OCR Audits Phase 2 Is Here—Are You Ready?

The long-awaited second phase of the OCR Audits has finally arrived. After the dismal results of the phase 1 audits, healthcare organizations—both covered entities and business associates—have their work cut out for them.

As its official name indicates, the HIPAA Privacy, Security, and Breach Notification Audit Program is a mechanism by which the U.S. Department of Health and Human Services Office for Civil Rights (OCR) measures compliance with the HIPAA Rules. HHS will use the results of phase 2 audits to develop a permanent HIPAA audit program, according to HealthcareInfoSecurity.

In March 2016, OCR’s director Jocelyn Samuels said that the audit “is a critical tool for us. We don’t intend it to be a punitive mechanism. We do intend to use it to enable us to get out in front of the kinds of problems that have led to the breach reports that we have received.”

Successful Data Breach Response: A Proven 12-Step Process

Even though the audits are not meant to be punitive, OCR is not taking a kindly view toward noncompliance. “We are beginning to raise our expectations about compliance.” Barbara Holland, OCR’s regional manager of the Mid-Atlantic region, said in Cybersecurity Today blog post. “We know some people have struggled to comply, but we are expecting more from traditional providers. We have a lower tolerance for noncompliance.”

Phase 2 audits will be conducted in three rounds: the first two are desk audits—one for covered entities, the other for business associates—and the last one is onsite audits. The desk audits, according to OCR, are targeted toward compliance with specific requirements of the three HIPAA Rules. The onsite round of audits will be more general.

Audited or Not, Compliance Still Matters

According to a thought piece by attorneys at McDermott Will & Emery written in April, pre-screening questionnaires have already been emailed to potential audit targets. Based on this information, OCR will—if it hasn’t already—select approximately 200 organizations for the desk audits, scheduled to be done by the end of the year.

Only a tiny percentage of healthcare organizations will be selected for the audits. But the fact that the audits are underway, plus recent, staggering fines for noncompliance with HIPAA demonstrate that OCR is taking this seriously. And, as the attorneys at McDermott Will & Emery pointed out, OCR has collected $11 million in settlements since last fall.

How to Prepare for the Audits or Compliance Reviews

Even if you “escape” the audits, OCR may still come knocking on your door—such when you have a breach or a complaint, privacy attorney Adam Greene of the law firm Davis Wright Tremaine (DWT) told HealthcareInfoSecurity.

“OCR is using the audit program to highlight areas where it has seen significant non-compliance and where it is likely to focus its enforcement efforts,” Greene and two of his colleagues wrote in a firm advisory. “Accordingly, covered entities and business associates may wish to focus on reviewing compliance with those areas.”

And if you want to know what auditors—and regulators—are looking for, become familiar with the audit protocol, which was updated to reflect the requirements of the HIPAA Omnibus Final Rule. It is very specific, listing about 180 areas within the three HIPAA rules that may be scrutinized by auditors.

In the HealthcareInfoSecurity article, Greene said that the protocol “is a very useful tool for any company to use in evaluating their overall compliance status and their ability to do well in an audit or investigation.” However, he also called it “intimidating” and “far beyond what many companies will have in place,” sentiments echoed by other subject-matter experts in the article.

In addition to becoming familiar with the protocol, healthcare organizations can prep for the audits or other regulatory inquiries by:

1. Ensuring business associate agreements are in place and up to date.
2. Providing documentation to prove compliance.
3. Having the basics in place, such as an incident response plan, a recent security risk analysis, and appropriate privacy policies and procedures.

OCR is ramping up its scrutiny and enforcement, whether by audits or by other means. Smart healthcare organizations will see beyond the immediate regulatory pressures, however, and realize that compliance is not a one-and-done proposition. Compliance is—or should be— a mindset that motivates employees to care about the security and privacy of sensitive patient information.

Successful Data Breach Response: A Proven 12-Step Process