Responding to an OCR Audit
The Office for Civil Rights (OCR) has not issued much information on the upcoming HIPAA audits, so it’s up to individual organizations to interpret what to expect and how to prepare. However, the OCR has indicated that the audits will be conducted by OCR personnel rather than by a third party, unlike the 2012 pilot program. Also unlike last time, the audits will be more heavily weighted toward desk audits, with onsite audits occurring on a case-by-case basis.
According to information in presentations from Department of Health and Human Services personnel, here is what audited entities need to be aware of:
● A data request will specify content and file organization, file names and any other document submission requirements.
● Only requested data submitted on time will be assessed.
● All documentation must be current as of the date of the request.
● Auditors will not have the opportunity to contact the entity for clarification or to ask for additional information, so it is critical that the documents accurately reflect the program.
● Submitting extraneous information may increase the difficulty for the auditor to find and assess the required items.
● Failure to submit a response to requests may lead to a referral for regional compliance review.
● Document submission will be a time-consuming task, so gathering necessary evidence up front will minimize disruption to day-to-day operations.
Once an organization receives notification, it should start gathering information immediately. If subsequently chosen to submit to an audit, participants will only have a short time to respond. The following provides basic steps for a strategic OCR audit plan:
● Gather a team.
Privacy and security officials should be assigned to a task force responsible for handling audit requests. It’s also a good idea to notify internal or external legal counsel to keep them on standby should guidance be necessary.
● Follow guidelines on how to respond.
The OCR will provide specific instructions on how and when to respond. The OCR will not look favorably on a delayed response, and if unrequested documentation is submitted, it can be used in all observations and findings. Some of the areas the OCR audits will cover include:
1. Risk analysis.
2. Evidence of a risk management plan (e.g. list of known risks and how they are being dealt with).
3. Policies and procedures and descriptions as to how they were implemented.
4. Inventories of business associates and the relevant contracts and BAAs.
5. An accounting of where electronic protected health information (ePHI) is stored (internally, printouts, mobile devices and media, third parties).
6. How mobile devices and mobile media (thumb drives, CDs, backup tapes) are secured and tracked.
7. Documentation on breach reporting policies and incident response policies and procedures.
8. A record of security training that has taken place.
9. Evidence of encryption capabilities.
● Question findings if they appear to be inaccurate. Historically, the OCR has allowed organizations to respond to observations and findings. Organizations that have documented all compliance decisions will fare better when trying to defend their position. There are many areas where HIPAA lacks specific direction; the ability to demonstrate a thoughtful and reasonable approach (in writing) will tend to be viewed favorably.
By preparing up front and responding in a timely fashion, most OCR audits should progress fairly smoothly. For organizations that have instituted a reasonably compliant security program, there may be little or no follow-up. If there are a significant number of observations and findings, an organization may be subject to voluntary compliance activities, or a more in-depth compliance review. Should an in-depth review uncover significant issues, additional corrective action must be taken and/or fines may be imposed.