This year, after piloting it since 2015, the Office for Civil Rights (OCR) formally implemented an audit program whose subjects include a wide variety of healthcare organizations (covered entities and business associates alike). Healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) will want to ensure they are prepared for audits of their HIPAA compliance.
The OCR is tasked with enforcing compliance with HIPAA, and their approach thus far has been a supportive one; an OCR speaker at an industry conference put it this way earlier this year: “We are not in the business of putting healthcare organizations out of business.” Other OCR representatives have demonstrated willingness to coach covered organizations on where to focus their HIPAA compliance efforts. But, while the OCR has taken a lenient and supportive tone up until now, those in the healthcare industry will not want to rely on the OCR’s current benevolence continuing indefinitely. The possibility of financial penalties, patient safety concerns and damage to an enterprise’s reputation remain very real, and organizations need to be prepared to pass these audits, proactively manage their HIPAA compliance efforts, and ultimately protect the sensitive information they maintain.
Enterprises may find themselves subject to a HIPAA audit following a breach or a complaint, but they could also be targeted randomly, as the OCR proactively seeks to identify recurring issues as well as industry best practices. Through random audits, the OCR hopes to uncover weaknesses in the industry overall, so that all entities subject to HIPAA can benefit.
The OCR has taken some enforcement actions, but they also have provided additional resources and educational materials. With the variety of resources available to strengthen their HIPAA compliance programs, any organization can prepare to face an audit with greater confidence.
For example, the OCR publishes an Audit Protocol to familiarize compliance teams with the audit procedures the OCR may undertake. Their Guidance on Risk Analysis Requirements Under the HIPAA Security Rule outlines the security risk analysis process that is fundamental to HIPAA security and is a key area of OCR scrutiny. In addition, in the past year, the OCR has shared insights resulting from audit findings during various presentations by relaying their continuing enforcement issues. Based on the currently identified issues, healthcare organizations can safely assume that any upcoming audit will check for the specific violations uncovered in recent audits elsewhere. These include insufficient risk analysis processes, failure to ensure business partners have formal and current business associate agreements to safeguard protected health information (PHI), failure to secure electronic devices, running unsupported software, and inadequate personnel screening, among other things. Furthermore, patient safety is quickly becoming an area of emphasis, as recent ransomware attacks have directly impacted the clinical/caregiving setting.
To be thoroughly prepared, organizations should take the actions outlined below. As they undertake these actions, organizations should document precisely how they comply, what is remediated, and how. They need to demonstrate the plans made to address existing shortfalls. Organizations should assume that an OCR auditor will be reviewing their documents without their help and there likely won’t be an opportunity to assist OCR auditors in the interpretation of documents. Therefore, the documented record needs to be clearly written with that in mind. Otherwise, the list of issues the OCR may have to clear with the organization is likely to be longer than necessary.
To identify gaps in their HIPAA compliance, organizations should do the following:
- Review their practices and standards against these rules:
  - HIPAA Privacy Rule
  - HIPAA Security Rule
  - HIPAA Breach Notification Rule
- Create plans to address any shortfalls. These plans should include specific actions, the time by which they’ll be completed, and the parties responsible for carrying them out.
- Conduct and maintain a security risk analysis aligned with the Security Rule in §164.308(a)(1)(ii)(A). The analysis should be clearly documented to demonstrate how the organization has addressed data collection and threat/vulnerability identification and to demonstrate the extent of current security measures. It should quantify the likelihood and potential impact of each threat, calculate the residual risk to the organization, and prioritize management of the key risks identified, applying varying strategies until the organization judges the risk to have been managed to an acceptable level.
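The risk analysis step above names the elements an auditor expects to find written down: the assets holding ePHI, the threats to them, likelihood and impact ratings, the controls already in place, the residual risk, and the prioritization that follows. The Python below is an added example of a small risk register that carries those elements through to a reviewable record; it is not code from the article or from the OCR. The 1–5 scales, the control-effectiveness numbers, the risk-appetite threshold, and the four sample entries are all constructed assumptions, since the Security Rule prescribes what a risk analysis must cover, not a scoring scale.

```python
"""Worked HIPAA-style risk register (added example; scales and entries are assumed)."""
from dataclasses import dataclass, field

# Assumed ordinal scales. Any documented, consistently applied scale would do.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk appetite: residual scores above this need a dated remediation plan.
RISK_APPETITE = 6


@dataclass
class Threat:
    asset: str                      # data collection: where the ePHI lives
    threat: str                     # threat/vulnerability identification
    likelihood: str                 # key into LIKELIHOOD
    impact: str                     # key into IMPACT
    # current security measures: (description, assumed effectiveness in [0, 1])
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any control is credited: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        # Each preventive control independently removes a share of the remaining
        # likelihood; impact is left unchanged in this simplified model.
        remaining = 1.0
        for _description, effectiveness in self.controls:
            remaining *= 1.0 - effectiveness
        return round(LIKELIHOOD[self.likelihood] * remaining * IMPACT[self.impact], 2)


def prioritize(register: list) -> list:
    """Order threats for management: highest residual first, inherent as tie-break."""
    return sorted(register, key=lambda t: (t.residual(), t.inherent()), reverse=True)


def remediation_needed(register: list, appetite: int = RISK_APPETITE) -> list:
    """Threats whose residual risk still exceeds the documented appetite."""
    return [t for t in register if t.residual() > appetite]


def document(register: list) -> list:
    """Produce the written record an auditor could read without the team's help."""
    rows = []
    for t in prioritize(register):
        rows.append({
            "asset": t.asset,
            "threat": t.threat,
            "inherent_risk": t.inherent(),
            "controls": [description for description, _ in t.controls],
            "residual_risk": t.residual(),
            "exceeds_appetite": t.residual() > RISK_APPETITE,
        })
    return rows


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER = [
    Threat("EHR database server", "ransomware delivered via phishing", "likely", "severe",
           controls=[("offline, tested backups", 0.5), ("email filtering", 0.4)]),
    Threat("Clinician laptops", "lost or stolen device with unencrypted ePHI",
           "possible", "major"),
    Threat("Legacy imaging workstation", "exploitation of unsupported operating system",
           "likely", "major", controls=[("network segmentation", 0.5)]),
    Threat("Billing vendor data feed", "business associate without current BAA",
           "possible", "moderate", controls=[("annual BAA inventory review", 0.7)]),
]

if __name__ == "__main__":
    for row in document(SAMPLE_REGISTER):
        flag = "PLAN REQUIRED" if row["exceeds_appetite"] else "accepted"
        print(f'{row["residual_risk"]:>5}  {row["asset"]:<28} {row["threat"]:<50} {flag}')
```

Running the script lists the register with the unencrypted laptops (residual 12.0) and the unsupported workstation (8.0) flagged for a remediation plan, while the ransomware entry lands exactly at the appetite and the vendor entry well under it. The point worth noting for audit purposes is that every number in the record traces back to a documented rating or a named control, so a reviewer can follow the reasoning without asking the team.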
By preparing for a potential HIPAA audit, we can all help strengthen our organizations’ audit preparedness, and we can do so motivated by the spirit of HIPAA – to protect the privacy and safety of the patients we may one day be.