HIPAA Audits: Getting Ready
Why Thorough Documentation Is Critical in Next Round
For the next round of HIPAA compliance audits that begins this fall, organizations need to prepare documentation that can speak for itself, because unlike the pilot program, there will be no onsite visits, says privacy attorney Adam Greene.
OCR plans to conduct HIPAA compliance audits for about 350 covered entities in the next phase of audits. Additionally, 50 business associates will be audited beginning in 2015.
Unlike the comprehensive HIPAA compliance audits that were conducted in person by consulting firm KPMG during the pilot program in 2012, the next round of much narrower "desk audits" primarily will be performed remotely by staff of the Department of Health and Human Services' Office for Civil Rights, Greene explains in an interview with Information Security Media Group (transcript below). And that means OCR will be basing its audits primarily on a review of documentation, he notes (see: HIPAA Audits: Round 2 Details Revealed).
OCR's audits of covered entities will focus on specific areas of HIPAA compliance. That includes 100 audits focused on the HIPAA privacy rule, especially privacy notices and compliance with individuals' right to access their protected health information; 100 audits on compliance with the HIPAA Omnibus breach notification rule; and 150 focused on the security rule, especially risk analysis, Greene points out. The business associates audits will focus on compliance with the risk analysis and breach notification requirements, he adds.
When submitting documentation to OCR, Greene stresses the importance of carefully following instructions.
"Because OCR has indicated they are not looking to receive extraneous information, submitting that could hurt someone's chances in the audit," he says. "OCR wants to see what it's requesting - nothing more, nothing less. If they get everything, including the kitchen sink, it makes it harder for them to conduct their audit assessment. So make sure you're only providing what was requested."
In the interview, Greene also discusses:
- How OCR will select approximately 350 covered entities and 50 business associates for audits;
- The different types of healthcare organizations and vendors that will be chosen, and whether reporting a HIPAA breach raises the chances an organization will be picked;
- His assessment of whether OCR's revised approach in the next phase of audits will spark improved compliance by healthcare entities and their business associates.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.
HIPAA Audits: Getting Ready
MARIANNE KOLBASUK MCGEE: How will OCR be selecting the 50 covered entities and how will covered entities and BAs find out if they're being targeted for an audit?
ADAM GREENE: OCR has changed the selection process a bit from phase one, but they'll start off on the covered entity side using the list they contracted Booz Allen Hamilton to create for them. They'll select about 550 to 800 covered entities from this list, which will look toward things like NPIs [National Provider IDs] and other identifiers that were used to collect information. They're going to then send out a survey to those covered entities seeking some basic demographic information. OCR will then proceed with what I'd call a "stratified random sample." They're going to be selecting the covered entities, 350 of them, randomly, but they're going to try to stratify things a bit based on geography, size, and other factors. [Then], using the survey results, [they'll] judge which covered entities are larger sizes, which are smaller. And then they will have collected and confirmed email addresses for those covered entities. They'll contact those covered entities via email to confirm that [they] have been selected.
Business associates will be handled somewhat differently. At some point, whether it's the initial 550 to 800 covered entities that are surveyed, or the 350 covered entities that are selected for audit, OCR will ask [them] for a list of business associates. Once OCR gets a list of business associates from each of those covered entities, it will have put together one big listing. It will then go ahead and select 50 business associates from that universe, of which 35 will be IT related business associates, while about 15 will be non-IT related. It's going to be mostly a random selection process, but they are trying to really ensure that they get a representative cross sample of both covered entities and business associates.
Next Round of Audits
MCGEE: How do you expect the next round of audits will differ most from the 115 audits of covered entities that were performed in 2012 during the pilot program?
GREENE: The audits for phase two are really night and day from the audits in phase one. Perhaps the biggest difference is that OCR is going to be doing these audits in-house. So you are no longer going to be dealing with contractors, but rather with OCR regional investigators. The second biggest difference is probably the scope of the audits. The first audits in phase one really looked at privacy, security, and breach notification compliance top to bottom. It was a fairly comprehensive review of policies, procedures, practices and documentation. This next one is going to be far more focused. So of the 350 covered entities, they're going to have 100 that are audited on privacy; that's going to be limited to issues surrounding notice of privacy practices and patients' right of access to their own information, which were two issues that were highlighted as problems in the first round of audits. Another 100 covered entities will be audited strictly on breach notification, and that's going to look at content and timing of breach notification. Then, 150 covered entities will be audited strictly on security, but limited to risk analysis and risk management based on initial OCR reports, also issues that were raised as big issues in phase one.
Instead of having to provide information about your entire privacy, security, and breach notification program, covered entities are going to have something far more discrete. Similarly, for the 50 business associates, OCR has indicated that they will initially be audited on risk analysis, risk management, and also breach notification to covered entities. It's going to be much more focused. Some other issues include that they are not going to be doing onsite audits; they are going to be doing a desk review for the time being.
MCGEE: Will organizations that have had a breach be more of a target for an audit?
GREENE: From what OCR has indicated, no. They really seem to be looking at it from a random perspective. In Linda Sanches' [Senior Advisor, Health Information Privacy at DHHS] presentation at the Healthcare Compliance Association Compliance Institute, she talked about [how] they are not targeting entities under the audit program based on complaints or breach notifications. They are really just trying to pull a fairly random but representative sample. So the fact that you've had and reported some breaches to HHS should not impact your chances of being audited. Now, obviously, it does directly correlate to your chances of being investigated with respect to that breach, and so you should expect, for larger breaches, that you will have an investigation, but it shouldn't impact your audit chances.
Preparing for Audit
MCGEE: What's the first thing that these organizations should be doing to prepare if they're notified about being audited?
GREENE: The focus will certainly be on getting your documentation together, which should be a far simpler exercise than with respect to phase one, where it was a huge amount of data that was requested. You'll have about two weeks to put together the documentation. Especially since OCR has called attention to what they are looking at, I'd recommend that organizations start putting that documentation together now. It's something that should hopefully be readily available, but it may be worth just confirming that you have an up-to-date risk analysis. What sometimes gets lost is a risk management plan that corresponds to that risk analysis to show that you are bringing risks down to reasonable and appropriate levels. So ideally, you have this information ready to go before you're ever selected for audit.
Another thing that you can think about is who's going to be involved, who's going to be chosen as the official contact with OCR throughout this process. Make sure everything is being funneled through that individual. You want to make sure that the documentation is responsive to what OCR has requested. OCR has indicated that they are not looking to receive extraneous information and that could actually hurt someone's chances in the audit because OCR wants to see what they are requesting, nothing more, nothing less. If they get everything including the kitchen sink, it makes it harder for them to conduct their audit assessment. You do want to make sure that you are only providing what is requested, and it's not worth having a signing party of your policies and procedures after you get the request.
For example, OCR does look for dates; if the date [on a document requested, such as risk analysis] is after the date of the request, they are not going to give it credit. They've indicated that pretty clearly. Before you ever get that audit request, you want to make sure, especially if you get an initial survey indicating that they want some demographic information and that you may get selected for audit, that all your policies and procedures are approved, signed, dated. Then, especially if you're in that initial 550 to 800 which means there's a good chance that you will be selected for the 350 afterwards, have something dated prior to the date of the audit. Ideally, it's dated before you ever got contacted by OCR, but worst case you're dating it after you get that initial survey request.
The other thing to think about is that OCR has indicated this phase of audits may be more tied to formal enforcement. OCR made a big point in their initial audits back in 2011 and 2012 of indicating that this was really for technical assistance, for improving their compliance program; it was not geared towards formal settlements. OCR has indicated that, at least under the current leadership, there's an interest in tying this more directly to formal enforcement, meaning that, for example, if you don't have a risk analysis, that may lead to a compliance review and a request for a financial settlement. If you are not able to respond well to the requested information, you may want to think about bringing in outside counsel with appropriate expertise; this could lead towards a settlement action years down the line, and you don't want to have made unnecessary admissions during the audit process that can come back to haunt you years later.
MCGEE: Are desk audits easier for these organizations? And how does that differ from onsite audits?
GREENE: If you're a well-organized organization, I think these desk audits will make things significantly easier. It's going to be a more streamlined process of providing the information that's been requested, and even getting a draft audit report some time later that you'll have an opportunity to comment on, and then a final audit report. So no onsite visits and all of the challenges and pressure that go along with that.
On the other hand, if you're not a well-organized organization, this could be a bit tough on you because your documents really need to speak for themselves. OCR indicated that they are not going to be doing follow-up questions; there's really not going to be much more than just the document request and making the assessment. So you want your policies and procedures to tell a good story of your compliance, and you're not going to have the same opportunities as in phase one to necessarily explain things to the auditors. When you are looking at your privacy policies and procedures, and your security policies and procedures, think about whether they tell a story. Are they properly dated? Do they have a title that makes clear what they are? Risk analysis, for example: is it clear that this is a risk analysis from this particular date, so that when you submit this documentation in response to an audit request it's pretty clear? [Then], they understand you're in compliance and hopefully that's the end of the audit. You get a draft report that says you passed.
Sparking HIPAA Compliance
MCGEE: Will the approach by OCR in the next round of audits be effective in sparking better HIPAA compliance by covered entities and business associates?
GREENE: I think that it will. I think the first round of audits was definitely one of the more effective enforcement tools that OCR has employed so far in getting people's attention and getting people to revisit their programs. And so I think continuing with the audit program is very important on that front. I think people are going to teach to the test a bit; where OCR has identified certain areas for initial audit, I certainly think people will focus on those, as common sense would dictate. I think you're going to see improvements in compliance in these areas, like risk analysis [and] management, breach notification policies, content and timing. And certainly on the privacy area, on notice of privacy practices and patients' right of access, which sometimes does fall by the wayside. You will see this [be] effective in that area. It won't be effective necessarily in overall compliance, but I'm sure OCR has a list they've already indicated they hope to address in round two. As they go down that list and publicize what they're focusing their audits on, compliance will improve in each identified area.
Not Being Audited
MCGEE: If you are in an organization that has not been contacted by OCR in this next round, what does that mean?
GREENE: What I think is interesting is, OCR seems to have been selecting an audit program now that, in varying significantly from phase one, is going to be more of a permanent audit program. So for phase one, there were HITECH Act appropriations available that are no longer available, and OCR has been frank that the lack of onsite visits in phase two [is] because of budget restraints. But using internal staff [and] more focused audits, this is something that OCR is going to be able to do on a more regular basis. As for the fact that you weren't in those first 350 covered entities for phase two, or 50 business associates: there's a very large number of covered entities and an even larger number of business associates. It's likely you're not going to be included in that first round. But the audits are going to continue. You may not be included in this round, but it may be another round in the future. I would still say the chances of audit are relatively low.
My bigger concern tends to be breaches; because if you have a breach, you will be investigated if it's a large breach, and you certainly have a significant possibility of investigation if it's a small breach. I would not focus on the audit program to the exclusion of making sure that everything's encrypted, for example, and your chances of breach are minimal. Then there's always patient complaints that continue to be a source of tens of thousands of investigations. Audit is just one part of the program. The fact that you don't get audited in this round, I wouldn't take as much of a reprieve, because there will be future rounds and plenty of other ways to come in front of OCR's attention.
MCGEE: What's the most important thing covered entities and BAs should keep in mind as the next round begins?
GREENE: OCR has given the gift of identifying what their areas of focus are. So immediately take a look at those areas; make sure your policies and everything are up to date, and perform a bit of a mock audit. Can you provide comprehensive information in each of those areas within two weeks? If you come out of that looking pretty good, then I wouldn't be too worried about whether you're actually selected for audit.