Kusserow’s Corner: OCR Audit Update and Compliance Tips

The good news is that the HHS Office of Civil Rights (OCR) has delayed the start of the Phase 2 audits, which were to begin in October 2014, until it implements new technology that will improve its pre-audit survey-screening tool. Linda Sanches, head of enforcement, policy, and outreach for OCR, made this announcement at the HIMSS Privacy and Security forum in Boston. The not-so-good news is that as HIPAA breach reports continue to mount, there is increasing pressure on OCR to proactively conduct more in-depth field audits rather than the more limited desk audits. As a result, Sanches reported that the new audits will build on what was learned from the Phase 1 audits. The Phase 1 audits found virtually all of the audited entities had at least one Security Rule violation, and four out of 10 entities lacked awareness of the HIPAA Standards. Under the new plan, OCR will provide a questionnaire to a random, geographically distributed sample of hospitals, physician practices, and dental offices. The survey objective is to learn more about the organizations that may be selected for an audit. Those receiving the questionnaire will have two weeks to respond to OCR’s audit request. The request will specify the content, organization size measures, location, services, contact information, file names, and other documentation requirements. Failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review. As OCR moves forward, it will expect entities to enter data online through its “portal,” which will save OCR time and permit more audits.

Originally, Phase 2 was to conduct 400 desk audits of both covered entities and business associates, but that number has been cut in half as a result of additional funding for on-site, comprehensive audits. OCR reported that in deciding whether or not to audit a provider or investigate a reported breach, it will look for patterns in any prior reported breaches that suggest the absence of proper policies, procedures, and risk reviews. Those who fail to show evidence of developing and implementing these policies will likely be targeted not only for investigations, but for significant fines ranging from around $200,000 to millions of dollars.

In response to the revised plan announced by OCR, Betta Sherman, who specializes in HIPAA consulting, states that “Phase 2 audits are likely to be more hard-hitting with what OCR learned from Phase 1, and as a result of so many reported PHI breaches.” Camella Boateng, a consultant specializing in physician practice compliance, believes “there are very few physician practices today that are prepared to pass an OCR audit.” Dr. Cornelia Dorfschmid, a leading consultant on the subject, said that “the message from OCR is clear that providers and BAs better be prepared for an OCR audit, if they want to reduce the likelihood of problems.” She added, “the best advice I can give is for Covered Entities and BAs to ensure independent risk reviews are conducted at least annually.” The following are some of the important issues that should be addressed in any compliance review.

Evidence of HIPAA Compliance

  1. Recently completed comprehensive security risk and vulnerability assessment.
  2. Breach assessment procedures are up to date.
  3. BAs are identified, with up-to-date contact information and the services they supply.
  4. Privacy and Security policies and procedures are up to date and being followed.
  5. Sanction process, policies and procedures are in place and being followed.
  6. Any sanctions imposed on individuals followed the published sanctions policy.
  7. Laptops, mobile devices (including cell phones and flash drives) are registered.
  8. Laptops and mobile devices have been evaluated for appropriate security controls.
  9. Laptops and mobile devices are all encrypted.
  10. Policies and processes are in place to deal with any breach of PHI information.
  11. Security Rule encryption and decryption requirements are being met.
  12. Facility access control processes are in place.
  13. BAs have been trained on breach reporting to covered entities.
  14. Action items identified in Risk Assessment are timely completed.
  15. Policies/procedures are in place addressing uses and disclosures of PHI.
  16. Reasonable and appropriate safeguards are in place for paper and verbal PHI.
  17. Workforce has received training on HIPAA Rules related to job duties.
  18. An inventory of information system assets, including mobile devices, exists.
  19. All systems and software that transmit electronic PHI employ encryption technology.
  20. All facilities that store or otherwise have access to PHI have security plans in place.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2014 Strategic Management Services, LLC. Published with permission.