Health Information Compliance Alert

Audits:

OCR Audits Delayed -- But Don't Let Your Guard Down

Brace yourself for more comprehensive audits instead of desk reviews.

The HHS Office for Civil Rights (OCR) has announced that it is yet again delaying Phase 2 of the HIPAA audits — with no definitive date set for the audits to actually begin. When the audits do start, however, they’ll be much more intense than previously planned. Here’s what you need to know to prepare your organization.

Why the Delay?

“Phase 2 of the HIPAA audits was initially slated to begin in the fall of 2014 and was subsequently moved to late 2014 or early 2015,” noted Charlotte, NC-based attorney Chara O’Neale in a Feb. 26 blog posting for the law firm Parker Poe. “Currently, no timeline has been provided as to when the next round of audits will officially begin.”

Earlier this year, OCR also said that it would conduct pre-audit surveys of 800 covered entities (CEs) and 400 business associates (BAs) last summer to determine suitability for the audit program, according to the law firm Alston & Bird LLP. OCR indicated that it would use the surveys to select 350 CEs and 50 BAs to audit in Phase 2. But now OCR has delayed the pre-audit surveys, as well as Phase 2 of the HIPAA audit program.

Why? “According to OCR, the audit portals and project management tools that are needed to facilitate the audit process are not yet ready for prime time,” explained partner Mark Burnette in a Feb. 4 blog posting for Tennessee-based LBMC Security & Risk Services. “Clearly, without a fully functioning infrastructure, the audits would be a nightmare for the OCR and every organization subject to one.”

Problem: “If the OCR keeps announcing that the audits are coming — and then continues to push them back — many healthcare organizations will continue to fall below compliance and not be particularly motivated to do anything about it,” Burnette lamented. “When resources are tight, non-revenue generating initiatives (like government-mandated data security controls) are too easily set aside, especially if no one is watching.”

Now is Not the Time to Relax

Mistake: Disregarding these audits is no longer an option, Jared Festner, HIPAA specialist for Irvine, CA-based Medical Information Technology Group (Medical ITG), said in a Jan. 27 statement. “If you think for one minute your practice won’t be under the microscope for everything from device encryption, to making sure that every policy and procedure is completely filled out and updated on a yearly basis, you’ll be kicking yourself once you receive fines of up to $1.5 million per offense.”

Strategy: And this delay in Phase 2 OCR audits doesn’t mean that you can relax your efforts to make sure you’re in compliance with all HIPAA regulations, O’Neale said. While the audit portals are still under development, this is a good time to:

  • Make sure your HIPAA policies and procedures are up-to-date and meet the latest privacy and security requirements;
  • Create a list of all business associates (BAs) that provide services to your organization; and
  • Conduct an internal risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Last year, OCR stated that the Phase 2 audits would focus on specific HIPAA compliance issues, Alston & Bird noted. For CEs, these compliance areas include:

  • Risk analysis and risk management (Security Rule);
  • Notice of privacy practices (NPP) and access rights (Privacy Rule);
  • Content and timeliness of breach notification (Breach Notification Rule);
  • Device and media controls and transmission security (Security Rule); and
  • Safeguards and training on policies and procedures (Privacy Rule).

For BAs, audits will focus on risk analysis and risk management, as well as breach reporting to the CE, Alston & Bird said. “OCR had also indicated that the audits would be ‘desk audits’ — i.e., document-only audits, without follow-up.”

Look for New Web Portal

A major reason for the delay in the Phase 2 audits is that OCR hasn’t been able to implement a new web portal through which entities can submit information to OCR, according to Alston & Bird. “OCR is planning to use its new portal to conduct the pre-audit survey screening tool as well as to have entities enter data for the audits.”

The portal technology will collect, collate and analyze audit data, Alston & Bird explained. OCR says the new web portal will help it streamline the audit process, save time and allow it to conduct more audits.

Get Ready for More On-Site Audits, Fewer Desk Audits

And if you think that Phase 2 audits won’t be as intense as the last round of audits, think again, Medical ITG warned. 

In addition to the delay and the new portal, OCR also announced that it has changed its strategy for the Phase 2 audits. Instead of conducting mostly desk audits as previously announced, OCR now says that it will conduct more comprehensive, on-site audits than desk audits.

“Instead of conducting 400 desk audits, OCR — with the new web portal and some additional funding — is planning to do a larger number of on-site, comprehensive audits, including business associate audits,” Alston & Bird said. “And to conduct fewer than 200 targeted desk audits.” 

OCR is planning to send the pre-audit surveys to CEs first, and then to BAs, “in the near future.” OCR also plans to update its HIPAA audit protocols before the next round of audits begins.

Lesson learned: Use this extra time wisely and look at your organization’s state of digital security and compliance with the HIPAA Omnibus Rule changes, if you haven’t already, Medical ITG recommended. Also, keep an eye out for updates and new announcements about the audit program on the OCR website (www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html).