OCR Audits, Phase 2: What You Need to Know About the Breach Notification Rule
If you work in healthcare compliance, chances are good that the 2016 Phase 2 HIPAA Audit Program, conducted by the HHS’ Office for Civil Rights (OCR), is a top priority.
It may also be an overwhelming priority, given the lengthy and extremely detailed audit protocol, which was updated to reflect the requirements of the HIPAA Omnibus Final Rule. Even though OCR’s director Jocelyn Samuels has said that the audit is not meant to be punitive, being selected is a big deal.
Amid the stress, it’s easy to forget that the audit program is about the basics—compliance with the HIPAA Security, Privacy, and Breach Notification Rules. A review of these basics will help you realize that you may be more in line with HIPAA requirements than you thought. On the other hand, a review may help identify some gaps in your compliance.
OCR Audit Playbook: Special Training on the Breach Notification Rule
The Breach Notification Rule: A Refresher Course
A major focus of the audit is compliance with the Breach Notification Rule. Both covered entities and business associates are required to:
- Perform a multifactor incident risk assessment for every privacy or security incident involving unsecured protected health information (PHI);
- Meet their burden of proof;
- Notify within certain timelines.
For covered entities, OCR will concentrate on the timing and content of breach notifications, according to an advisory by attorneys at Davis Wright Tremaine. Or, if notification was not made, OCR will want to know if you performed a risk assessment that indicates the privacy or security incident was not a breach. For business associates, OCR will focus on risk analysis and risk management, as well as the timing and content of breach notification to covered entities.
Let the Four Factors Decide
At the core of the Breach Notification Rule is the incident risk assessment. The assessment helps determine whether a privacy or security incident meets the legal definition of a data breach that requires notification to the affected population, to regulators such as the U.S. Department of Health and Human Services (HHS), and to the media.
The incident risk assessment determines the probability that PHI has been compromised—the compromise standard—and must include a minimum of these four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
If the risk assessment concludes there was a very low probability that PHI was compromised, you may decide the incident does not meet the legal requirements for a breach that requires notification. However, the Breach Notification Rule dictates that your organization maintain a burden of proof, should your conclusions be called into question, or demonstrate that one of the existing exceptions to the definition of a breach applies.
A proper assessment is critical, not only for compliance, but for developing a response strategy that reduces the financial, reputational, and health risks to the individuals whose information was compromised.
The Nuts and Bolts of Notification
If you decide you have a legal breach on your hands, regulators will want to know if you provided notification within the required timelines. The affected population must be notified no later than 60 days after the breach was discovered. And if the breach affects 500 or more people, you also have 60 days to notify HHS. Notification letters typically contain details of the breach, recommendations for protective action, mitigation steps (credit monitoring, etc.), and contact information.
No Rest for the Audited—Or Anyone Else
In addition to the Breach Notification Rule, OCR auditors will also scrutinize compliance with the HIPAA Privacy and Security Rules. Even though the first round of Phase 2 audits has passed—in which 167 covered entities received audit requests—there is more to come. And OCR has indicated that Phase 2 is the start of a more permanent audit program.
In other words, compliance will always be a top priority for OCR, and healthcare organizations should be prepared. Even if you aren’t selected for an audit, OCR may still come knocking on your door—such as when you have a breach or a complaint, privacy attorney Adam Greene of Davis Wright Tremaine told HealthcareInfoSecurity.
If you’d like to learn more about Phase 2 of the audits, check out the slides from an informational webinar given by OCR. Even better, don’t miss ID Experts’ Phase 2 OCR audit webinar with Adam Greene on August 24, 2016 to get the latest updates and learn what steps to take before an audit occurs.