Should You Wait for HHS to Come Calling?
In February, Health and Human Services’ Office for Civil Rights (HHS OCR) announced the return of the HIPAA audit program conducted in 2012. We see more details emerging about their focus in the upcoming round of audits and the process they will be using to conduct audits, this time, for both Covered Entities (CEs) and Business Associates (BAs) under the HIPAA Omnibus Rule provisions.
The scope and extent of the audits to begin later this year will be limited but this is the beginning of an audit program to be expanded in coming years. While only a small fraction (about 1500 CEs and BAs) will participate in this round of data gathering and audits, the focus areas identified for this round of audits reveal areas of weakness that you should be aware of in your own organization, and highlight the need for diligent risk mitigation and the proactive protection of health information.
What did Audits Reveal in 2012?
The round of audits conducted in 2012 was considered a pilot program for the audits that OCR is gearing up for now. This second round of audits will be based largely on what was learned in the 2012 on-site audits of 115 CEs in which OCR representatives found basic issues related to the safeguarding of electronic health information to be especially common for smaller health care providers and hospitals.
Who Will be Chosen for an Audit?
OCR has indicated that 1200 CEs will be surveyed in the coming months as a first step in this audit process. About 350 of those organizations will be notified sometime in the fall that they have been selected for an audit. In the final phase, approximately 50 companies will be selected from those listed as BAs by the CEs that were examined. The BAs selected for audit will be notified early next year.
The initial survey will ask CEs for information such as the number of patient visits conducted or the number of insured policyholders in the program, their use of electronic info, revenue data, and business (physical) locations.
Given the significance of widespread compliance gaps found in the 2012 audits among smaller health care providers and hospitals, it can be assumed that such smaller organizations, along with those who have suffered a security breach or received a significant number of complaints could be more likely to be on the list. While such organizations should take note, OCR will likely try to select a representative sample of organizations. Larger providers or hospitals, or those who have had no breach or complaints, should not assume they may not be selected.
What Will HHS OCR Auditors Look for?
Upcoming audits in 2014 will reflect requirements of the HIPAA Omnibus Rule which went into effect in September 2013 (after the 2012 audits). The audits will focus on privacy and security issues with indicated areas of focus being:
- Required Risk Analysis and Risk Management
- Breach Notification Rule Provisions (content & timeliness of notifications)
- Privacy Rule Provisions (patient notice and access to protected health info)
BA audits will focus on the risk analysis and risk management steps required by the Omnibus Rule.
OCR has indicated that future audits planned for 2015 and 2016 will focus on:
- Computing device and storage media security controls
- Transmission security
- HIPAA privacy rule safeguards (workforce training, policies, procedures)
- Encryption and decryption
- Facility and physical access control
- and Other areas as indicated by 2014 audits, breach reports, and complaints
What Should You Do Whether You are Audited or Not?
The information coming from OCR about upcoming audits tell us two things:
- These are the areas that OCR sees as the greatest threats and these are the security gaps most likely to results in fines and penalties.
- Again, it tells us that these are the areas that OCR sees as the greatest threats! In other words, these are the areas you should not ignore whether you are the subject of an OCR audit or not.
The steps you should take now to plan for a possible audit are the same steps you should also be taking now to avoid the security threats or a potential breach that could ultimately be even more costly than an audit or fine.
Internal Documentation, Incident Response Plan, and Compliance Assessment
The OCR’s planned use of desk audits over on-site visits means that thorough documentation will be the primary representation of your organization in the event of an audit. If the desk audit model is continued and/or expanded in the future, detailed, organized documentation will continue to be critical (whether you’re audited now or in the future). If notified of an audit, the organization will only have about two weeks to supply the requested documentation. Now is a good time to take a look at the documentation you currently have, be sure it presents a complete picture of the steps you have and are taking to mitigate risk, and to fill in any missing documentation or address areas that may have been overlooked.
Documentation is also critical following any information breach. Even prior to a breach, it is important that you can show that that you have a solid incident response program in place and that it is being followed. An effective incident response plan will specify steps to be taken in the event of a security incident. These steps include:
- Careful analysis of the incident – this can include any unauthorized use or exposure of information that may not necessarily rise to the level of a breach.
- Identification of the data affected, type, who had access, whether there was actual unauthorized access to that data (or just the potential).
- Detailed information what mitigation will (or has) be done to limit exposure and/or recover the data. This includes the BA Agreements in place to dictate how they manage your information day to day and in the event of an incident or breach as well.
In addition to thorough documentation and a clear (and followed) incident response plan, an internal compliance assessment should be a periodic and/or ongoing exercise within your organization. We have made available this HIPAA Privacy and Security Tool Kit. You can download this tool kit detail document or contact us for more information.
To help organizations understand what a risk assessment should include, the OCR has also developed a do-it-yourself tool that can be downloaded from healthit.gov. The disclaimer with this tool makes it clear that this tool is for informational purposes only, it doesn’t guarantee compliance, and it is not an exhaustive or definitive resource for safeguarding against privacy and security risk. OCR further encourages expert advice on applying this information to your organization’s unique risks and circumstances.
Finally, with audits expected to be increasingly tied to potential enforcement action, hiring an attorney is recommended if audited. It can’t hurt to consult one before an audit or security incident occurs.
Full Risk Assessment
For now, OCR is primarily limited to desk audits. These audits will not be as in depth as an on-site visit and a self-assessment will not be as reliable as an on-site risk assessment conducted by independent experts for the most objective and complete results possible.
Covered Entities and Business Associates are required to undergo a full risk assessment which should include the processes surrounding how health information is handled, all technology accessing health information, and an enterprise-wide examination of systems, processes, digital as well as physical security. CEs also need to evaluate the management of BA Agreements (BAAs) to ensure each BA has the necessary safeguards in place (i.e. they have conducted the necessary risk analysis as well).
Many experts question how effective OCR desk audits will be to really boost compliance. The increasing threat of fines and penalties are an encouragement to focus on compliance but, admittedly, limited resources to conduct audits limit the effort. However, the increasingly pervasive security threats, constant news of breaches and attacks, and real world business risk should do enough to boost compliance.
Don’t wait for the pressure and stress of an OCR audit, contact us today to learn more about conducting a thorough risk assessment, putting an effective incident response plan into place, and mitigating your exposure to risk.
UPDATE: Round 2 Audits On Hold
September 9, 2014
HHS/OCR officials have announced that plans to begin a new round of HIPAA audits is on hold until technology updates can be completed that will better facilitate the exchange of information between companies and OCR.
“We’re updating technology that we’ll use to get documents from the companies we are auditing,” she says. “The IT project was pushed back. We’re holding off starting [audits] while waiting for the technology.” Linda Sanches, OCR Senior Advisor via Healthcare Info Security
OCR has also indicated that there will be fewer remote audits and more will be done on-site than originally planned.
Ms. Sanches also said that OCR will focus more on companies’ periodic risk analysis for evidence of ongoing, regular efforts being made by the organization to address new and evolving risks.