Organizations chosen for remote "desk audits" of their HIPAA compliance, which will begin this summer, need to be prepared to quickly provide supporting documentation, says Deven McGraw, deputy director of health information privacy at the Department of Health and Human Services' Office for Civil Rights.
Those selected for an audit will be required to submit, within 10 business days, documents that, for example, offer evidence of an enterprisewide security risk assessment as well as processes for providing individuals access to their health information, McGraw explains in an in-depth audio interview with Information Security Media Group.
OCR is nearing completion of its process of confirming contact information to create a pool of covered entities that could be chosen for audits, she explains. A sampling of business associates will be audited later.
"We will definitely be selecting the covered entities and begin to audit them first because our current database of business associates is not robust enough," she says. "And so we will need to rely on covered entities who are selected for audit to provide us with information on their business associates so that we can go through the same process of verifying contact information and forming more robust business associate pools - and pick business associate auditees from there."
A total of between 200 and 250 organizations - including both covered entities and business associates - will be audited, she says. In addition to remote desk audits, OCR will conduct some more comprehensive onsite HIPAA audits (see HIPAA Audits: Progress Report).
Study the Audit Protocol
To prepare for a potential audit, McGraw suggests that organizations study up on the new "dense" HIPAA audit protocol that OCR released in April.
"We've done a lot of work to try to make it much more comprehensive," she says, comparing the new protocol to the original one used in a pilot HIPAA audit program in 2011 and 2012, which included 115 covered entities. "So entities will have a much better idea when they look through [the new protocol] about what they will likely be asked to produce in the likelihood that they are selected for an audit."
The upcoming desk audits will be relatively narrow in scope, while the onsite audits will be more comprehensive, McGraw has said (see Exclusive: OCR's McGraw on Timing of HIPAA Audits).
But even for organizations not chosen for an audit, the protocol provides a strong "self-assessment tool," McGraw says.
In the interview, McGraw also points to several lessons that organizations can learn from recent OCR resolution agreements and corrective action plans related to settlements after breach investigations.
"They're intended to be instructive to the industry for things they should be looking for," she says. "For example, time and again we see that entities are not doing security risk assessments that are enterprisewide ... that take into account all the electronic protected health information that is in their environments."
Frequently, OCR finds healthcare providers conducting security risk assessments "that look only at their electronic health records systems, but not other information-collecting systems in their environments, and not connected devices," she notes. "These routinely get left out - and not surprisingly ... if they're left out of the risk analysis, they are also left out of the process of how do you manage that risk," such as through encryption or an alternative safeguard.
"Almost everything flows out of the risk analysis, so if you're leaving big pieces of your enterprise out of it, chances are you're going to be non-compliant in all sorts of other ways," she says.
In the interview, McGraw also discusses:
- Other risk management lessons emerging from recent OCR enforcement activities;
- Upcoming guidance planned by OCR, including instructional material on the requirements related to reporting breaches involving ransomware;
- Other recent breach trends, including hacker and phishing attacks that have been hitting the healthcare sector, and steps organizations can take to avoid falling victim.
Before joining OCR, which enforces HIPAA, last June, McGraw was a partner at the law firm Manatt, Phelps & Phillips LLP, where she co-chaired its privacy and data security practice. Earlier, she was director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. For six years, McGraw served as an adviser to HHS on health data privacy and security issues. She served on the Health IT Policy Committee, which advises HHS' Office of the National Coordinator for Health IT, and co-led the committee's Privacy and Security Workgroup - previously called the Privacy and Security Tiger Team - as well as its Information Exchange Workgroup.