November 15, 2016
The Office of Civil Rights (OCR) is in the midst of the latest round of HIPAA audits. If your organization is a business associate (BA) or a covered entity (CE) and it’s not already prepared, you have a challenge facing you. The CE desk audits are almost complete and the BA audits will commence any day now. Add to that — comprehensive onsite audits of CEs and BAs will kick off early in 2017. If OCR finds signs of non-compliance, e.g. your hospital hasn’t done a recent risk analysis or has outdated policies, there will be a follow-up compliance investigation. In such cases, the potential of being fined is high. Should you be worried?
For thousands of covered entities and even more business associates, the answer is yes — you should be worried. Many have done little to keep up with the requirements of the HIPAA rules. The HIPAA Privacy Rule has been with us for over 13 years, the Security Rule for over 11 years, and the Omnibus Rule, which provides for the most stringent protections (and penalties), went into effect in 2013. OCR has lost patience with the lack of attention to essential data protection regulations that have been with us for so long. This is evidenced by the recent high number of headlines about CEs and BAs being fined for their lack of attention to even the most basic HIPAA requirements.
We know that the desk audits of CEs and BAs were very focused but we know little about what will be included in the upcoming comprehensive audits. OCR has said more guidance will be forthcoming regarding what will be the focus of the comprehensive audits. Until that guidance arrives, it is imperative that all CEs and BAs pay attention to the published audit protocols and use them as a checklist for compliance and to address any potential audit by OCR. It’s not just about providing policies and plans. You need to prove to OCR that you’re actually complying with your own policies, documented practices and plans such as your security incident response plan.
You may be wondering: what’s the difference between a desk audit and an onsite audit? It’s pretty straightforward. In a desk audit an OCR auditor requests submission of specific information remotely. But with most desk audits to be completed in 2016, the 2017 round will be much more comprehensive onsite audits in which OCR representatives will spend three to five days in your facility. Some auditees may be subject to both a desk audit and a subsequent onsite audit.
Perhaps you think it’s unlikely that your organization will be picked for an audit. The OCR is looking at a broad cross section of CEs and BAs, using various selection factors such as size, geographic and demographic factors, affiliations with other healthcare organizations, whether the entity is public or private, and more. In fact, all CEs and BAs are eligible for audits.
The question to ask now is: are you ready for OCR HIPAA audits? Following are question sets for CEs and for BAs. While they are not all-inclusive, they offer a place to start. Ask yourself, and your Security Officer, about your own HIPAA compliance program:
OCR will conduct a relatively small number of HIPAA audits in comparison to the vast number of CEs and BAs out there. But don’t let that cause you to put assessing and updating your HIPAA program on a back burner. You have a much higher chance of being investigated by OCR following complaints filed with OCR and following breaches. And, if you’ve been watching this year’s news about many big fines to both large and small healthcare organizations, you have been given fair warning.
OCR has indicated if you experience a breach of 500 individuals or more, you will be investigated. OCR recently announced it would be investigating smaller breaches too. In addition, OCR investigates complaints. Whether an investigation is related to a breach or a complaint, you need to be prepared to respond to OCR promptly. If you provide OCR with the documentation requested, case closed — and/or you’ll get some friendly advice from OCR about enhancements you can make in your compliance program. If you don’t provide OCR with the documentation requested, OCR will stay on your case, and its investigation may very well result in a finding of willful neglect that will lead to formal enforcement.
As we’ve seen with other governmental audit programs, it is likely the OCR will begin using the audit protocols for its investigations. That means you will not only be required to provide, as an example, all of your security policies. You’ll be required to prove you’re adhering to those policies. The time is past to build a compliance program from scratch, but if your organization has even an outdated program, you have a structure from which to rebuild it to meet current HIPAA requirements. If so, it’s critical to get going. No matter how big or small you are, OCR expects you to comply with HIPAA and if you don’t, it can get very expensive very quickly.
Our thanks to our partner, Chris Apgar, for this guest post.