Responding to an OCR Audit
The Office for Civil Rights (OCR) has not issued much information on the upcoming HIPAA audits, so it is up to individual organizations to interpret what to expect and how to prepare. However, the OCR has indicated that the audits will be conducted by OCR personnel rather than by a third party, unlike the 2012 pilot program. Also unlike last time, the audits will be more heavily weighted toward desk audits, with onsite audits occurring on a case-by-case basis.
According to information in presentations from Department of Health and Human Services personnel, here is what audited entities need to be aware of:
● A data request will specify content and file organization, file names and any other document submission requirements.
● Only requested data submitted on time will be assessed.
● All documentation must be current as of the date of the request.
● Auditors will not have the opportunity to contact the entity for clarification or to ask for additional information, so it is critical that the documents accurately reflect the program.
● Submitting extraneous information may increase the difficulty for the auditor to find and assess the required items.
● Failure to submit a response to requests may lead to a referral for regional compliance review.
● Document submission will be a time-consuming task, so gathering necessary evidence up front will minimize disruption to day-to-day operations.
Once an organization receives notification, it should start gathering information immediately. If subsequently chosen to submit to an audit, participants will only have a short time to respond. The following provides basic steps for a strategic OCR audit plan:
● Gather a team. Privacy and security officials should be assigned to a task force responsible for handling audit requests. It is also a good idea to notify internal or external legal counsel to keep them on stand-by should guidance be necessary.
● Follow guidelines on how to respond. The OCR will provide specific instructions on how and when to respond. The OCR will not look favorably on a delayed response, and if unrequested documentation is submitted, it can be used in all observations and findings. Some of the areas the OCR audits will cover include:
1. Risk analysis.
2. Evidence of a risk management plan (e.g. a list of known risks and how they are being dealt with).
3. Policies and procedures, and descriptions of how they were implemented.
4. Inventories of business associates and the relevant contracts and BAAs.
5. An accounting of where electronic protected health information (ePHI) is stored (internally, printouts, mobile devices and media, third parties).
6. How mobile devices and mobile media (thumb drives, CDs, backup tapes) are secured and tracked.
7. Documentation on breach reporting policies and incident response policies and procedures.
8. A record of security training that has taken place.
9. Evidence of encryption capabilities.
● Question findings if they appear to be inaccurate. Historically, the OCR has allowed organizations to respond to observations and findings. Organizations that have documented all compliance decisions will fare better when trying to defend their position. There are many areas where HIPAA lacks specific direction; the ability to demonstrate a thoughtful and reasonable approach (in writing) will tend to be viewed favorably.
By preparing up front and responding in a timely fashion, most OCR audits should progress fairly smoothly. For organizations that have instituted a reasonably compliant security program, there may be little or no follow-up. If there are a significant number of observations and findings, an organization may be subject to voluntary compliance activities, or a more in-depth compliance review. Should an in-depth review uncover significant issues, additional corrective action must be taken and/or fines may be imposed.
(HIMSS website)