The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released preliminary results from Phase 2 of the HIPAA Audit Program. The data was drawn from limited scope desk audits of 166 covered entities (CE) in July 2016. OCR rated their compliance with the HIPAA Privacy, Security and Breach Notification standards as largely “inadequate,” with over 94% of the covered entities failing to demonstrate appropriate risk management plans.
OCR reported that 90% of the organizations selected were healthcare providers, while the remainder was health plans and a single healthcare clearinghouse. CEs were required to submit documentation through an online web portal demonstrating that they had policies and processes in place that addressed the requirements as specified in the review.
During the desk audits, 103 CEs were tested on their Privacy and Breach Notification Rule compliance. Specifically, OCR reviewed how healthcare providers were meeting requirements for notices of privacy practices. They also reviewed how providers were handling patients’ requests for their right to access Protected Health Information (PHI) and to receive an electronic copy of it. Additionally, OCR audited how an organization notified individuals affected by a reportable breach of PHI.
At the same time, 63 CEs received audit protocols testing Security Rule compliance. OCR requested documentation of policies and procedures for risk analysis of the effectiveness of safeguards protecting information systems that handle e-PHI, including copies of enterprise-wide risk analysis performed. They also requested the organization’s risk management plan to address gaps identified during the assessment.
After the audits were completed, the responses were assessed through the subjective analysis of OCR’s reviewers. The analysis was then scored using its, “Compliance Effort Rating of 1 to 5.” A response that earned a compliance effort rating of “1” or “2” demonstrated full compliance with the requirements of the standard or implementation specification. OCR described a compliance effort rating score of 3 as, “…implementation that was inadequate…or a misunderstanding of the requirements.” A response with a score of “4” or “5,” could best be described as failure, or epic failure, respectively.
While the lasting impact of the Phase 2 HIPAA Audit program is open to debate, the comprehensive audit protocol is being widely used by OCR investigators to conduct compliance reviews and investigations. The hallmarks of the audit protocol are their breadth, addressing each and every standard and implementation specification of the Privacy, Security, and Breach Notification Rules. The tool also provides criteria on how to measure if an organization’s actions demonstrate their meeting the requirements of the HIPAA standards. Healthcare organizations, as well as contractors and vendors handling PHI, should use the 2016 Audit Protocol as the yardstick against which their compliance will be measured.
More than 25 OCR resolution agreements and corrective action plans cite the failure of a covered entity to perform an adequate information security risk analysis. OCR’s finding that 83% of their audits found serious problems with the organization’s risk analysis points out the health care industry has a lot of work to do in taking those first steps to safeguarding the information systems that handle PHI. It is just as alarming that 94% audited could not demonstrate they have an effective information security risk management plan.
How to Prepare
Healthcare provider practices, health plan administrators, and business associates should prepare now so they are ready if selected for a compliance review or complaint investigation. Some best practices to prepare now include:
- Review OCR’s audit protocol as well as the HIPAA and HITECH regulations
- Make sure you have the latest guidelines, policies, and procedures in place
- Ensure you have access to all required audit documentation and clearly understand the submission process
- Consider having your staff conduct a mock audit or use a third-party specialist to make sure you are prepared for the real.