About the New Guidance on OCR Audit Program

The OCR HIPAA Audit program is off and running. OCR has selected 167 Covered Entities for desk audits and has published three new guidance documents. The documents are available for public view, but they all grew out of responses to questions that audit targets raised after being notified that they had been selected for desk audits.

In preparation for the audits, OCR conducted a remote PPT webinar for audit participants. The presentation deck, which you can find here, discusses the purpose of the program and the audit process. Another document (here) lists the protocols that will be the focus of the audits (more on that in a bit). The last document is a Q & A in which OCR responds to questions submitted by audit targets.

9 Key Takeaways

In case you don’t want to wade through it all, here are 9 important takeaways from the new guidance documents:

  1. For the desk audits, there will be two types of audits: a Security-focused audit and a Privacy/Breach audit. 
  2. For each of these audit types, the focus will be on seven areas of greater risk to the security of protected health information (PHI) and of pervasive non-compliance, based on OCR’s Phase I Audit findings and observations, rather than on a comprehensive review of all of the HIPAA Standards. 
    • Privacy Rule Controls
      • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
      • Provision of Notice – Electronic Notice [§164.520(c)(3)]
      • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
    • Breach Controls
      • Content of Notification [§164.404(c)(1)]
      • Timeliness of Notification [§164.404(b)]
    • Security Controls
      • Security Management Process -- Risk Analysis [§164.308(a)(1)(ii)(A)]
      • Security Management Process -- Risk Management [§164.308(a)(1)(ii)(B)]
  3. The Phase 2 Audits appear to be intended to identify best practices and to uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. These seven components are a much more realistic and simpler scope than having to supply documentation for all of the published protocols (which print out to over 400 pages). 
  4. OCR makes it clear that participants must provide documentation that was already in effect on the date of the notice. Several participants asked whether they could use risk analyses or policies that were in “draft,” and the answer was “no.” Documentation had to be current and in place as of July 11th, the date the notices were sent. 
  5. All responses were required to be submitted by July 22nd. 
  6. The slide deck includes screenshots of the submission screens from the upload portal. 
  7. At least one “small pharmacy” was selected to be audited. 
  8. An “energy company” with a self-funded health plan was selected for an audit, which I’m sure came as a surprise.
  9. There were a lot of questions about risk analysis, especially about how you document and communicate your response to the risk analysis via your risk management plan. With every risk analysis that we conduct, Healthicity includes the risk management plan, with clear guidance on how to document activities and mitigate the risks associated with the findings. 

The key takeaway from the guidance is that it will not be possible to comply on short notice. Entities need to get their HIPAA compliance program in place now, if they haven’t done so already, and keep it updated with the supporting documents needed to manage and prove compliance. Consider watching this free webinar, "OCR (HIPAA Stage 2) Audits: What to Expect and How to Prepare," for more insights on how to prepare. Lastly, it is important to note that where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

OCR PPT Webinar Notes

Intent:

  • Identify industry best practices
  • Discover risks and vulnerabilities not discovered through enforcement activities
  • Get in front of problems before they result in breaches
  • Not an enforcement action; a compliance improvement activity

OCR wants to: 

  • Better understand compliance activities 
  • Identify the types of technical assistance OCR should develop 
  • Develop tools/guidance for compliance self-evaluation and to prevent breaches 

Sampling criteria covering a range of entities: 

  • Size 
  • Affiliation 
  • Location 
  • Public
  • Private 

Health plans divided into: 

  • Group plans and 
  • Issuers

Providers categorized by type:

  • Hospital 
  • Practitioner 
  • Elder care/SNF 
  • Health system 
  • Pharmacy 

Randomized algorithm that drew from each of the groups: 

  • 167 CEs selected 
  • Two types of audits 
    • Security 
    • Privacy/Breach 

Onsite audits: 

  • Begin early 2017 
  • Onsite audits will evaluate auditees against a comprehensive set of compliance controls 
  • Desk auditees may also be subject to onsite audits; in fact, the Q & A states that being uncooperative makes a desk audit target more likely to receive an onsite audit 

Audit process:

  • 10 days to provide responses 
  • Specified documentation 
    • Policies and procedures 
    • Evidence of implementation 
  • Provide complete and relevant materials 
  • Refrain from providing superfluous documents 
  • 10 MB size limit (surprising) 

BA Desk audits:

  • Will commence in late September 
  • Same rules and expectations 
  • Pool drawn from the BAs identified by the CEs (presumably the audit targets) 

Document requests:

  • Due within 10 days (July 22nd) 
  • Sent via email 
  • Two separate requests 
    • P&Ps and other related documentation 
    • List of all the CE’s BAs 
  • Specifies the document elements to be provided, e.g.: 
    • Provision of Notice – Electronic Notice [§164.520(c)(3)] 
    • Breach Notification Rule Controls 
    • Timeliness of Notification [§164.404(b)] 
  • Security Rule BA list must be submitted via email 
  • All other documents must be submitted via the portal 

Response expectations:

  • Provide only the specified policy 
  • Extract the relevant section from a policy compendium if needed 
  • Auditees are responsible for providing clear, complete and responsive documents 
  • Entities will not receive credit for a late submission 

Privacy rule controls:

  • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)] 
  • Provision of Notice – Electronic Notice [§164.520(c)(3)] 
  • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)] 

Breach controls: 

  • Content of Notification [§164.404(c)(1)] 
  • Timeliness of Notification [§164.404(b)] 

Security controls: 

  • Security Management Process -- Risk Analysis [§164.308(a)(1)(ii)(A)] 
  • Security Management Process -- Risk Management [§164.308(a)(1)(ii)(B)] 

Reporting process: 

  • Draft findings 
  • Entity can respond to the draft 
  • Final report will cover how the audit was conducted, the findings, and the entity’s response 
  • OCR could open a compliance review in the event of severe threats to privacy/security 

Have additional questions? Leave them in the comments section below and I’ll answer as soon as possible.