encryption capabilities.
8. Conduct a “mock audit” of your security and compliance programs. Although we do not yet have a published audit protocol for the next round of audits, the prior audit protocols are a great place to start and are available on the OCR website.

And write it down, write it down, write it down. (Did we mention write it down?) Documented justification of each decision you make will carry significant weight with the OCR, even if they don’t agree with you.

OCR Audits: Limited Information

Ideally, the OCR would communicate clearly with us about what to expect, but unfortunately, that doesn’t appear to be the case.

That said, here is what we have been told. The audits will be staffed primarily by OCR personnel as opposed to being outsourced (as they were in the 2012 Pilot Program). Interestingly, there is budget money allocated for contracted workers, so they may be hedging their bet on being able to cover the audits with internal resources. Additionally, a significant percentage of the audits will be desk audits, with on-site audits being conducted only as resources allow.

According to information released in a presentation by OCR officials, here is what you can expect if you are selected for a desk audit:

- Data request will specify content and file organization, file names and any other document submission requirements.
- Only requested data submitted on time will be assessed.
- Auditors will not have opportunity to contact the entity for clarification or to ask for additional information, so it is critical that the documents accurately reflect the program.
- All documentation must be current as of the date of the request.
- Submitting extraneous information may increase difficulty for auditor to find and assess the required items.
- Failure to submit response to requests may lead to referral for regional compliance review.

The OCR Audits are coming—we just don’t know when. If you are selected, you will likely have very limited time to respond to the OCR’s request for information. Submitting your documentation will most likely be disruptive to your business operations, so the more you prepare now, the less burdensome it will be if you are one of the chosen few.

About Mark Fulford

Mark Fulford is a Partner in LBMC’s Security & Risk Services practice group. He has over 20 years of experience in information systems management, IT auditing, and security. Mark focuses on risk assessments and information systems auditing engagements including SOC reporting in the healthcare sector. He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). LBMC is a top 50 Accounting & Consulting firm based in Brentwood, Tennessee.
