PYA Principal Barry Mathis presented “Preparing and Responding to an OCR HIPAA Audit” at the Association of Healthcare Internal Auditors (AHIA) 36th Annual Conference.
Areas of focus included:
Understanding the steps of an OCR HIPAA audit.
Learning methods for responding accurately and efficiently to audits.
Understanding how to assess ability to respond to, and identify gaps and weaknesses in, processes.
Discussing lessons learned from completed audits.
2. Page 1
Learning Objectives
1. Analyze the steps of the OCR HIPAA audit process
2. Discuss tips that will assist you in your efforts to respond accurately and efficiently
3. Demonstrate tools and techniques to help assess your ability to respond and identify any gaps and weaknesses
4. Discuss lessons learned from completed audits
3. Page 2
What Starts an OCR HIPAA Audit?
OCR HIPAA Audit Program
In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.
These audits will primarily be desk audits, although some on-site audits will be conducted.
Desk audits (in process but likely behind schedule)
4. Page 3
What Starts an OCR HIPAA Audit? (cont.)
Consumer complaint (as of June 30, 2017) [1]
Since the compliance date of the Privacy Rule in April 2003, OCR has received over 158,834 HIPAA complaints and has initiated over 825 compliance reviews.
OCR has resolved ninety-nine percent of these cases (156,467).
OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance.
To date, OCR has settled 52 cases resulting in a total dollar amount of $72,929,182.
[1] Data Source: Department of Health and Human Services' Office for Civil Rights: Figures Updated June 30, 2017
5. Page 4
What Starts an OCR HIPAA Audit? (cont.)
Breach
Year    Number of Breaches (affecting 500+ individuals)    Number of Records Exposed
2016    329      16,471,765
2015    270     113,267,174
2014    307      12,737,973
2013    274       6,950,118
2012    209       2,808,042
2011    196      13,150,298
2010    198       5,534,276
2009     18         134,773
Total   1,801   171,054,419
According to the Identity Theft Resource Center, 791 data breaches have already been reported YTD 6/30/17.
Table Data Source: Department of Health and Human Services' Office for Civil Rights: Figures Updated February 7, 2017
6. Page 5
Meaningful Use Compliance
Any provider attesting to receive EHR incentive payments for either the Medicare or Medicaid program may be subject to audits.
Medicaid audits are performed by each state.
Medicare audits are performed by Figliozzi & Company.
7. Page 6
Whistleblower Complaints
Employees filing an OCR complaint alleging their employer's failure to comply with HIPAA regulations
OCR is required to investigate 100% of complaints.
Many of these stop at the desk audit or documentation review stage.
Some are justified and result in larger OCR or DOJ investigations.
8. Steps of the OCR HIPAA Audit Process
Tips that will assist you in your efforts to respond accurately and efficiently
9. Page 8
Responding to an OCR Audit
Notify and retain counsel, regardless of audit focus. In-house or outside counsel can help prepare for a potential appeal should a penalty or fine be levied.
Have a response plan in place prior to any notification.
Respond on time; last-minute submittals can be viewed as a weakness in managing expected controls.
Send only what is requested and be honest about any gaps.
10. Page 9
What to Expect
Most audits will focus on:
The seven fundamental practices of the Privacy Rule
The administrative, physical, and technical safeguards of the Security Rule
The requirements of the Breach Notification Rule
Complaint response audits may also ask for specific documents related to a time, date, or patient.
11. Page 10
Typical Proactive Audit Process
Notification Letter from the OCR triggers the audit
Documentation due 10 days from the Notice date
Start of the site visit (30-90 days from the Notice), if required
Period of analysis and questions
Draft Audit Report (20-30 days from the end of the site visit)
Comments on Draft Audit Report due within 10 days from the date of the Draft Audit Report
Final Audit Report (30 days after the Comment Period)
12. Page 11
Documentation Requests
The request for documentation includes, but is not limited to, the following:
Audit logs and other system-generated information
Organizational chart
Policies and procedures (specifically, Uses and Disclosures), including:
  Breach Notification
  Complaint
  Sanctions
13. Page 12
Documentation Requests (cont.)
The request for documentation (cont.):
Incident response plans
Technical controls and information
Physical safeguards
Notice of privacy practices
Network diagrams
Training documentation
Six years of previous HIPAA Risk Analyses
14. Tools and techniques to help assess your ability to respond and identify any gaps and weaknesses
Prepare in Advance for the Audit
15. Page 14
Have a Plan
Develop and TEST your HIPAA audit response plan.
Identify where ALL of the documentation is stored.
It is key to know the format used so documentation can be retrieved and read; PDF files are often best.
Ensure that you know where system-generated information, such as audit logs, exists and the lead time necessary to extract the information.
Practice presenting the documentation in an organized and responsive manner that tells the story of how your organization is committed to complying with the Privacy, Security, and Breach Notification Rules.
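As an added example (not part of this presentation), a short Python script that tests a response plan on paper: given an inventory of where each piece of evidence lives, who owns it, how far back it is retained and how long extraction takes, plus a hypothetical document request, it reports which items cannot be delivered by the 10-day documentation deadline from the audit timeline above, which sources cannot cover the look-back requested (for instance six years of risk analyses), and which exist only in a format a review panel cannot open. The inventory, the request, the dates and the set of "reviewable" formats are all constructed for illustration and are not from OCR or the presenter.

```python
"""Audit-response readiness check.

Added example, not from the presentation. The inventory, request, dates
and the REVIEWABLE_FORMATS set below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# From the presentation's timeline: documentation is due 10 days from the notice.
DOC_DUE_DAYS = 10
# Assumption for this example: formats a review panel can open without the
# originating system (the slide only says "PDF files are often best").
REVIEWABLE_FORMATS = frozenset({"pdf", "csv", "txt"})


@dataclass(frozen=True)
class EvidenceSource:
    """One place audit evidence lives, as recorded in the response plan."""
    name: str
    owner: str             # who is responsible for pulling it
    location: str          # system or repository holding it
    retention_days: int    # how far back it can still be retrieved
    lead_time_days: int    # calendar days needed to extract and package it
    formats: frozenset     # export formats available


@dataclass(frozen=True)
class Finding:
    source: str
    problem: str


def documentation_deadline(notice: date) -> date:
    """Date the documentation response is due for a notice dated `notice`."""
    return notice + timedelta(days=DOC_DUE_DAYS)


def assess(inventory, request, notice, work_starts):
    """Return a Finding for each requested item the plan cannot satisfy.

    inventory:   list of EvidenceSource from the response plan
    request:     {source name: look-back in days the request covers}
    notice:      date on the OCR notification letter
    work_starts: date extraction actually begins
    """
    by_name = {s.name: s for s in inventory}
    deadline = documentation_deadline(notice)
    findings = []
    for name, lookback_days in request.items():
        src = by_name.get(name)
        if src is None:
            findings.append(Finding(name, "requested but not in the evidence inventory"))
            continue
        delivered = work_starts + timedelta(days=src.lead_time_days)
        if delivered > deadline:
            findings.append(Finding(name, f"lead time of {src.lead_time_days} days delivers on "
                                          f"{delivered.isoformat()}, after the {deadline.isoformat()} deadline"))
        if src.retention_days < lookback_days:
            findings.append(Finding(name, f"retention covers {src.retention_days} days, "
                                          f"request needs {lookback_days}"))
        if not (src.formats & REVIEWABLE_FORMATS):
            findings.append(Finding(name, f"no reviewable export format (available: {sorted(src.formats)})"))
    return findings


# Constructed inventory: a mix of system-generated and policy evidence.
SAMPLE_INVENTORY = [
    EvidenceSource("EHR access audit log", "IT security", "SIEM archive",
                   retention_days=730, lead_time_days=3, formats=frozenset({"csv"})),
    EvidenceSource("HIPAA risk analyses", "Privacy officer", "GRC document library",
                   retention_days=4 * 365, lead_time_days=1, formats=frozenset({"pdf"})),
    EvidenceSource("Workforce training records", "HR", "Learning management system",
                   retention_days=7 * 365, lead_time_days=2, formats=frozenset({"lms-native"})),
    EvidenceSource("Badge access logs", "Facilities", "Physical access controller",
                   retention_days=365, lead_time_days=14, formats=frozenset({"csv"})),
]

# Constructed request modelled on the document request list in the presentation.
SAMPLE_REQUEST = {
    "EHR access audit log": 180,
    "HIPAA risk analyses": 6 * 365,       # six years of previous risk analyses
    "Workforce training records": 2 * 365,
    "Badge access logs": 90,
    "Network diagrams": 0,                # current state only
}

SAMPLE_NOTICE = date(2018, 3, 5)          # constructed notice date
SAMPLE_WORK_STARTS = date(2018, 3, 6)     # extraction begins the next day


def sample_findings():
    return assess(SAMPLE_INVENTORY, SAMPLE_REQUEST, SAMPLE_NOTICE, SAMPLE_WORK_STARTS)


if __name__ == "__main__":
    print("Documentation due:", documentation_deadline(SAMPLE_NOTICE))
    for f in sample_findings():
        print(f"GAP  {f.source}: {f.problem}")
```

Run against the constructed data, the script flags the risk analyses (four years retained, six requested), the training records (no reviewable export), the badge logs (14-day extraction misses a 10-day deadline) and the network diagrams (not in the inventory at all); the EHR audit log passes. Replacing the constructed inventory with the real one from your response plan turns this into the "TEST your plan" step on the slide.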
16. Page 15
Conduct a Mock Audit
Using the published OCR Audit Protocol, conduct an internal, or solicit an external, mock audit.
Follow the same process steps as OCR.
Use a local or secure cloud-based portal to submit documents to a review panel.
Use the OCR 2016 Desk Audit guide as your document request criteria:
https://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf
Conduct and critique in-person interviews.
Use network scanning tools to assess technical vulnerabilities.
Update mitigation pathways for HIPAA Risk Analysis.
18. Page 17
2016 Phase 2 Audits
On July 11, 2016, OCR notified 167 covered entities that they were selected to participate in HIPAA desk audits.
The covered entities being audited were selected by a random, computerized process designed to reflect an even geographic distribution from a list of more than 10,000 covered entities that completed pre-audit questionnaires.
OCR will not post the final reports or a list of the audited entities, but the agency acknowledges that information may be discoverable pursuant to a Freedom of Information Act (FOIA) request.
The pace of these audits has slowed in 2017, but is likely to increase for 2018.
19. Page 18
Previous Auditee Breakdown
Level 1 Entities: Large providers/health plans; extensive use of HIT, with complicated HIT-enabled clinical/business work streams; revenues and/or assets greater than $1 billion
Level 2 Entities: Large regional hospital systems (3 to 10 hospitals/region), regional insurance companies; paper- and HIT-enabled work flows; revenues and/or assets $300 million to $1 billion
Level 3 Entities: Community hospitals, outpatient surgery centers, regional pharmacies, all self-insured entities that do not adjudicate their claims; some, but not extensive, use of HIT, with mostly paper-based workflows; revenues $50 million to $300 million
Level 4 Entities: Small providers (10 to 50 provider practices, community or rural pharmacies); little-to-no use of HIT, with almost exclusively paper-based workflows; revenues less than $50 million
20. Page 19
Phase 2 Audit Results Highlights
No findings or observations for 13 entities (11%): 2 providers, 9 health plans, 2 clearinghouses
Security accounted for 60% of the findings and observations (although only 28% of the potential total)
Providers had a greater proportion of findings and observations (65%) than reflected by their proportion of the total set (53%)
Smaller, Level 4 entities struggle with all control areas
21. Page 20
Phase 2 Audit Results Highlights (cont.)
58 of 59 providers had at least one security finding or observation
No complete and accurate risk assessment in two-thirds of entities (47 of 59 providers)
Security addressable implementation specifications: almost every entity without a finding or observation fully implemented the addressable specifications
22. Page 21
Phase 2 Audit Results Highlights (cont.)
HIPAA found to not be an organizational priority
Small providers had far more significant compliance failures
Failure to conduct regular risk assessments
Definition of "minimum necessary" not understood
Security issues predominate over privacy issues:
  User access
  Encryption
  Media management (reuse and destruction)
23. Page 22
Helpful Tips and Links
Review the open webinar slides from former OCR Director Jocelyn Samuels's Phase II HIPAA Audit Review:
https://www.hhs.gov/sites/default/files/OCRDeskAuditOpeningMeetingWebinar.pdf
Review the HHS Guidance for a HIPAA Security Risk Analysis:
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf?language=es
Use the HHS Published Audit Protocol to develop a self-assessment:
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html?language=es
24. Page 23
Helpful Tips and Links (cont.)
Complete a BAA Review using the HHS template:
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html
Consider having an independent third party conduct a review of:
  HIPAA Policies and Procedures
  HIPAA Security Risk Analysis
  Business Associate Agreements
  HIPAA training material and documentation
  Breach Notification
  Notice of Privacy Practices
Consider having a third party conduct a mock audit.