Preparing & Responding to an OCR HIPAA Audit

Barry Mathis
Principal
PYA (Pershing Yoakley & Associates, P.C.)
Preparing & Responding to an OCR
HIPAA Audit

Learning Objectives
1. Analyze the steps of the OCR HIPAA audit process
2. Discuss tips that will assist you in your efforts to
respond accurately and efficiently
3. Demonstrate tools and techniques to help assess your
ability to respond and identify any gaps and
weaknesses
4. Discuss lessons learned from completed audits

What Starts an OCR HIPAA Audit?
 OCR HIPAA Audit Program
 In its 2016 Phase 2 HIPAA Audit Program, OCR will review
the policies and procedures adopted and employed by
covered entities and their business associates to meet
selected standards and implementation specifications of
the Privacy, Security, and Breach Notification Rules
 These audits will primarily be desk audits, although some
on-site audits will be conducted
 Desk audits (in process but likely behind schedule)

(cont.)
 Consumer complaint (as of June 30, 2017)1
 Since the compliance date of the Privacy Rule in April
2003, OCR has received over 158,834 HIPAA complaints
and has initiated over 825 compliance reviews
 OCR has resolved ninety-nine percent of these cases
(156,467)
 OCR has successfully enforced the HIPAA Rules by
applying corrective measures in all cases where an
investigation indicates noncompliance
 To date, OCR has settled 52 cases resulting in a total
dollar amount of $72,929,182
1. Data Source: Department of Health and Human Services’ Office for Civil Rights: Figures Updated June 30, 2017

(cont.)
 Breach
Year
Number of
Breaches (500+)
Number of
Records Exposed
2016 329 16,471,765
2015 270 113,267,174
2014 307 12,737,973
2013 274 6,950,118
2012 209 2,808,042
2011 196 13,150,298
2010 198 5,534,276
2009 18 134,773
Total 1801 171,054,419
According to the
Identity Theft
Resource Center, 791
data breaches have
already been reported
YTD 6/30/17
Table Data Source: Department of Health and Human Services’ Office for Civil Rights: Figures Updated February 7,
2017

Meaningful Use Compliance
 Any provider attesting to receive EHR incentive payments
for either the Medicare or Medicaid program may be
subject to audits
 Medicaid audits are performed by each state
 Medicare audits are performed by Figliozzi & Company

Whistleblower Complaints
 Employees filing an OCR complaint alleging their
employer’s failure to comply with HIPAA regulations
 OCR required to investigate 100% of complaints
 Many of these stop at the desk audit or documentation
review stage
 Some are justified and result in larger OCR or DOJ
investigations

Steps of the OCR HIPAA Audit
Process
Tips that will assist you in your efforts to respond accurately and efficiently

Responding to an OCR Audit
 Notify and retain counsel, regardless of audit focus
 In-house or outside counsel can help prepare for a
potential appeal should a penalty or fine be levied
 Have a response plan in place prior to any notification
 Respond timely--last minute submittals can be viewed as
a weakness in managing expected controls
 Send only what is requested and be honest about any
gaps

What to Expect
 Most audits will focus on:
 The seven fundamental practices of the Privacy Rule
 The administrative, physical, and technical safeguards of
the Security Rule
 The requirements of the Breach Notification Rule
 Complaint response audits may also ask for specific
documents related to a time, date, or patient

Typical Proactive Audit Process
 Notification Letter from the OCR triggers the audit
 Documentation due 10 days from the Notice date
 Start of the site visit (30-90 days from the Notice), if
required
 Period of analysis and questions
 Draft Audit Report (20-30 days from the end of the site
visit)
 Comments on Draft Audit Report due within 10 days from
the date of the Draft Audit Report
 Final Audit Report (30 days after the Comment Period)

Documentation Requests
 The request for documentation includes, but is not limited
to, the following:
 Audit logs and other system-generated information
 Organizational chart
 Policies and procedures (specifically, Uses and Disclosures)
 Breach Notification
 Complaint
 Sanctions

Documentation Requests (cont.)
 The request for documentation (cont.)
 Incident response plans
 Technical controls and information
 Physical safeguards
 Notice of privacy practices
 Network diagrams
 Training documentation
 Six years of previous HIPAA Risk Analyses

Tools and techniques to help assess your ability to respond and identify
any gaps and weaknesses
Prepare in Advance for the Audit

Have a Plan
 Develop and TEST your HIPAA audit response plan
 Identify where ALL of the documentation is stored
 It is key to know the format used so documentation can be
retrieved and read; PDF files are often best
 Ensure that you know where system-generated information,
such as audit logs, exists and the lead time necessary to
extract the information
 Practice presenting the documentation in an organized and
responsive manner that tells the story about how your
organization is committed to comply with the Privacy and
Security and Breach notification rules

Conduct a Mock Audit
 Using the published OCR Audit Protocol, conduct an
internal, or solicit an external, mock audit
 Follow the same process steps as OCR
 Use a local or secure cloud-based portal to submit
documents to a review panel
 Use the OCR 2016 Desk Audit guide as your document
request criteria:
 https://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAud
iteeGuidance.pdf
 Conduct and critique in-person interviews
 Use network scanning tools to assess technical
vulnerabilities
 Update mitigation pathways for HIPAA Risk Analysis

Lessons learned from completed audits
Lessons Learned

2016 Phase 2 Audits
 On July 11, 2016, OCR notified 167 covered entities that
they were selected to participate in HIPAA desk audits
 The covered entities being audited were selected by a
random, computerized process designed to reflect an
even geographic distribution from a list of more than
10,000 covered entities that completed pre-audit
questionnaires
 OCR will not post the final reports or a list of the audited
entities, but the agency acknowledges that information
may be discoverable pursuant to a Freedom of
Information Act (FOIA) request
 The pace of these audits has slowed in 2017, but is likely
to increase for 2018

Previous Auditee Breakdown
 Large providers/health plans
 Extensive use of HIT –
complicated HIT-enabled
clinical/business work streams
 Revenues and or assets greater
than $1 billion
 Large regional hospital systems (3 to
10 hospitals/region), regional
insurance companies
 Paper- and HIT-enabled work flows
 Revenues and or assets $300 million
to $1 billion
 Community hospitals, outpatient
surgery centers, regional
pharmacies, all self‐insured
entities that do not adjudicate
their claims
 Some, but not extensive, use of
HIT – mostly paper-based
workflows
 Revenues $50 million to $300
million
 Small providers (10 to 50 provider
practices, community or rural
pharmacies)
 Little-to-no use of HIT – almost
exclusively paper-based workflows
 Revenues less than $50 million
Level 1 Entities Level 2 Entities
Level 3 Entities Level 4 Entities

Phase 2 Audit Results Highlights
No findings or observations for 13 entities (11%)
2 Providers, 9 Health Plans, 2 Clearinghouses
Security accounted for 60% of the findings and
observations (although only 28% of potential total)
Providers had a greater proportion of findings and
observations (65%) than reflected by their proportion of the
total set (53%)
Smaller, Level 4 entities struggle with all control areas

(cont.)
58 of 59 providers had at least one security finding or
observation
No complete and accurate risk assessment in two-thirds
of entities (47 of 59 providers)
Security addressable implementation specifications: Almost
every entity without a finding or observation fully
implemented the addressable specifications

(cont.)
 HIPAA found to not be an organizational priority
 Small providers had far more significant compliance
failures
 Failure to conduct regular risk assessments
 Definition of “minimum necessary” not understood
 Security issues predominate over privacy issues
 User access
 Encryption
 Media management – reuse and destruction

Helpful Tips and Links
 Review the open webinar slides from former OCR Director
Jocelyn Samuels’s Phase II HIPAA Audit Review
 https://www.hhs.gov/sites/default/files/OCRDeskAuditOpenin
gMeetingWebinar.pdf
 Review the HHS Guidance for a HIPAA Security Risk
Analysis
 https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/admi
nistrative/securityrule/riskassessment.pdf?language=es
 Use the HHS Published Audit Protocol to develop a self-
assessment
 https://www.hhs.gov/hipaa/for-professionals/compliance-
enforcement/audit/protocol/index.html?language=es

Helpful Tips and Links (cont.)
 Complete a BAA Review using HHS template
 https://www.hhs.gov/hipaa/for-professionals/compliance-
enforcement/audit/batemplate/index.html
 Consider having an independent third party conduct a
review of:
 HIPAA Policies and Procedures
 HIPAA Security Risk Analysis
 Business Associate Agreements
 HIPAA training material and documentation
 Breach Notification
 Notice of Privacy Practices
 Consider having third party conduct a mock audit

Save the Date
San Diego, CA
August 26-29, 2018

Questions?
BARRY MATHIS
Principal, IT Advisory Services
bmathis@pyapc.com
P: (800) 270-9629
C: (423) 827-7893
Thank you!

Preparing & Responding to an OCR HIPAA Audit

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Preparing & Responding to an OCR HIPAA Audit

Ähnlich wie Preparing & Responding to an OCR HIPAA Audit (20)

Mehr von PYA, P.C.

Mehr von PYA, P.C. (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Preparing & Responding to an OCR HIPAA Audit