The HHS Office for Civil Rights plans to begin a random audit program this year to assess compliance with the HIPAA privacy, security and breach notification rules. David Holtzman, a former senior advisor at OCR and now vp of compliance services at security firm CynergisTek, offers the following outline of what providers selected for an audit can expect and how to prepare.
In a 2012 pilot audit program, security rule problems were seen twice as often as anticipated, so expect security issues addressed under a permanent audit program to be bumped up. OCR found through the pilot audits that many organizations had not conducted a security risk analysis or never updated an initial analysis-which signals that an organization is not taking HIPAA seriously. Other areas with significant deficiencies included access management, security incident procedures, contingency planning, audit controls, and movement and destruction of protected health information.
OCR plans to send notification letters to 1,200 healthcare organizations to confirm their address, HIPAA officers, sizes and functions. This is not an audit notice, but the information will be used to build a list of those that will be audited. Organizations selected for audit by OCR will not receive email notification-they will receive a formal audit notification letter-so beware of scammers.
About 200 covered entities and 300-400 business associates will receive notification of a "desk audit," which will include a request for submission of specific content and other documentation that demonstrates the scope and timeliness of an organization's efforts to comply with HIPAA rules. Focus areas for covered entities likely will include risk analysis and risk management, content and timeliness of breach notifications and notice of privacy practices updated to reflect changes in the HIPAA Omnibus rule implemented in 2013. The likely focus for breach audits will be risk analysis and risk management, and appropriate breach reporting to covered entities.
Under a desk audit, only documentation delivered on time will be reviewed. Send only the information required. Auditors likely will be looking for updated privacy practice notices, the ability of patients to get a copy of their health record and to access them electronically if desired, and how organizations treat requests to restrict access to sensitive treatment paid out-of-pocket. Desk audits, Holtzman says, are not an opportunity for a conversation or give-and-take. Auditors will not contact an organization again for clarifications or additional information; they will work only with what they get. Failure to respond to a desk audit notification likely will lead to a more formal compliance review. (Audit findings will not become a matter of public record.)
OCR this year and likely into 2016 will conduct on-site audits of an unspecified number of covered entities and business associates. This is more comprehensive than a desk audit, with a greater focus on privacy. Expect OCR in these on-site audits to look at security rule compliance in such areas as device and media controls, secure transmissions, encryption of data (including documented justification if you're not using encryption), facility access controls, administrative and physical safeguards, and workforce training. And expect an emphasis on training, as many organizations haven't trained since first required in 2003. "That really rubs [auditors] the wrong way," Holtzman says.
If your risk-analysis and risk-management plans are more than 2 years old, update now, Holtzman suggests. Select 10 focus areas covering both the privacy and security rules, and if vulnerabilities have not been addressed, address them. "The best process to prepare for an audit is to be prepared the day the letter arrives," Holtzman says. "Be honest with yourself. Don't paint a happy picture because you think you know what management wants to hear."