Chris Apgar, CISSP 2016
OCR HIPAA AUDITS –
THEY’RE BACK!
OVERVIEW
OCR Audit Program Overview
What to Expect if OCR’s Auditors Show Up
Potential Penalties and Other OCR Actions
How to Prepare for an Audit
Resources
OCR AUDIT PROGRAM OVERVIEW
HITECH Act mandated that the Office for Civil Rights (OCR) conduct HIPAA compliance audits
OCR announced the kick off of Phase 2 audits in April 2016
Contact validation and pre-audit surveys sent to covered entities (CE) beginning April 2016
Audit program meant to augment, not replace, current investigation and enforcement activity
OCR AUDIT PROGRAM OVERVIEW
OCR announced the number of contacts OCR had with a CE would factor into the decision of who to audit
KPMG is currently training new and existing staff in preparation to launch the formal audit program
CEs should expect audits to commence within the next two months
OCR AUDIT PROGRAM OVERVIEW
Contact verification and pre-audit surveys were emailed to CEs beginning in April 2016
When audits commence CEs selected for an audit will be required to provide OCR with a list of all current BAs
Entities to be audited will include a cross section of CEs and BAs across different geographic locations
OCR AUDIT PROGRAM OVERVIEW
BAs to be audited will be selected from BAs identified as part of CE audits
CEs and BAs who receive a pre-audit survey may or may not be audited
Targeted desk audits and comprehensive onsite audits will be conducted as part of Phase 2 audits
It is unclear whether or not comprehensive and desk audits will be conducted
OCR AUDIT PROGRAM OVERVIEW
Random selection used when possible within types
Wide range of auditees (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories)
Per OCR approximately 200 CEs and BAs will be audited
OCR will not audit entities with open complaint investigation or currently undergoing compliance review
OCR AUDIT PROGRAM OVERVIEW
Phase 2 Audits:
Round 1 – CE desk audits
Round 2 – BA desk audits
Round 3 – Comprehensive audits
Based on Round 1 experience, Phase 2 CE audits will target:
Security – risk analysis and risk management
Breach – Content and timeliness of notifications
OCR AUDIT PROGRAM OVERVIEW
Round 2 BA audits will target:
Risk analysis and risk management standards
Breach reporting to covered entities
Round 3 CE and BA audits – complete audit protocol
WHAT TO EXPECT IF OCR’S AUDITORS SHOW UP
OCR will notify CEs and BAs immediately preceding audits
The Phase 2 audit protocol includes documentation that will be requested
CEs and BAs must forward all documentation requested within 10 business days from
WHAT TO EXPECT IF OCR’S AUDITORS SHOW UP
Audited entities submit documents online via the secure audit portal on OCR’s website
Paper documentation will not be accepted
Auditors won’t be available to answer questions during the desk audits
WHAT TO EXPECT IF OCR’S AUDITORS SHOW UP
Following the audit, CEs and BAs will receive a draft audit report
CEs and BAs have 10 business days to provide management response
Auditors will forward the final audit report to OCR 30 days from the date of the CE or BA response
Depending on findings, OCR may open a compliance investigation
WHAT TO EXPECT IF OCR’S AUDITORS SHOW UP
Audit protocol covers privacy, security and breach notification
Expect to provide policies, procedures and evidence that policies and procedures are followed
Extensive documentation will be requested
If there is no documentation, CEs and BAs must provide a written statement that no documentation exists and why
THE UNKNOWNS
Period to be audited is not clear
Questions in the pre-audit questionnaire suggest most recent fiscal year
Sample size unknown
Per the pre-audit survey letter, collected documentation may be subject to public disclosure under the Freedom of Information Act (FOIA) – unclear if a FOIA response would include PHI and employee PII
THE UNKNOWNS
Audit protocols are designed to work with a broad range of CEs and BAs, but their application may vary depending on the size and complexity of the entity being audited
No information on how audits will vary or on the amount of documentation required
THE QUESTIONS
Privacy Rule protocol, 45 CFR §164.524(c) Implementation specifications: Provision of access. If the CE provides an individual with access to PHI, the CE must comply with the requirements listed in the protocol
Auditors directed to “Obtain and review access requests which were granted (and documentation of fulfillment, if any) and access requests which were denied.”
Question: Is this intended to be a request for all access requests (regardless of disposition) during the audit period, or can the auditor request that the covered entity provide a sample?
THE QUESTIONS
Auditors not taking into account more stringent state law
Question: What if state law is more stringent and state law compliance varies from HIPAA requirements?
POTENTIAL PENALTIES AND OTHER OCR ACTIONS
If OCR elects to conduct a compliance review, it could result in:
Technical assistance provided by OCR
Corrective action plan the CE must comply with (may include a required third party compliance review for three to five years)
Civil penalties or monetary settlements
If there is a finding of willful neglect, expect formal enforcement
HOW TO PREPARE FOR AN AUDIT
Read the audit protocol!
Begin planning for the audit now – likely can’t assemble all required documentation in 10 business days
If documentation is not provided, don’t expect to be able to provide additional documentation when receiving the draft review for management response
HOW TO PREPARE FOR AN AUDIT
Centralized compliance documentation really matters
Develop a compliance plan
Prioritize high to low risk compliance gaps
Assign resources to eliminate privacy and security compliance gaps
HOW TO PREPARE FOR AN AUDIT
Track and document compliance project status
Document mitigation activity
Store all compliance documentation centrally
Many CEs and BAs aren’t compliant with several high risk compliance requirements
This amounts to more than adopting required policies and procedures – evidence required
Need to demonstrate continued compliance activities (not a “one time” event)
HOW TO PREPARE FOR AN AUDIT
Key to surviving an audit unscathed – current and accurate documentation that’s easily accessible
CEs and BAs bear the burden of demonstrating compliance
RESOURCES
OCR audit website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
Apgar & Associates, LLC:
http://www.apgarandassoc.com