OCR Audits Playbook for Covered Entities

Special Training on the Breach Notification Final Rule


On-the-Fly Protection Won’t Fly with OCR

“Healthcare providers shouldn’t be just taking steps to safeguard information just because OCR is going to pick up its audit program. Frankly, safeguarding health information—the most important asset of any healthcare practice—is just a sound business

– David Holtzman, Former Office for Civil Rights (OCR) Senior Privacy and Security Advisor

In the healthcare compliance game, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is both governing body and referee.

The OCR’s most recent monitoring effort — the HITECH Act’s HIPAA Privacy, Security, and Breach Notification Audit Program — dealt a devastating blow to participating healthcare organizations. Only 11 percent of the 115 organizations in the first round of audits had no “findings” or “observations” (failures or weaknesses in meeting requirements), and 58 of 59 healthcare providers had at least one finding or observation in the area of security.1 Even worse, OCR found that the most common cause of findings or observations was that the covered entity (CE) was entirely unaware of the requirement.

With the next round of audits starting soon, CEs need to get their game on by not only understanding but also meeting the requirements in the areas of privacy, security, and breach notification. Pleading ignorance will not be a defense when OCR comes to call. Approximately 350 CEs — including health plans of all types, clearinghouses, and individual and organizational providers — and their business associates will participate in the phase 2 audits. Different CEs will be audited on different aspects of compliance: privacy, breach notification, or security.

Following the same format as our popular HIPAA Final Omnibus Rule Playbook, this OCR audit playbook from the coaching staff at RADAR focuses on the unique requirements of the Breach Notification Final Rule. It outlines a typical incident response, and provides tips and actionable items for every step — all the plays you need to protect your team against OCR fines and penalties, and win the compliance championship.

This playbook covers the following plays:

Play 1: Build Your Team
Play 2: Gather the Facts
Play 3: Conduct a Risk Assessment
Play 4: Plan Your Breach Response
Play 5: Provide Notification
Play 6: Prep for the Audit
Play 7: Evaluate Your Response

Game on!

1 www.mwe.com/OCR-to-Begin-Phase-2-of-HIPAA-Audit-Program-07-29-2014

2 www.healthcareinfosecurity.com/interviews/hipaa-audits-3-key-topics-i-2226


Overview of the HIPAA Final Rule

Published in the Federal Register on January 25, 2013, by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the HIPAA Final Rule reflects landmark legislation that affects nearly every aspect of patient privacy and data security. It encompasses a number of changes, including:

1. Modification of the HIPAA Privacy, Security, and Enforcement Rules to include HITECH requirements;
2. Modification of the Breach Notification Rule;
3. Modification of the HIPAA Privacy Rule regarding the Genetic Information Nondiscrimination Act of 2008;
4. Additional modifications to the HIPAA Rules.

Under the Breach Notification Final Rule, CEs must perform a risk assessment for every privacy or security incident involving unsecured PHI based on a new compromise standard, meet their burden of proof, and notify within certain timelines. Not only that, the methodology used to do risk assessments must be consistent from incident to incident. Whether or not CEs are audited, they can be certain that OCR is scrutinizing incident response efforts—and must plan each play accordingly.

Play 1: Build Your Team

The best teams work together. One player carries the ball, then hands it off to a teammate — the player who had possession of the ball now supports his teammate. Similarly, each member of the incident response team backs up the co-worker who holds primary responsibility at that moment. For instance, if it is a security incident, the CISO is tasked with gathering the facts of the incident, supported by the privacy officer and other technical resources. The CISO then hands the proverbial ball to the privacy officer to assess whether these facts represent a data breach under the Breach Notification Rule, and the CISO (and legal), in turn, support the privacy officer. If the incident is a reportable breach, the privacy officer often drives the notification process, again with support from the CISO, legal, compliance, and risk. Marketing/PR notifies the media, while the CFO evaluates financial costs.

The goal, of course, is managing incident response to comply with the Breach Notification Final Rule and protect affected individuals from potential harms—financial, reputational, and health risks.

The table below breaks down the plays into individual steps, so you can assign each task to the appropriate individual in your organization. Roles and responsibilities are best defined before an incident ever happens.

Don’t Forget State Breach Notification Laws!

Forty-seven states have their own version of a breach notification law—and their own definition of when an incident is a reportable

Thus, each jurisdiction requires a separate incident risk assessment. In addition, each state has its own notification requirements. These laws change and even conflict with one another—making incident response a real headache if your incident spans multiple

With RADAR®, one incident assessment covers all state and federal laws, making compliance simple.


State AGs Are Not Shy about HIPAA Enforcement

“We’re not at all reluctant to bring an enforcement action: (1) to serve as an example to other companies, and (2) to have a relatively equal playing field.”

– William Sorrell, Vermont Attorney General

Play 2: Gather the Facts

When a privacy or security incident that involves PHI is discovered, the incident response team will conduct an investigation to determine root cause, perform remediation, and document the facts of the incident, such as:

• The source of the incident;
• The level and risk of exposure;
• The nature of the personal data potentially exposed, and whether any protections (such as encryption) were in place;
• The number of potentially impacted patients (or employees);
• Remediation steps taken to contain the incident and limit exposure risks;
• Whether the event is ongoing or static;
• Whether the incident was malicious or non-malicious.

Accurate documentation of incident details is critical, because this is the information that will be assessed against the four compromise factors, as outlined in the Breach Notification Rule.

“Each incident’s risk assessment will be fact-specific, but the manner in which you analyze the four factors must be the same.”

– Sophia Collaros, Chief Privacy Officer, University of New Mexico Health Sciences Center

Task (Typical Role) / Person Responsible (fill in)

Play 1: Build your team (person responsible for assembling the team)

Play 2: Gather the facts (CISO/Infosec for security incidents; privacy/compliance for privacy incidents)

Play 3: Perform incident risk assessment (privacy)*:
• Assess facts against four factors
• Decide if incident is a breach
• Document reasoning

Play 4: Plan your breach response

Play 5: Provide notification:
• Individuals (legal/privacy)
• Media (marketing/PR)
• HHS (privacy/legal)

Play 6: Prepare documentation for regulatory inquiry/OCR auditors (legal)

Play 7: Evaluate performance (top management/board)

* It should be noted that we are referring to incident risk assessments as a privacy-related task or function; however, any role with the proper knowledge or qualifications — including individuals who work in infosec, legal, compliance, etc. — may conduct an incident risk assessment.

3 www.bna.com/state-attorneys-general-n17179877665


Play 3: Conduct an Incident Risk Assessment

With this information in hand, your privacy officer or similar individual can conduct a risk assessment to determine if the incident is a reportable breach. Under the HIPAA Final Rule, this incident risk assessment determines the probability that PHI has been compromised—the compromise standard—and must include, at a minimum, these four factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed;
4. The extent to which the risk to the protected health information has been mitigated.

If the risk assessment concludes there was a very low probability that PHI was compromised, you may decide the incident does not meet the legal requirements for a breach that requires notification. However, the Final Rule requires that your organization carry the burden of proof if your conclusions are called into question — or demonstrate that one of the existing exceptions to the definition of breach applies. Everything about the incident must be documented to meet your burden of proof — investigation, assessment, conclusions, etc. (See Play 6: Prepare for OCR Auditors or Regulators.)

Under the Final Rule, covered entities must develop a consistent, repeatable process for incident risk assessment. Healthcare organizations use a variety of tools to achieve consistency, from spreadsheets to purpose-built software.

Play 4: Plan Your Breach Response

If you decide, based on the incident risk assessment, that you have a notifiable breach, then it’s time to call in the incident response team you assembled in Play 1. Together, you plan a response that meets not only the needs of your organization but also those of the affected individuals whose data was breached. Too often, identity monitoring and protection solutions are one-size-fits-all, but that is as helpful as treating a broken leg with insulin. We recommend a more tailored approach. Consider, for example:

• Protection against medical identity theft and fraud if social security numbers or insurance information is exposed.
• Self-monitoring where PHI was exposed, but the risk of harm is low.
• Credit card monitoring if financial information was compromised.
• Identity recovery services for actual victims of identity theft.

Former OCR Advisor’s Advice on Incident Response

“[Healthcare providers must] implement an incident response program…. What OCR looks for is that you follow your procedure, and that you implement it, and that you do the four-step evaluation to determine if there is a low probability of compromise of health information. Not every unauthorized use or disclosure rises to the level of a breach. But you should carefully document the process and the analysis you’ve gone through to identify the data that’s gone missing or been used inappropriately.”

– David Holtzman, Former Office for Civil Rights (OCR) Senior Privacy and Security Advisor

4 www.healthcareinfosecurity.com/interviews/hipaa-audits-3-key-topics-i-2226


Play 5: Provide Notification

A critical part of breach response is notification. OCR has specific requirements for notifying the affected population, the media, and the Secretary of Health and Human Services. In addition, states have their own notification requirements, such as to Attorneys General or state insurance commissioners. Getting the right message to the right audience takes careful planning — and careful legal review — and generally includes the following steps:

Step 1: Determine notification requirements by jurisdiction — that is, the jurisdiction of the affected individuals.

Besides federal law, 47 states plus territories have their own breach notification regulations. Notification letters typically contain details of the breach, recommendations for protective action, mitigation steps (credit monitoring, etc.), and contact information.

Step 2: Develop notification schedule for individuals.

At the federal level, this is no later than 60 days after the breach was discovered.

Step 3: Develop notification schedule for regulators, and possibly the media.

If the breach affected 500 or more individuals, the 60-day notification deadline applies to HHS. All breaches are reported via an online form. Be prepared to have all documentation ready; HHS wants to know the details of the breach, including dates, type of data exposed, mitigation, and notification.

State laws vary. In California, for example, you would have to submit a sample copy of the notification letter to the state AG if you were required to notify more than 500 California residents as the result of a single breach.

Play 6: Prepare for OCR Auditors or Regulators

According to OCR: “Covered entities…have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.”5 Meeting this burden of proof is a question of documentation: how well did you document every step of the incident response process thus far, especially Plays 3 through 5? The checklist below, from privacy attorneys Adam Greene and Rebecca Williams, lists possible “data requests” that OCR may make:6

Document / Artifact (Do you have this?)

• Policies and procedures on breach notification*
• A copy of recent breach notifications
Breach Notification Letters: Simple is Best

“You need to write a letter that your grandmother, brother and neighbor down the street are all going to understand. You need to be cordial, accept responsibility and write the letter as if it was intended for your grandmother. Yes, I’m referring back to your grandmother again. Someone who has no idea what a data breach

– Heather Noonan, Senior Project Manager, ID Experts

5 www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule

6 www.dwt.com/Future-OCR-Audits-Have-Little-in-Common-With-Previous-RoundHeres-How-to-Prepare-04-10-2014

* The Breach Notification Final Rule also requires CEs to train employees on these policies and procedures, and to sanction employees who violate them.


Play 7: Evaluate Your Response

Congratulations! You won the championship — that is, you passed the audit (or regulatory inquiry) with flying colors. But success is more than compliance; it’s protecting the patients you serve from potential harm, including health, financial, and reputational risks due to identity theft. Thus, measuring customer (patient) satisfaction and identifying incident causes to prevent future ones is as important as satisfying regulators.

Customer satisfaction metrics include the number of:

• Affected individuals
• Individuals enrolled in credit monitoring (if offered)
• Identity theft victims (percentage of breached population)
• Calls or emails from concerned individuals

By examining incident trends, you can identify recurring weaknesses or vulnerabilities, and thus allocate training, security measures, or other risk management resources to where they will do the most good. Relevant metrics would include:

• The number of incidents that are malicious, and how many are due to human error
• How many incidents become breaches
• Where the incident started, e.g., department, site, etc.
• The number of incidents a month

Document / Artifact (Do you have this?) — continued from Play 6

• A copy of any incident risk assessments where notifications were not made. This includes:
  • Low probability that PHI was compromised
  • Any exceptions to the definition of a breach
• Documentation of the timelines from the discovery of a breach until the notifications of the breach were made
• Documentation of investigations relating to breaches
Documentation: Forget the Kitchen Sink

“Because OCR has indicated they are not looking to receive extraneous information, submitting that could hurt someone’s chances in the audit. OCR wants to see what it’s requesting — nothing more, nothing less. If they get everything, including the kitchen sink, it makes it harder for them to conduct their audit assessment. So make sure you’re only providing what was

– Adam Greene, Partner & Privacy Attorney, Davis Wright Tremaine LLP

7 www.healthcareinfosecurity.com/preparing-for-hipaa-audits-timely-tips-a-6925/op-1


© Copyright 2016 RADAR, a Business Unit of ID Experts. All Rights Reserved. 0316

Victory – A Team Effort

In the face of OCR audits and ongoing scrutiny, covered entities may find compliance a daunting task—especially with the Breach Notification Final Rule. But it doesn’t have to be. This playbook helps, of course, and don’t forget the coaching staff at RADAR. We’ll be on the sidelines, guiding you to victory, every step of the way.

About this document

Please realize that the HIPAA Final Omnibus Rule is very lengthy and detailed, and that the actual content of the HIPAA OCR audit is unknown. This document is intended to provide you with general, high-impact best practices to help you become compliant and face the audit or regulatory inquiry with confidence. However, it is not intended to be exhaustive regarding your breach notification obligations under the Final Rule, or for completing the audit. This information is not intended to be or replace legal advice. Please seek out your legal counsel for such advice.

Helpful Resources & Information

Blogs & Websites

HHS site on HIPAA Breach Notification Rule
www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule

HHS “Wall of Shame”
www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

List of State Security Breach Notification Laws

Research & Resources

Webinar: Get Your Ducks in a Row: The OCR Audit Season Is about to Begin, June 2014
www.idexpertscorp.com/resources/single/get-your-ducks-in-a-row-the-ocr-audit-season-is-about-to-begin/r-general

HIPAA Final Omnibus Rule Playbook for Covered Entities
www.idexpertscorp.com/resources/single/hipaa-final-omnibus-rule-playbook-covered-entity-edition/r-general

HIPAA Final Omnibus Rule Playbook for Business Associates
www.idexpertscorp.com/resources/single/hipaa-final-omnibus-rule-playbook-business-associate-edition/r-general

Survey: Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security, Ponemon Institute, March 2014

Whitepaper: HIPAA Final Omnibus Rule


Talk to an expert

855-733-9888 | info@radarfirst.com

About RADAR®

In today’s world of increasingly complex and changing privacy regulations, cyber attacks, and data breaches, leading organizations trust RADAR®, a patented SaaS-based incident response management platform that simplifies and streamlines compliance with federal and state data breach laws. The RADAR Breach Guidance Engine™ leads users through an intuitive workflow that profiles and scores data privacy and security incidents and generates incident-specific notification guidelines to help ensure compliance with federal and state laws. Fortune 100 companies and other organizations from heavily regulated industries in finance, healthcare, insurance, and beyond rely on RADAR for an efficient and consistent process for incident response. RADAR is a business unit of ID Experts. Learn more at radarfirst.com.
