By the time you have the flu, it’s too late to get the vaccine. The idea behind vaccines, of course, is a pre-emptive strike against illness. In the same vein, proactive preparation for an audit is a much better plan than scrambling for documentation once you’ve received notice of an impending audit.
The good news is that you don’t have to guess what an audit entails. Requirements for various regulations are widely available, so you can make sure you’re compliant in advance. For instance, in the case of an Office of Civil Rights (OCR) HIPAA audit, you can start preparing long before the notification letter hits your mailbox.
You may not be selected for a random HIPAA audit, but that doesn’t mean you can ignore compliance, of course. You can still face penalties for noncompliance if you experience a patient complaint or a breach. Taking the opportunity to proactively strengthen your privacy and compliance program will help you maintain control of your patient data and avoid compliance headaches that are costly and time-consuming.
The Compliance Assessment Process
The OCR uses the HIPAA audit program to assess the compliance of covered entities. As stated by the Department of Health and Human Services (HHS), which oversees the OCR, “The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”
The HIPAA Audit Program is being rolled out in several phases. The HHS’s Phase 2 HIPAA Audit Program launched in 2016, and the results of more than 166 audits were released the following year. This program was notable in that both business associates and covered entities had to meet selected standards and implementation specifications under HIPAA’s Privacy, Security, and Breach Notification Rules. The HHS’s Official Audit Protocol was updated in July 2018.
Instead of viewing OCR audits as a burden, care providers can approach them as an opportunity to lay a foundation of compliance – a foundation upon which they can grow when adopting new tools, technologies, personnel and workflows. If not proactively prepared for an audit, the penalties for noncompliance can be burdensome.
What Constitutes a Violation?
According to the HIPAA regulation, a breach involves the acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by HIPAA; the activity must pose a significant risk of harm to the affected individual, whether it’s financial, reputational or other damages. Under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals in the event that unsecured PHI is breached.
Common violations that result in large fines include:
- Improper disposal of PHI
- Lost or stolen devices
- Mishandling of medical records
- Employees disclosing information
- Database breaches
- Third-party disclosure of PHI
- Failure to perform an organization-wide risk analysis
- Employees legally accessing patient files
- Lack of training
- Failure to encrypt PHI on portable devices
Many other violations are possible, including drug diversion, cybersecurity attacks, insider threats, fraud and identity theft.
Who and What Gets Investigated
Since HIPAA became law in 2003, the OCR has handed down close to $80 million in fines and discovered 55 Privacy Rule violations. And as of 2018, the OCR has received more than 184,000 HIPAA complaints and initiated more than 902 compliance reviews.
The most commonly investigated compliance issues are, in order of frequency:
- Impermissible uses and disclosures of PHI
- Lack of PHI safeguards
- Lack of PHI patient access
- Lack of administrative safeguards of ePHI
- Use or disclosure of more than the minimum necessary PHI
The covered entities that are the most frequent offenders include pharmacies, health plans, general hospitals, private practices and physicians, and outpatient facilities. More than 37,670 complaints were investigated by the HHS as of July 2018, 69 percent of which have received corrective action.
Proactive Preparation for an OCR Audit
The OCR gives you just 10 days to respond to an audit notice – or they just show up for a random audit. This means that you should have controls in place now so that you can confidently respond. Below are eight action items to prepare for an OCR audit.
1: Monitor and Secure ePHI
Covered entities and business associates must ensure the confidentiality, integrity and availability of all electronic PHI (ePHI). In addition, electronic systems holding ePHI must allow access to those persons who have been granted access rights.
A good rule of thumb is for covered entities to monitor all systems holding ePHI, including EHRs, cloud applications and mobile devices. By monitoring with a full lifecycle platform, they can detect, investigate, mitigate and remediate inappropriate activity to address incidents. This can also help organizations identify employees who need training, sanctioning or retraining — and foster a culture of privacy and compliance that prevents future incidents from occurring.
2: Assess Your Security Risk
Covered entities are required to conduct risk assessments to determine the probability of compromised health information. The main goal is to determine whether you need to report a PHI breach under law. The Office of the National Coordinator for Health Technology (ONC) and the OCR recently updated their Security Risk Assessment Tool to guide organizations through the compliance process.
3: Document Your Efforts
Patient data is a primary asset for healthcare providers. Without proper policies and procedures in place, employees and insider threats may do things to put PHI in jeopardy. Under HIPAA 164.316, organizations are required to implement “reasonable and appropriate policies, procedures and standards.” Furthermore, organizations are required to document those policies and procedures to prove they’ve set boundaries and made expectations and standards transparent.
4: Guard Against Internal Threats
Though the focus of cybersecurity is usually on keeping external threats out, threats from within are a greater danger. In fact, 58 percent of healthcare breaches involve insiders. To make sure employees are fully absorbing the policies and regulations of their day-to-day work, training should be treated as an ongoing process, not a one-time event. Once you identify employees who need training through your monitoring program, you should clearly communicate expectations about your organization’s policies and procedures and train accordingly through an LMS program.
5: Create Policies and Assess Risk
To align with the final Breach Notification Rule, you need to develop the policies and procedures required to implement your privacy and compliance program. To do so, identify your high-risk assets and ensure that your risk analysis of these assets is current. These should include both technical and non-technical assets that are business-critical.
6: Make and Keep Track of Business Associate Agreements
For any of your vendors that deal with PHI, it is crucial to put business associate agreements (BAAs) in place. This helps ensure that both parties are held accountable for creating, receiving or transmitting PHI in a secure and intended manner. If either party violates the BAA, they may face penalties from the HHS. Most importantly, find a vendor who takes the BAA very seriously. Any organization can sign one, but do they have the proper protocols in place to responsibly handle PHI? Ask questions and investigate to assess how secure their processes really are.
7: Make an IRP
To contain security incidents that would otherwise become breaches requiring regulatory involvement, create a well-thought-out incident response plan (IRP. The HIPAA Security Rule requires covered entities to have IRPs. The HHS provides a free Incident Response Plan template to help organizations handle incidents with more agility. Once created, an IRP requires frequent evaluation and changes as the organization naturally evolves.
8: Find Out Who Your Users Are
Out of 1 million EHRs and cloud application users that FairWarning sampled, 26 percent were poorly known or unknown to the care provider. This means that these users are unable to be monitored and audited, making it difficult to train or sanction them in the event of a HIPAA violation. To help, organizations can improve compliance by implementing identity correlation technology in their EHRs and cloud applications.
A Strong Compliance Foundation
The healthcare industry continues to change to meet new consumer demands, technology and regulations. With several massive industry date breaches looming in the collective conscious, providers want to do everything possible to maintain consumer trust and stay out of the headlines. The action items noted above will help you ensure you have a proactive compliance program in place that will save your organization from fines and embarrassment but also lay the groundwork for a future of strong compliance as new technologies emerge.
Shane Whitlatch, Executive Vice President for FairWarning works with FairWarning’s largest and most sophisticated customers in order to ensure these customers get the greatest value possible from their solutions. Shane also plays a major role in alliance development.