Eight Best Practices to Prepare for an OCR HIPAA Audit

By Shane Whitlatch, Executive Vice President, FairWarning, Inc.
Twitter: @FairWarningLLC

It can be helpful to think of good compliance practices as preventive maintenance. It’s easier to have prepared all along than have to scramble to prove compliance when an audit comes up. Because the requirements for various regulations are widely available, you can start preparing for an Office of Civil Rights (OCR) HIPAA audit long before the notification letter hits your mailbox. And even if you aren’t chosen for a random HIPAA audit, you can still face penalties for noncompliance if you experience a patient complaint or a breach.

Taking the opportunity to proactively strengthen your privacy and compliance program will help you maintain control of your patient data and avoid compliance headaches that are costly and time-consuming.

Changes in Compliance
As is often the case when discussing government regulations, it’s time for a bit of alphabet soup. The Department of Health and Human Services (HHS) oversees the OCR, which uses the HIPAA audit program to assess the compliance of covered entities. As stated by the HHS, “The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”

In 2016, the HHS launched its Phase 2 HIPAA Audit Program, and the department released the results of more than 166 audits the following year. This program was notable in that both business associates and covered entities had to meet selected standards and implementation specifications under HIPAA’s Privacy, Security, and Breach Notification Rules. The HHS’s Official Audit Protocol was updated in July 2018.

Compliance standards will keep rising as the healthcare industry grows and changes. Instead of viewing OCR audits as a burden, however, care providers can approach them as an opportunity to lay a foundation of compliance – a foundation upon which they can grow when adopting new tools, technologies, personnel and workflows. If you are not proactively prepared for an audit, the penalties for noncompliance are burdensome.

Violations Aplenty
Common HIPAA violations entail the acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by HIPAA; the activity must pose a significant risk of harm to the affected individual, whether it’s financial, reputational or other damages. Under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals in the event that unsecured PHI is breached.

Some violations result in significant fines. These are the top 10:

  1. Database breaches
  2. Third-party disclosure of PHI
  3. Improper disposal of PHI
  4. Mishandling medical records
  5. Employees disclosing information
  6. Not performing an organization-wide risk analysis
  7. Employees illegally accessing patient files
  8. Lost or stolen devices
  9. Lack of training
  10. Not encrypting PHI on portable devices

There are many other ways to violate HIPAA. A large variety of advanced threats can result in a HIPAA violation or breach, and therefore fines and settlements – including drug diversion, cybersecurity attacks, insider threats, fraud and identity theft.

The Usual Suspects
The OCR is diligent about ensuring patient data privacy. Since 2003, the OCR has discovered 55 Privacy Rule violations and handed out close to $80 million in fines. And as of 2018, the OCR has received more than 184,000 HIPAA complaints and initiated more than 902 compliance reviews.

The most common compliance issues the OCR has investigated are, in order of frequency:

  • Lack of PHI safeguards
  • Lack of PHI patient access
  • Impermissible uses and disclosures of PHI
  • Lack of administrative safeguards of ePHI
  • Use or disclosure of more than the minimum necessary PHI

The covered entities that most often commit violations are pharmacies, health plans, general hospitals, private practices and physicians, and outpatient facilities. More than 37,670 complaints had been investigated by the HHS as of July 2018, 69 percent of which resulted in corrective action.

Proactive Preparation
Once the OCR has made up its mind to audit you, there is no time for dawdling. You will have just 10 days to respond. This means that you should have controls in place now so that you can respond with confidence. Below are eight best practices to prepare for an OCR audit.

1: Prove You’ve Set HIPAA Policy and Procedure Boundaries
Under HIPAA 164.316, organizations are required to implement “reasonable and appropriate policies, procedures and standards.” Furthermore, organizations are required to document those policies and procedures to prove they’ve set boundaries and made expectations and standards transparent. Unless there are proper policies and procedures in place, employees and insider threats may do things to put PHI in jeopardy.

2: Focus on PHI
HIPAA spells out specific requirements for ePHI. HIPAA 164.312 states that electronic systems holding ePHI must allow access only to those who have been granted access rights. Under HIPAA 164.306, covered entities and business associates must ensure the confidentiality, integrity and availability of all electronic PHI (ePHI).

A best practice for covered entities is to monitor all systems holding ePHI, including EHRs, cloud applications and mobile devices. By monitoring with a full lifecycle platform, they can detect, investigate, mitigate and remediate inappropriate activity to address incidents. This can also help organizations identify employees who need training, sanctioning or retraining — and foster a culture of privacy and compliance that prevents future incidents from occurring.

3: Conduct Risk Assessments
Covered entities must conduct risk assessments to determine the probability of compromised health information, according to the terms of the Breach Notification Rule. The main goal is to determine whether you need to report a PHI breach under law. The Office of the National Coordinator for Health Technology (ONC) and the OCR recently updated their Security Risk Assessment Tool to guide organizations through the compliance process.

4: Develop an Incident Response Plan
A comprehensive incident response plan (IRP) will enable your organization to contain security incidents that would otherwise become breaches requiring regulatory involvement. The HIPAA Security Rule requires covered entities to have IRPs. The HHS provides a free Incident Response Plan template to help organizations handle incidents with more agility. Once created, an IRP requires frequent evaluation and changes as the organization naturally evolves.

5: Know Your Users
In a survey of 1 million users of EHRs and cloud applications, FairWarning found that 26 percent were poorly known or unknown to the care provider. This means that these users cannot be monitored and audited, making it difficult to train or sanction them in the event of a HIPAA violation. To help, organizations can improve compliance by implementing identity correlation technology in their EHRs and cloud applications.
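As an added illustration of the identity correlation step described above (example code written for this article, not FairWarning's product or any vendor's code), the following Python joins constructed EHR audit-log rows to a constructed HR roster, reports what share of active accounts have no roster match, and flags access events by unknown or deactivated accounts for review. All user, patient and file names are made up.

```python
import csv
from io import StringIO
from collections import defaultdict

# Constructed sample data: a workforce roster exported from HR / identity management
# and audit-log rows pulled from an EHR. Every value below is invented for this example.
ROSTER_CSV = """user_id,email,role,status
jdoe,jdoe@example.org,nurse,active
asmith,asmith@example.org,physician,active
bwong,bwong@example.org,billing,terminated
"""

EHR_LOG_CSV = """timestamp,user_id,patient_id,action
2018-07-01T08:02:11,jdoe,P1001,view
2018-07-01T08:05:42,asmith,P1002,update
2018-07-01T09:17:03,svc_interface,P1003,view
2018-07-01T09:20:55,bwong,P1001,view
2018-07-01T10:01:27,tmp_contractor,P1004,export
"""

def load_roster(text):
    """Map user_id -> roster record (email, role, status)."""
    return {row["user_id"]: row for row in csv.DictReader(StringIO(text))}

def correlate(log_text, roster):
    """Classify each account seen in the EHR log as known-active, known-terminated
    or unknown. Returns (summary dict, list of events that need human review)."""
    events_by_user = defaultdict(list)
    for row in csv.DictReader(StringIO(log_text)):
        events_by_user[row["user_id"]].append(row)
    summary = {"known_active": 0, "known_terminated": 0, "unknown": 0}
    review = []
    for uid, events in events_by_user.items():
        rec = roster.get(uid)
        if rec is None:  # nobody in HR/IdM owns this account: cannot train or sanction
            summary["unknown"] += 1
            review.extend(dict(e, reason="no roster match") for e in events)
        elif rec["status"] != "active":  # roster knows the person, but access should be gone
            summary["known_terminated"] += 1
            review.extend(dict(e, reason="account status " + rec["status"]) for e in events)
        else:
            summary["known_active"] += 1
    total = len(events_by_user)
    summary["pct_unknown"] = round(100.0 * summary["unknown"] / total, 1) if total else 0.0
    return summary, review

if __name__ == "__main__":
    s, r = correlate(EHR_LOG_CSV, load_roster(ROSTER_CSV))
    print(s)
    for e in r:
        print(e["timestamp"], e["user_id"], e["patient_id"], e["action"], "->", e["reason"])
```

The same join can be run against cloud-application logs keyed on email instead of user_id, which is how the "unknown" share reported in the survey is measured in practice.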

6: Identify High-Risk Assets
The final Breach Notification Rule must not be ignored. Organizations must develop the policies and procedures required to implement a privacy and compliance program that adheres to the Rule. To do so, identify your high-risk assets and ensure that your risk analysis of these assets is current. These should include both technical and non-technical assets that are business-critical.

7: Don’t Skimp on Business Associate Agreements
For any vendors handling PHI, a business associate agreement (BAA) is essential. This helps ensure that both parties are held accountable for creating, receiving or transmitting PHI in a secure and intended manner. If either party violates the BAA, they may face penalties from the HHS. Most importantly, find a vendor who takes the BAA very seriously. Any organization can sign one, but do they have the proper protocols in place to responsibly handle PHI? Ask questions and investigate to assess how secure their processes really are.

8: Implement Ongoing Training
Though the headlines would lead us to believe otherwise, 58 percent of healthcare breaches involve insiders. To make sure employees are fully absorbing the policies and regulations of their day-to-day work, training should be treated as an ongoing process, not a one-time event. Once you identify employees who need training through your monitoring program, you should clearly communicate expectations about your organization’s policies and procedures and train accordingly through a learning management system (LMS) program.

Planning Ahead
To encourage compliance, the OCR has put audits—and fines—in place. Of course, you want to avoid paying those fines and enduring bad publicity, but the real motivation is the desire to keep patient data safe and earn the trust of those you serve. The best practices outlined above will help you position your organization for a strong compliance program that also lays the groundwork for both future technology adoption and future regulations.