OCR Begins New Round of HIPAA Audits

Covered Entities and Business Associates Targeted

The Department of Health and Human Services Office for Civil Rights (OCR) has begun notifying a random sample of Covered Entities (CEs) and Business Associates (BAs) that they have been selected for an audit. OCR will take many factors into consideration such as size, type of organization, and operations when making audit selections. These audits are mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act to ensure CE and BA compliance with Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. During Phase 1, OCR conducted pilot audits, including audits of 115 CEs, for HIPAA compliance. OCR found that two-thirds of the healthcare providers and health plans audited lacked complete and accurate risk assessments. OCR intends to apply what it learned from the pilot audits and test the efficacy of its new desk audits by evaluating the compliance efforts of the HIPAA regulated industry.

Suzanne Castaldo, JD, notes: “These new audits should be taken seriously. They will be conducted against a back-drop of recent record breaking OCR settlements: $1.5 million with North Memorial Health Care of Minnesota for failure to enter into a BA with a major contractor and failing to address the risks and vulnerabilities to its patient information; and, the $3.9 million settlement with Feinstein Institute for Medical Research for violating HIPAA privacy.” Camella Boateng, a HIPAA expert, states: “OCR is also aware of the fact that BAs are handling much larger volumes of patient data than when OCR conducted its Phase 1 audits and will place more attention on BAs during the new audits.” Carrie Kusserow, another HIPAA expert, notes: “most HIPAA breaches still occur as result of poor controls over mobile devices, especially laptop computers, and the failure to properly encrypt and password protect PHI. As such, those audited can expect to have this area examined closely.”

Those selected in the upcoming round of desk audits will be notified by a request for data about the organization’s size, type, and operations, as well as contact information for their BAs. Responses to these requests should be submitted within 10 business days via OCR’s secure portal. OCR will provide the audited party with draft findings and also permit 10 business days for review and comment; a final audit report will be issued within 30 business days thereafter. All desk audits in this phase will be completed by the end of December 2016.

Following the desk audits, OCR will select parties for onsite audits that will provide a more in-depth review. There will be fewer in-person visits during Phase 2 than in Phase 1, but those selected for an audit should be prepared for an onsite visit by OCR. Onsite audits will begin by notifying parties via email that they have been selected for an audit. OCR will schedule and hold an entrance conference to review information about the audit process and expectations for the audit. Each onsite audit will be conducted over a three to five day onsite visit, depending on the size of the organization. Onsite audits will cover a wider range of HIPAA requirements than desk audits.  Entities will have 10 business days to review OCR’s draft findings and to provide written comments to the auditor. The final audit report will be issued within 30 business days after the organization’s comments.

OCR will analyze all audit results to better understand HIPAA compliance across the industry; determine what types of technical assistance should be developed; determine what types of corrective action is needed; and help develop new tools and guidance on conducting self-evaluations to prevent breaches. Any audit identifying serious compliance issues may result in additional review and possible investigation. OCR will neither publish a listing of audited entities nor publish the findings of individual audits.

Tips and Suggestions for Audit Readiness

1. Keep an up-to-date list of all BAs that includes contact information.
2. Verify that all BAs have signed business associate agreements in place.
3. Conduct and complete a security risk analysis that addresses electronic protected health information (ePHI) vulnerabilities.
4. Ensure that security processes are adequate to address potential ePHI risks and vulnerabilities.
5. Develop a corrective action plan to promptly address any identified weakness.
6. Ensure laptops and mobile devices are properly encrypted and password protected.
7. Implement policies and procedures: (i) governing the receipt and removal of laptops containing ePHI; and (ii) controlling the access to ePHI by both workforce members and general users.
8. Train the workforce on all policies and procedures developed and revised.
9. Follow the basics in reviewing compliance for information security risks and PHI breaches.
10. Implement adequate policies and procedures for authorizing access to ePHI.
11. Implement safeguards to restrict access to unauthorized users.