Preparing for HIPAA Compliance AuditsOCR's Verne Rinker on the Need for Risk Assessments
During the initial pilot program conducted by OCR last year, 115 entities were audited for HIPAA compliance. Of those, two-thirds of all covered entities had non-existent or inaccurate risk assessments, says Rinker, an OCR health information privacy specialist.
"For providers, 47 of 59 [audited] did not have a complete risk assessment," he says in an interview with Information Security Media Group [transcript below].
"The number-one suggestion [for covered entities] is risk analysis, and risk analysis needs to be comprehensive," he says. "It needs to look at all the systems because they're constantly changing as organizations change their IT infrastructure."
Risk assessments should be ongoing, Rinker says, in order to detect new systems that are coming online within organizations, as well as changes in existing systems.
"It needs to be a regular part of their business," he says. "It needs to be on their corporate radar and in their culture of compliance."
The permanent HIPAA audit program, which will begin sometime after the start of fiscal 2014 on Oct. 1, will be narrower in scope than last year's pilot project, says Rinker.
In the interview, Rinker discusses:
- Key audit findings regarding non-compliance with the HIPAA privacy and security rules;
- Plans for a new HIPAA audit protocol that takes into account the release of the HIPAA Omnibus Rule;
- How organizations can best prepare for a HIPAA audit.
Rinker, an attorney, joined OCR in 2005 after previously serving six years at the Centers for Medicare and Medicaid Services, including doing work related to Medicare and Medicaid HIPAA compliance issues.
HIPAA Audits: Key Findings
MARIANNE KOLBASUK MCGEE: OCR audited 115 covered entities last year. Based on the analysis of the pilot audit program, what are the key findings?
VERNE RINKER: There were no clear trends when it came to the privacy findings. However, a couple of trouble spots were represented with a high number of organizations. Approximately 44 percent had findings related to their uses and disclosures of PHI [protected health information], and about 20 percent had findings related to their notice of privacy practices. When it came to their failure to meet privacy administrative elements, almost half of the covered entities - about 47 percent - had findings related to policies and procedures, and another 26 percent had training deficiencies.
As for security, findings were across the board from risk analysis to contingency planning and backups. A total of 58 of 59 providers had at least one security finding or observation. Two-thirds of all the covered entities audited had no complete and accurate risk assessment, which is of particular concern. For providers, 47 of 59 did not have a complete risk assessment. Almost every covered entity that did not have any findings or observations met their security addressable implementation specifications by fully implementing the addressable specification; for example, using encryption.
Challenges with HIPAA Compliance
MCGEE: What are the biggest challenges that organizations are having with in terms of HIPAA compliance, and who's having the most trouble?
RINKER: We learned a lot from our pilots, and our findings have been all over the map in the privacy and security areas. The risk analysis and ongoing risk management certainly stands out as a significant challenge. We found that those auditees who were not doing that risk analysis, or were doing it poorly, showed a much broader pattern of noncompliance with the rules.
Resuming the Audit Program
MCGEE: When will the program resume?
RINKER: Our director, Leon Rodriguez, has expressed his hope that in fiscal year 2014, the fiscal year which begins in October of this year, sometime within that fiscal year we'll be back doing audits.
MCGEE: Will business associates be audited as well as covered entities in the next round?
RINKER: We certainly hope to look at business associates, as well as covered entities, in the next round.
Updating Audit Protocol
MCGEE:When might there be an update for the audit protocol, based on HIPAA Omnibus?
RINKER: We're working on that currently. The biggest driver for us was really having the omnibus out itself. Since that's out now, we're beginning the internal process of updating our audit protocol, but that's an important caution, that our current website only has our pre-HITECH audit protocol. To the extent that those provisions, the criteria, will change, then we're going to signify that on our website when we do finally publish the audit protocol that would be in compliance with the HITECH standards.
MCGEE: Would the program be expanded? For instance, will there be more than 115 organizations audited? What might happen next?
RINKER: For the 115 entities that we audited, it's important to understand that we looked at approximately 59 individual requirements. That's actually a substantial amount of the privacy, security and breach notification standards. It's unlikely that we would stand up a permanent program that would be so comprehensive in its scope.
In the future, rather than doing a much more comprehensive approach, it would be much more streamlined. We would look at a smaller set or a smaller scope of the criteria of the various rules, but be able to look at those in a broader range of entities, certainly again within the covered entities as well as the business associates. With that smaller scope of requirements that we would be looking at, we would be able to reach a much broader group of covered entities and business associates all together.
Preparing for an Audit
MCGEE: How should organizations best prepare for an audit?
RINKER: The top tip is to really have an active, integrated and fully functional HIPAA compliance program that's already in place. Certainly going and looking at the protocol that we have on our website would be one step for entities to assess how they measure up with what's in existence. There are additional resources that are coming online; for example, a toolkit sponsored by NIST, the National Institute of Standards and Technology, [with] their requirements to HIPAA requirements. I believe ONC, the Office of the National Coordinator, has also developed some guidance particularly applicable to the implementation of HIT with providers.
Advice on Improving HIPAA Compliance
MCGEE: What's your best advice for how organizations can improve their HIPAA compliance based on what you've found during these audits?
RINKER: Since we're at a security conference, the number-one suggestion is risk analysis, and risk analysis needs to be comprehensive. It needs to look at all the systems because these are constantly changing as organizations change their IT infrastructure. It needs to be ongoing, which also catches not only the new systems that are coming online, but also catches changes in the existing systems and the existing business lines of entities. And it needs to be a regular part of their business. It needs to be on their corporate radar and in their culture of compliance.