
OCR Audits: Forewarned is Forearmed

February 9, 2015
by Mark Fulford

Although the Office for Civil Rights (OCR) HIPAA Compliance Audits have been delayed, we do know they are coming. Originally slated to begin in fall 2014, the audits were placed on hold when the OCR announced that its audit portals and project management software were not yet fully functioning. The recently released budget numbers for the OCR show about $3.9 million in additional funding for the coming fiscal year, with a good percentage of that earmarked for case management and enforcement activities. Until these essential tools are brought up to speed, the audit process will remain on hold, with no projected start date at the time of this writing.

Despite this, you should not stop getting ready. For many organizations, the road to compliance is a long one. Industry-wide, there has been a decided lack of muscle behind HIPAA compliance. We can expect the OCR to come down hard on entities that are grossly negligent, since the 2012 Audit Pilot Program revealed that, across the board, the effort to comply was well below par.

The results of the first round of audits were disappointing at best. Of the 115 covered entities audited, a mere 13 had no findings or observations. Do the math on that one, and you’ll realize that almost 89 percent of the entities audited were non-compliant in one or more areas. Security Rule issues accounted for 60 percent of the findings and observations, while the Privacy and Breach Notification Rules yielded 30 percent and 10 percent respectively. Providers (as opposed to clearinghouses and health plans) struggled most with the Security Rule: 58 of 59 providers audited had at least one security finding or observation.

How could so many entities have performed so poorly? The answer to that question shows up in a key finding in the report: A significant percentage of the companies audited had not even taken the critical first step of conducting a risk assessment.

The expectation is that the upcoming OCR Audits will focus on high-risk areas and on elements that were repeatedly lacking in the first round of audits of covered entities. The most glaring oversight in that round was that so many entities had not even conducted a risk assessment. So, at the very least, you will want to make sure you have done due diligence on determining where your compliance gaps might be, and work to plug any holes.

With the recent headlines about massive data breaches at large providers and health plans, it is a safe bet that scrutiny of covered entities and business associates will be ramped up, particularly in coverage of technical security controls. Organizations that are found to be willfully negligent with respect to security and compliance can expect big trouble.


2015 OCR Audits: Getting Ready

So what if your company is selected? Don't panic. Keep in mind that the OCR's ultimate goal is improving compliance across the industry, rather than singling you out, harassing you, and collecting fees. The audits are not meant to be punitive; they are more about correction and education.

Here’s what you will want to do to prepare for an audit ahead of time:

  1. Conduct an accounting of where ePHI (electronic protected health information) is stored: internal systems, printouts, mobile devices and media, and third parties.

  2. Take inventory of business associates and the relevant contracts and BAAs (business associate agreements). Document the types of data you share with each vendor and your evaluation of the risks associated with exchanging data with them.

  3. Conduct and document your risk analysis. Be sure it is thorough and covers every asset identified in step 1 above.

  4. Maintain evidence of a risk management plan (e.g. a list of known risks and how you are addressing each one).

  5. Document your policies and procedures, along with a description of how you are implementing them. Be able to map each written policy and procedure to the related safeguard requirement in the HIPAA Security Rule.

  6. Assess how you monitor mobile devices and mobile media (laptops, tablets, smartphones, thumb drives, CDs, backup tapes, etc.).

  7. Prepare documentation of your incident response plans and breach reporting policies, as well as records of how you have responded to past breaches.

  8. Keep a record of the security training that has taken place.

  9. Provide evidence of encryption capabilities.