OCR HIPAA AUDITS – THEY'RE BACK!

Chris Apgar, CISSP 2016

OVERVIEW

OCR Audit Program Overview

What to Expect if OCR’s Auditors Show Up

Potential Penalties and Other OCR Actions

How to Prepare for an Audit

Resources

OCR AUDIT PROGRAM OVERVIEW

HITECH Act mandated that the Office for Civil Rights (OCR) conduct HIPAA compliance audits

OCR announced the kick-off of Phase 2 audits in April 2016

Contact validation and pre-audit surveys sent to covered entities (CE) beginning April 2016

Audit program meant to augment, not replace, current investigation and enforcement activity

OCR announced the number of contacts OCR had with a CE would factor into the decision of who to audit

KPMG is currently training new and existing staff in preparation to launch the formal audit program

CEs should expect audits to commence within the next two months

Contact verification and pre-audit surveys were emailed to CEs beginning in April 2016

When audits commence, CEs selected for an audit will be required to provide OCR with a list of all current BAs

Entities to be audited will include a cross-section of CEs and BAs across different geographic locations

BAs to be audited will be selected from BAs identified as part of CE audits

CEs and BAs who receive a pre-audit survey may or may not be audited

Targeted desk audits and comprehensive onsite audits will be conducted as part of Phase 2 audits

It is unclear whether both comprehensive and desk audits will actually be conducted

Random selection used when possible within types

Wide range of auditees (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories)

Per OCR, approximately 200 CEs and BAs will be audited

OCR will not audit entities with an open complaint investigation or currently undergoing a compliance review

Phase 2 Audits:

Round 1 – CE desk audits

Round 2 – BA desk audits

Round 3 – Comprehensive audits

Based on Round 1 experience, Phase 2 CE audits will target:

Security – risk analysis and risk management

Breach – Content and timeliness of notifications

Round 2 BA audits will target:

Risk analysis and risk management standards

Breach reporting to covered entities

Round 3 CE and BA audits – complete audit protocol

WHAT TO EXPECT IF OCR'S AUDITORS SHOW UP

OCR will notify CEs and BAs immediately preceding audits

The Phase 2 audit protocol includes documentation that will be requested

CEs and BAs must forward all documentation requested within 10 business days from

Audited entities submit documents on-line via secure audit portal on OCR’s website

Paper documentation will not be accepted

Auditors won’t be available to answer questions during the desk audits

Following the audit, CEs and BAs will receive a draft audit report

CEs and BAs have 10 business days to provide a management response

Auditors will forward the final audit report to OCR 30 days from the date of the CE or BA response

Depending on findings, OCR may open a compliance investigation

Audit protocol covers privacy, security and breach notification

Expect to provide policies, procedures and evidence that policies and procedures are followed

Extensive documentation will be requested

If there is no documentation, CEs and BAs must provide written statement that no documentation exists and why

THE UNKNOWNS

Period to be audited is not clear

Questions in the pre-audit questionnaire suggest most recent fiscal year

Sample size unknown

Per the pre-audit survey letter, collected documentation may be subject to public disclosure under the Freedom of Information Act (FOIA); it is unclear whether a FOIA response would include PHI and employee PII

Audit protocols designed to work with broad range of CEs and BAs but application may vary depending on size and complexity of the entity being audited

No information on how audits will vary or on the amount of documentation required

THE QUESTIONS

Privacy Rule protocol, 45 CFR §164.524(c), Implementation specifications: Provision of access. If the CE provides an individual with access to PHI, the CE must comply with the requirements listed in the protocol

Auditors directed to “Obtain and review access requests which were granted (and documentation of fulfillment, if any) and access requests which were denied.”

Question: Is this intended to be a request for all access requests (regardless of disposition) during the audit period, or can the auditor request that the covered entity provide a sample?

Auditors are not taking more stringent state law into account

Question: What if state law is more stringent, and state-law compliance therefore differs from HIPAA requirements?

POTENTIAL PENALTIES AND OTHER OCR ACTIONS

If OCR elects to conduct a compliance review, it could result in:

Technical assistance provided by OCR

Corrective action plan the CE must comply with (may include required third party compliance review for three to five years)

Civil penalties or monetary settlements

If there is a finding of willful neglect, expect formal enforcement

HOW TO PREPARE FOR AN AUDIT

Read audit protocol!

Begin planning for an audit now; it is unlikely all required documentation can be assembled in 10 business days

If documentation is not provided with the initial submission, don't expect an opportunity to provide additional documentation when the draft report is received for management response

Centralized compliance documentation really matters

Develop a compliance plan

Prioritize high to low risk compliance gaps

Assign resources to eliminate privacy and security compliance gaps

Track and document compliance project status

Document mitigation activity

Store all centrally

Many CEs and BAs aren’t compliant with several high risk compliance requirements

This amounts to more than adopting required policies and procedures – evidence required

Need to demonstrate continued compliance activities (not a “one time” event)

Key to surviving an audit unscathed: current and accurate documentation that's easily accessible

CEs and BAs bear burden of demonstrating compliance

RESOURCES

OCR audit website:

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

Apgar & Associates, LLC:

http://www.apgarandassoc.com

Q&A

Chris Apgar, CISSP, CEO & President, www.apgarandassoc.com
