With the publishing of the audit protocol by the OCR, HHS is providing healthcare providers and business associates great insight into the questions they may face if selected for an audit. 

What is the OCR HIPAA Audit Program?

The OCR HIPAA Audit program is designed to analyze processes, controls, and policies of selected covered entities and business associates. The OCR has established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.

What Does Protocol Coverage Include?

According to the OCR, the combination of multiple requirements may vary based on the type of covered entity or business associate selected for review. Protocol coverage includes:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Requirements for the Breach Notification Rule.

It is still expected that the upcoming round(s) of audits will be based on a combined approach of “desk audits” that are performed remotely and more comprehensive on-site audits for a more limited selection of entities. The new protocol is somewhat broader in its coverage, with a total of 180 areas as opposed to 165 in the version used for the Pilot Audit program.

With this new guidance from the OCR, this is a perfect time for organizations with compliance obligations under HIPAA to reexamine their adherence to the regulatory standards as well as their readiness for a possible audit. Scrambling at the last hour to respond to an audit request is not a recipe for success.

How Do We Prepare for an OCR Audit?

The time to prepare for an audit is before you have been selected. But if you’ve already been selected, we can still get you ready.

Now is the time to prepare, knowing that you might be called on at some point to show evidence of compliance. Keep in mind, audits are NOT enforcement actions.

What’s the goal of an OCR audit?

The stated goal of the OCR audit program is to gauge overall HIPAA compliance across a wide variety of covered entities and business associates. The data will be used by HHS to assess the overall health of information security in the industry and to identify where additional outreach or education might be necessary. If you are notified that your organization has been chosen for an OCR audit, the following provides guidelines as to what you will want to do.

If You Are Chosen for an OCR Audit, Mobilize!

Assemble your team. The team should include your privacy and security officials and your organization’s compliance officer (if you have one). It’s also a good idea to notify your internal and/or external legal counsel so they can be kept apprised of all requests from the OCR and responses provided by you to the OCR. Keep your counsel on standby to provide you with guidance if necessary.

Respond completely and in a timely fashion. If you are notified that you have been selected for an audit, you will also get instructions on how and when to reply. There is documented evidence that being unresponsive will only make things worse for you if the OCR uncovers significant findings of non-compliance. Make sure you keep thorough records of all transactions during the audit process, and it’s a good idea to appoint one person to be in charge of all audit-related correspondence.

A few additional guidance points from the OCR include:

  • Only requested data submitted on time will be assessed.
  • All documentation must be current as of the date of the request.
  • If yours is a desk audit, auditors will not have the opportunity to contact you for clarification or to request additional information, so it is critical that your documents adequately reflect the program.
  • Do not submit extraneous information as it will increase the difficulty for the auditor to assess required items.
  • Failure to submit responses to requests may lead to referral for regional compliance review.

Craft responses carefully and don’t be bashful about questioning findings that you believe to be inaccurate. Historically, the OCR has allowed organizations to respond to identified issues. Be prepared to justify your position with facts and to explain your rationale for decisions you have made about your compliance and security strategy. There are many areas where HIPAA’s lack of specific direction works in your favor, assuming you can demonstrate a thoughtful and reasonable approach to complying with all of the standards.

Hopefully, your OCR audit will go smoothly. If you have done a good job addressing compliance standards and building out your security program, the report will require little or no follow-up. If not, you may be subject to voluntary compliance activities or to a more in-depth compliance review. Compliance reviews that identify significant issues may require additional corrective action or may lead to resolution agreements. In these cases, it’s advisable to engage attorneys and consultants who are well-versed in working with the OCR.

If your OCR audit is part of the ongoing OCR audit program, be aware that the purpose of the random audits is to gauge the compliance of the larger population, not just you. The OCR has been charged with educating and equipping organizations with compliance strategies, and part of that mission necessarily includes a certain number of audits to find out how organizations are performing.

An OCR Audit Preparation Checklist

Here’s what your business will want to have prepared if you are selected for an OCR audit:

  1. Risk analysis
  2. Evidence of a risk management plan (e.g. list of known risks and how you are dealing with them)
  3. Policies and procedures and descriptions as to how they were implemented
  4. Inventories of business associates and the relevant contracts and BAAs
  5. An accounting of where ePHI is stored (internally, printouts, mobile devices and media, third parties)
  6. How you monitor mobile devices and mobile media (thumb drives, CDs, backup tapes)
  7. Documentation on breach reporting policies and how you have responded to breaches
  8. A record of security training that has taken place
  9. Evidence of encryption capabilities

The OCR will be expecting organizations to assess their own procedures and the commensurate safety of ePHI with a high degree of objectivity. If you are introducing new business strategies, installing new information systems or targeting new markets, you will be expected to analyze your risk for each initiative. In their pilot program, the OCR found that two-thirds of the organizations they audited did not have a complete and accurate risk analysis.

This time around, we would encourage you not to be one of those.

How Healthcare Organizations Should Prepare for an OCR Audit

How can your healthcare organization demonstrate compliance efficiently and effectively? Let’s take a look at the essential steps to prepare for an OCR audit.

Clearing Up the HIPAA Myths

First, with so many myths floating around about HIPAA compliance and enforcement, it’s important to clarify what the audits are, and what they aren’t.

OCR audits aren’t the same as enforcement actions. Instead, they’re part of a broad effort to measure HIPAA compliance among covered entities across the industry, and ultimately determine common areas of need for better protection of healthcare data.

So if you receive a notification that you’ve been selected for an audit, don’t panic. You may be under the microscope, yes, but it’s not because you’ve done something wrong. The key is effective preparation.

How and When to Respond to OCR

One of your top-level concerns should be assembling the information that auditors will seek. This will help streamline the process and help you gauge your own readiness. If you are selected for an audit, OCR will supply you with instructions on exactly how to reply.

These instructions will also tell you when to respond, and that’s an equally important point. Only the information that you’ve submitted according to schedule will be evaluated, and missing the deadline does not work in your favor; we’ve seen evidence that being slow to respond can compound your difficulties if you are ultimately found to be out of compliance in a significant way.

With this in mind, take care to conduct all correspondence with OCR in a timely manner, adhering to the schedule that they set. Often it is appropriate to assign one individual to be responsible for these communications. Make sure your information is current as of the time of request, and don’t send data that OCR hasn’t asked for. As the audit process proceeds, be sure to make comprehensive records of all your correspondence.

Building the Right OCR Audit Response Team

In order to respond effectively to an audit, you’ll need the right team. That means security and privacy officials within your organization, relevant senior decision-makers, as well as your compliance officer, if you’ve designated one.

Your legal counsel, whether in-house or external, is another essential part of your OCR audit response team. Keep them up-to-date throughout the entire process, giving them access to all communications between your organization and OCR.

Within your organization, transparency and coordination between the relevant officials is absolutely key.

Speak Up When You Have Concerns

It’s important to be timely and helpful during your audit, but that doesn’t mean you should be shy or overly deferential. If OCR delivers a finding that you perceive to be inaccurate, you should speak up – OCR generally gives organizations the opportunity to respond to the issues they raise.

Of course, if you challenge OCR’s findings, you should be ready to back up your assertions with facts. Use documented evidence when possible and be able to justify your security and compliance strategy.

One crucial thing to remember about HIPAA is that you have some flexibility to meet many of its requirements in various ways, but you must be able to provide the rationale for your decisions. Recently, we discussed how organizations might employ various approaches to session timeouts to meet the HIPAA implementation specification for Automatic Logoff on devices with access to ePHI.

The Next Steps

When you communicate with OCR, be clear and deliberate. Craft your messages carefully, and provide the requested information in transparent detail – but avoid supplying arbitrary or superfluous data. Be timely in all of your responses, and ensure that you have a qualified and responsive team in place to handle the audit process.

What if your report identifies problems?

In this case, you may be asked to undergo voluntary compliance activities, or possibly a more detailed review. For very serious issues, your organization may be required to take corrective action; in some cases, you may have to go through resolution agreements. In such situations, we recommend working with consultants and attorneys who have experience dealing with the OCR.

An audit is a nerve-wracking experience for many, but you can take steps to minimize both your risk and the disruption. If you’ve prepared properly and put strong compliance measures in place alongside a robust security program, you should have minimal or even no required follow-up activity after your report. With the right actions, you can get through the audit smoothly and focus your attention on helping patients.