Corporate Compliance Insights
Advance Preparation for an OCR HIPAA Audit

by Shane Whitlatch
October 22, 2018
in Featured, Internal Audit
8 Tips to Implement Now

Shane Whitlatch, EVP at FairWarning, outlines the key controls companies should have in place to quickly and confidently respond to an OCR audit should they be selected.

The best time to prepare for an audit is before you’re in one. Fortunately, the requirements of the various regulations are widely published, so there is no guesswork involved and you can confirm you’re compliant ahead of time. That means you can start preparing for an Office for Civil Rights (OCR) HIPAA audit long before the notification letter hits your mailbox.

Even if you aren’t chosen for a random HIPAA audit, you can still face penalties for noncompliance if you experience a patient complaint or a breach. Taking the opportunity to proactively strengthen your privacy and compliance program will help you maintain control of your patient data and avoid costly and time-consuming compliance headaches.

Assessing Compliance

The Department of Health and Human Services (HHS) oversees the OCR, which uses the HIPAA audit program to assess the compliance of covered entities. As stated by the HHS, “The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews and enable us to get out in front of problems before they result in breaches.”

The HHS’s Phase 2 HIPAA Audit Program launched in 2016, and the results of more than 166 audits were released the following year. This program was notable in that both business associates and covered entities had to meet selected standards and implementation specifications under HIPAA’s Privacy, Security and Breach Notification Rules. The HHS’s Official Audit Protocol was updated in July 2018.

As care providers continue to evolve, the standards of compliance will continue to rise. Instead of viewing OCR audits as a burden, however, care providers can approach them as an opportunity to lay a foundation of compliance – a foundation upon which they can grow when adopting new tools, technologies, personnel and workflows. Without proactive preparation for an audit, the penalties for noncompliance can be burdensome.

Common HIPAA Violations

What constitutes a HIPAA breach? It involves the acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by HIPAA; the activity must pose a significant risk of harm to the affected individual, whether in the form of financial, reputational or other damages. Under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals in the event that unsecured PHI is breached.

In terms of the HIPAA violations that carry heavy fines, here are the top 10:

  1. Mishandling of medical records
  2. Employees disclosing information
  3. Database breaches
  4. Third-party disclosure of PHI
  5. Improper disposal of PHI
  6. Lost or stolen devices
  7. Lack of training
  8. Failure to encrypt PHI on portable devices
  9. Failure to perform an organization-wide risk analysis
  10. Employees illegally accessing patient files

The violations don’t stop here, though. Myriad advanced threats can result in a HIPAA violation or breach and, therefore, fines and settlements – including drug diversion, cybersecurity attacks, insider threats, fraud and identity theft.

Common Complaints and Investigations

The OCR has discovered 55 Privacy Rule violations and handed out close to $80 million in fines since 2003. And as of 2018, the OCR has received more than 184,000 HIPAA complaints and initiated more than 902 compliance reviews.

In order of frequency, these are the compliance issues investigated most by the OCR:

  • Impermissible uses and disclosures of PHI
  • Lack of PHI safeguards
  • Lack of PHI patient access
  • Lack of administrative safeguards of ePHI
  • Use or disclosure of more than the minimum necessary PHI

Typically, these covered entities are the biggest offenders:

  • Pharmacies
  • Health plans
  • General hospitals
  • Private practices and physicians
  • Outpatient facilities

More than 37,670 complaints were investigated by the HHS as of July 2018 – 69 percent of which have received corrective action.

8 Tips to Prepare for an OCR Audit

If selected for an audit, you will have just 10 days to respond to the OCR. This means you should have controls in place now so you can confidently respond. Below are eight ways you can prepare.

Tip #1: Document HIPAA Policies and Procedures

One of your most important assets is your patient data. Unless there are proper policies and procedures in place, employees and insider threats may do things to put PHI in jeopardy. Under HIPAA 164.316, organizations are required to implement “reasonable and appropriate policies, procedures and standards.” Furthermore, organizations are required to document those policies and procedures to prove they’ve set boundaries and made expectations and standards transparent.

Tip #2: Assess Your Risk

According to the terms of the Breach Notification Rule, covered entities must conduct risk assessments to determine the probability that health information has been compromised. The main goal is to determine whether you need to report a PHI breach under the law. The Office of the National Coordinator for Health Technology (ONC) and the OCR recently updated their Security Risk Assessment Tool to guide organizations through the compliance process.

Tip #3: Secure and Protect all Forms of PHI

According to HIPAA 164.312, electronic systems holding ePHI must allow access only to those persons who have been granted access rights. Under HIPAA 164.306, covered entities and business associates must ensure the confidentiality, integrity and availability of all electronic PHI (ePHI).

Covered entities would be wise to monitor all systems holding ePHI, including EHRs, cloud applications and mobile devices. By monitoring with a full life cycle platform, they can detect, investigate, mitigate and remediate inappropriate activity to address incidents. This can also help organizations identify employees who need training, sanctioning or retraining — and foster a culture of privacy and compliance that prevents future incidents from occurring.
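As an added illustration of the monitoring described above (example code written for this page, not code from the article or from FairWarning's platform), the following Python runs two simple detection checks over constructed EHR audit events: one flags record views by users with no documented care relationship to the patient, the other flags users who touch an unusual number of distinct records outside business hours. The users, patient identifiers, roster and timestamps are all made up.

```python
"""Added example, not from the article or any vendor product: two detection
checks over constructed EHR audit events, in the spirit of monitoring all
systems that hold ePHI. Every user, patient and timestamp here is invented."""
from collections import defaultdict
from datetime import datetime

# Constructed audit events: ISO timestamp, user, patient record, action.
AUDIT_LOG = """\
2018-10-01T09:12:00,nurse.a,PAT-1001,view
2018-10-01T09:40:00,nurse.a,PAT-1002,view
2018-10-01T10:05:00,dr.b,PAT-1003,view
2018-10-01T13:20:00,clerk.c,PAT-1001,view
2018-10-01T22:01:00,clerk.c,PAT-1004,view
2018-10-01T22:03:00,clerk.c,PAT-1005,view
2018-10-01T22:04:00,clerk.c,PAT-1006,view
2018-10-01T22:06:00,clerk.c,PAT-1007,view
2018-10-02T03:15:00,dr.b,PAT-1003,update
"""

# Constructed care-team roster: the patients each user is assigned to.
# A user absent from the roster, or with an empty set, has no documented
# treatment relationship with any patient.
CARE_TEAM = {
    "nurse.a": {"PAT-1001", "PAT-1002"},
    "dr.b": {"PAT-1003"},
    "clerk.c": set(),  # hypothetical registration clerk with no assigned patients
}


def parse_events(text):
    """Parse the comma-separated audit lines into dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def access_without_relationship(events, care_team):
    """Return (user, patient, timestamp) for every access to a record that is
    not on the user's care-team roster. These are leads for investigation,
    not proof of wrongdoing: the roster may simply be incomplete."""
    findings = []
    for e in events:
        if e["patient"] not in care_team.get(e["user"], set()):
            findings.append((e["user"], e["patient"], e["ts"].isoformat()))
    return findings


def after_hours_bulk_access(events, start_hour=20, end_hour=6, threshold=3):
    """Count distinct patient records each user touched between start_hour
    (inclusive) and end_hour (exclusive) and return the users whose count
    reaches the threshold. Defaults are assumptions, not regulatory values."""
    touched = defaultdict(set)
    for e in events:
        hour = e["ts"].hour
        if hour >= start_hour or hour < end_hour:
            touched[e["user"]].add(e["patient"])
    return {user: len(p) for user, p in touched.items() if len(p) >= threshold}


if __name__ == "__main__":
    evts = parse_events(AUDIT_LOG)
    for finding in access_without_relationship(evts, CARE_TEAM):
        print("no care relationship:", finding)
    for user, n in after_hours_bulk_access(evts).items():
        print(f"after-hours bulk access: {user} touched {n} records")
```

On the constructed data the first check surfaces five accesses by `clerk.c`, and the second flags the same user for four distinct records viewed after 22:00; `dr.b`'s single 03:15 update of an assigned patient is not flagged. In practice a roster-only rule produces noise for roles such as registration or billing staff, which is why the article pairs detection with investigation and remediation rather than treating every hit as a violation.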

Tip #4: Create an Incident Response Plan

By creating a well-thought-out incident response plan (IRP), you will help your organization contain security incidents that would otherwise become breaches requiring regulatory involvement. The HIPAA Security Rule requires covered entities to have IRPs.

Tip #5: Discover Unknown and Poorly Known Users

FairWarning sampled 1 million users of EHRs and cloud applications and found that 26 percent were poorly known or unknown to the care provider. Such users cannot be monitored or audited, which makes it difficult to train or sanction them in the event of a HIPAA violation. To help, organizations can improve compliance by implementing identity correlation technology in their EHRs and cloud applications.
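To make the idea of identity correlation concrete, here is an added Python example (written for this page; it is not FairWarning's technology or any product's algorithm). It joins application user accounts from a hypothetical EHR and a hypothetical cloud application against an HR directory, using whatever identifier each application exposes, and classifies each account as known, poorly known (matched, but the HR record is inactive or incomplete) or unknown (no match). The directory, accounts and the `example-health.org` domain are all constructed.

```python
"""Added example, not from the article or any vendor: a basic identity
correlation pass. Application accounts are matched to an HR directory by
email, employee id or email local part, then classified. All data is invented."""

# Constructed HR directory: the authoritative list of workforce members.
HR_DIRECTORY = [
    {"employee_id": "E100", "email": "alice.ng@example-health.org",
     "name": "Alice Ng", "department": "Nursing", "status": "active"},
    {"employee_id": "E101", "email": "bob.rao@example-health.org",
     "name": "Bob Rao", "department": "Radiology", "status": "active"},
    {"employee_id": "E102", "email": "carol.li@example-health.org",
     "name": "Carol Li", "department": "", "status": "active"},  # incomplete record
    {"employee_id": "E103", "email": "dan.ok@example-health.org",
     "name": "Dan Ok", "department": "Billing", "status": "terminated"},
]

# Constructed application accounts. Each application identifies users
# differently: a short EHR login, an employee id, a bare username, an email.
APP_ACCOUNTS = [
    {"app": "ehr", "user_id": "ANG", "email": "Alice.Ng@Example-Health.org"},
    {"app": "ehr", "user_id": "E101", "email": ""},
    {"app": "ehr", "user_id": "carol.li", "email": ""},
    {"app": "ehr", "user_id": "tempuser7", "email": ""},
    {"app": "cloud", "user_id": "dan.ok@example-health.org",
     "email": "dan.ok@example-health.org"},
    {"app": "cloud", "user_id": "svc-integration", "email": ""},
]


def build_index(directory):
    """Index HR records by lowercase email, employee id and email local part
    so that any of those identifiers can be resolved to a person."""
    index = {}
    for rec in directory:
        email = rec["email"].lower()
        index[email] = rec
        index[rec["employee_id"].lower()] = rec
        index[email.split("@")[0]] = rec
    return index


def candidate_keys(account):
    """Normalised identifiers to try for an account, most specific first."""
    keys = []
    for field in ("email", "user_id"):
        value = account[field].strip().lower()
        if value:
            keys.append(value)
            if "@" in value:
                keys.append(value.split("@")[0])
    return keys


def classify(account, index):
    """Return (status, employee_id). A match against an inactive or
    incomplete HR record counts as poorly known, since the organization
    cannot confidently train or sanction that person."""
    for key in candidate_keys(account):
        rec = index.get(key)
        if rec is None:
            continue
        if rec["status"] != "active" or not rec["department"]:
            return "poorly_known", rec["employee_id"]
        return "known", rec["employee_id"]
    return "unknown", None


def correlate(accounts, directory):
    index = build_index(directory)
    return [
        {"app": a["app"], "user_id": a["user_id"],
         "status": classify(a, index)[0], "employee_id": classify(a, index)[1]}
        for a in accounts
    ]


def summarize(results):
    """Counts per status plus the share of accounts that are not well known."""
    counts = {"known": 0, "poorly_known": 0, "unknown": 0}
    for r in results:
        counts[r["status"]] += 1
    total = len(results)
    not_well_known = counts["poorly_known"] + counts["unknown"]
    pct = round(100 * not_well_known / total, 1) if total else 0.0
    return {**counts, "total": total, "pct_not_well_known": pct}


if __name__ == "__main__":
    results = correlate(APP_ACCOUNTS, HR_DIRECTORY)
    for r in results:
        print(r)
    print(summarize(results))
```

On the constructed data two accounts resolve cleanly, two are poorly known (one terminated employee still holding a cloud account, one person with no department on file) and two, a temporary login and a service account, match nobody. The service-account case is worth noting: such accounts legitimately exist, but they still need an accountable owner in the directory before their activity can be audited.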

Tip #6: Keep Training Your Workforce

Contrary to popular belief, threats from within are more prevalent than from without. In fact, 58 percent of health care breaches involve insiders. To make sure employees are fully absorbing the policies and regulations of their day-to-day work, training should be treated as an ongoing process, not a one-time event. Once you identify employees who need training through your monitoring program, you should clearly communicate expectations about your organization’s policies and procedures and train accordingly through an LMS program.

Tip #7: Keep Your Risk Analysis Current

It’s essential to create the policies and procedures required to implement a privacy and compliance program that adheres to the final Breach Notification Rule. To do so, identify your high-risk assets and ensure that your risk analysis of these assets is current. These should include both technical and nontechnical assets that are business-critical.

Tip #8: Maintain an Inventory of Business Associate Agreements

It is a critical best practice to enter into business associate agreements (BAAs) with any vendors handling PHI. This helps ensure that both parties are held accountable for creating, receiving or transmitting PHI in a secure and intended manner. If either party violates the BAA, they may face penalties from the HHS. Most importantly, find a vendor who takes the BAA very seriously. Any organization can sign one, but do they have the proper protocols in place to responsibly handle PHI? Ask questions and investigate to assess how secure their processes really are.

Fit for the Future

Avoiding fines and bad PR is not the primary reason for proactively planning for an OCR HIPAA audit, but those negatives can serve as the impetus to do what you already know needs to be done and perhaps just haven’t found time for. Use the tips listed above to ensure you have a proactive privacy and compliance program that will set the stage for future technology adoption – and future regulations. Above all, these best practices will help keep patient data secure and increase trust.


Shane Whitlatch

Shane Whitlatch is Executive Vice President at FairWarning, where he works with the company's largest and most sophisticated customers in order to ensure they get the greatest value possible from their solutions. Shane also plays a major role in alliance development.

© 2025 Corporate Compliance Insights