CynergisTek’s Mac McMillan recently wrote, “Lessons Learned: OCR Random Audits Uncover Compliance Trends” for Becker’s Hospital Review
In this article, McMillan addresses the lessons learned from the audits performed by the Office for Civil Rights (OCR) during the 2012 pilot program. First, he writes that, “Healthcare has made significant strides in privacy and security in the last decade.” Many agree with this point, but McMillan compares this to how much further as an industry we have to go based on some of the findings and observations during the OCR audits. He points out that the results were poor, 90% of audited organizations had more than one issue and smaller entities struggled the most.
McMillan continues that findings under the Privacy Rule did not identify as many trends as the Security Rule. Most organizations have policies and procedures in place but there were some findings of “misapplication of the rules around authorization for disclosure and minimal necessary.” The Security Rule on the other hand, is where most of the observations were made and where lessons can be learned from the pilot program. Some of OCRs most common findings during the audits include:
- Ineffective use of audit and monitor system
- Not utilizing the audit/monitor program’s capabilities (lack of resources often the reason)
- Addressable specifications: “as it related to selecting reasonable alternatives and documenting those decisions”
- Most organizations could not produce a complete and/or accurate Risk Assessment
- Lack of accountability regarding access management
McMillan concludes that the findings are alarming, and it is concerning that the number one reason heard for non-compliance was “unaware of the requirement” despite that the rules have been in place for over ten years. He believes that more audits and lessons are to come, and points out that OCR is working on adding best practices learned from the audits to their website as a tool for organizations to prepare for future audits.
To learn more or read the entire article, click here to visit Becker’s Hospital Review’s website.