You should start preparing for an OCR HIPAA audit long before the notification letter hits your mailbox.
An auditor can easily detect a lack of preparation, making it essential for care providers to take a proactive approach to HIPAA compliance.
Even if you aren’t selected for a random audit, you can still face penalties for noncompliance if you experience a patient complaint or a breach.
Taking the opportunity to proactively strengthen your privacy and compliance program will help you maintain control of your patient data and avoid compliance headaches that are costly and time consuming.
What is the Purpose of an OCR Audit?
The Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS) uses the HIPAA audit program to assess the compliance of a range of covered entities. As stated by the HHS, “The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”
In 2016, the HHS launched its Phase 2 HIPAA Audit Program; the results of more than 166 audits were released in 2017. This program was notable in that both business associates and covered entities had to meet selected standards and implementation specifications under HIPAA’s Privacy, Security, and Breach Notification Rules. The HHS’s Official Audit Protocol was updated in July 2018.
The standards of compliance will continue to rise as care providers continue to evolve. Instead of viewing OCR audits as a burden, however, care providers can approach them as an opportunity to lay a foundation of compliance – a foundation upon which they can grow when adopting new tools, technologies, personnel, and workflows. If not proactively prepared for an audit, the penalties for noncompliance can be burdensome.
What are the Most Common HIPAA Violations?
Before you can craft a holistic compliance strategy, you should first understand the HHS definition of a HIPAA breach and the violations that commonly trigger penalties.
Essentially, the HIPAA Privacy Rule requires healthcare providers to protect and maintain any personal health information (PHI). It also sets limits and conditions on how PHI can be used and disclosed in the absence of patient authorization. The Privacy Rule gives patients the right to view their health information and medical records, as well as request corrections.
A HIPAA breach is defined as the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA; the activity must pose a significant risk of harm to the affected individual, whether it’s financial, reputational, or other damages.
Under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals in the event that unsecured PHI is breached
The top 10 HIPAA violations that can result in substantial fines are:
- Database breaches
- Employees disclosing information
- Mishandling of medical records
- Lost or stolen devices
- Lack of training
- Failure to encrypt PHI on portable devices
- Failure to perform an organization-wide risk analysis
- Employees legally accessing patient files
- Third-party disclosure of PHI
- Improper disposal of PHI
But the threat landscape is even broader than this list. Today, a multitude of advanced threats can result in a HIPAA violation or breach, and therefore fines and settlements – including drug diversion, cybersecurity attacks, insider threats, fraud, and identity theft.
What are common reasons for OCR settlements?
Since 2003, the OCR has levied almost $80 million worth of fines in 55 Privacy Rule violations. And as of 2018, the OCR has received over 184,000 HIPAA complaints and initiated over 902 compliance reviews.
The compliance issues investigated most by the OCR, in order of frequency, include:
- Impermissible uses and disclosures of PHI
- Lack of PHI safeguards
- Lack of PHI patient access
- Lack of administrative safeguards of ePHI
- Use or disclosure of more than the minimum necessary PHI
These issues have most often been found in covered entities like:
- General hospitals
- Private practices and physicians
- Outpatient facilities
- Health plans
As of July 2018, the HHS has investigated over 37,670 complaints, 69 percent of which have received corrective action.
How Do I Prepare for an OCR Audit?
OCR audits are ongoing; while you may not be selected for a random audit, a breach or a patient complaint could very well put you in a position of interest. If selected for an audit, you will have just 10 days to respond to the OCR, this means that you should have controls in place now, so that you can confidently respond. Below are eight tips to prepare for an OCR audit:
Step #1: Conduct a Risk Assessment
The Breach Notification Rule requires covered entities to conduct risk assessments to determine the probability of compromised health information. The main goal is to determine whether you need to report a PHI breach under law. The Office of the National Coordinator for Health Technology (ONC) and the OCR recently updated their Security Risk Assessment Tool to guide organizations through the compliance process.
Step #2: Document HIPAA Policies and Procedures
Your patient data is one of your most important assets. Without proper policies and procedures in place, employees and insider threats may do things to put PHI in jeopardy. Under HIPAA 164.316, organizations are required to implement “reasonable and appropriate policies, procedures, and standards.” Furthermore, organizations are required to document those policies and procedures to prove they’ve set boundaries are set and made expectations and standards transparent.
Step #3: Prepare an Incident Response Plan
Crafting a quality incident response plan (IRP) will help you contain security incidents that would otherwise become breaches requiring regulatory involvement. The HIPAA Security Rule, requires covered entities to have IRPs. The HHS provides a free Incident Response Plan template to help organizations handle incidents with more agility. Once created, an IRP requires frequent evaluation and changes as the organization naturally evolves.
Step #4: Safeguard and Protect all Forms of PHI
Under HIPAA 164. 306, covered entities and business associates must ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI); under HIPAA 164.312, access to electronic systems holding ePHI must allow access to those persons that have granted access rights
Organizations should ensure that they monitor all systems holding ePHI, including EHRs, cloud applications, and mobile devices. By monitoring with a full lifecycle platform, they can detect, investigate, mitigate, and remediate inappropriate activity to address incidents. This can also help organizations identify employees who need training, sanctioning, or retraining — and foster a culture of privacy and compliance that prevents future incidents from occurring.
Step #5: Identify Unknown and Poorly Known Users
In a sample of 1 million users by FairWarning in EHRs and cloud applications, 26 percent were found to be poorly known or unknown to the care provider. This means that these users are unable to be monitored and audited, making it difficult to train or sanction them in the event of a HIPAA violation. To help, organizations can improve compliance by implementing identity correlation technology in their EHRs and cloud applications.
Step #6: Train Your Workforce
An organization’s greatest risk often lies with its workforce. In fact, 58 percent of healthcare breaches involve insiders. To make sure employees are fully absorbing the policies and regulations of their day-to-day work, training should be treated as an ongoing process, not a one-time event. Once you identify employees who need training through your monitoring program, you should clearly communicate expectations about your organization’s policies and procedures and train accordingly through an LMS program.
Step #7: Maintain an Inventory of Business Associate Agreements
It is imperative that organizations enter into business associate agreements (BAAs) with any vendors handling PHI. This helps ensure that both parties are held accountable for creating, receiving, or transmitting PHI in a secure and intended manner. If either party violates the BAA, they may face penalties from the HHS. Most importantly, find a vendor who takes the BAA very seriously. Any organization can sign one, but do they have the proper protocols in place to responsibly handle PHI? Ask questions and investigate to assess how secure their processes really are.
Step #8: Evidence Your Risk Management Plan
It’s important to have the policies and procedures in place to implement a privacy and compliance program that adheres to the final Breach Notification Rule. To do so, identify your high-risk assets and ensure your risk analysis of these assets is current. These should include both technical and non-technical assets that are business-critical.
By proactively planning for an OCR HIPAA audit and implementing the best practices above, you can take the necessary steps to avoid hefty fines and penalties. But most of all, a proactive privacy and compliance program will lay the foundation for your organization to build upon as technology adoption increases. In doing so, you can focus on improving patient care and fostering trust between patient and provider.