OCR Audits 2017 Challenges: Risk Assessments and Business Associates

Updated on March 31, 2017

The healthcare industry is under remarkable pressure right now: a patchwork of regulations to comply with, intense scrutiny from the Office for Civil Rights (OCR), and the constant threat of cyber attacks are growing concerns. Healthcare organizations also face sustained risks—tight profit margins, rapid advances in technology and medicine, an aging population, public health crises—and need a way to assess and manage it all systematically. By integrating compliance, security, and risk programs, healthcare organizations can address their most compelling challenges more efficiently and effectively.

Recent research based on records from the OCR and the Department of Health and Human Services (HHS) indicates the number of healthcare cyber security attacks increased 320 percent over the prior year. There was also a 181 percent increase in patient records exposed in provider-targeted attacks. According to OCR statistics, hacking incidents and unauthorized disclosure (insider breaches) were the two primary causes of healthcare breaches, and providers were by far the primary target (versus healthcare plans and business associates).

The time to act is now

While healthcare organizations may hesitate to invest in compliance programs in the midst of regulatory change, putting governance, risk management and compliance (GRC) activities on hold is a grave mistake. Cybercrime isn’t going anywhere, and the OCR continues to push forward with audit, investigation and enforcement activities. Regardless of legislation outcomes, the healthcare industry (and providers in particular) must work to optimize their risk management, data governance, and cyber security programs.

A good focus for these efforts is to identify where risk lies and how it can be mitigated. Healthcare organizations should perform enterprise-wide risk assessments in order to set strategic priorities for compliance and cyber security efforts. A comprehensive approach to optimizing policies, procedures, and defensive measures through integrated risk management and data governance is the surest way to build business resilience and protect patients.

Risk assessments must be current, complete and accurate

The OCR’s HIPAA audit program includes agency examinations (and follow-up reviews) that require providers and business associates (BAs) to demonstrate that they have comprehensively assessed risks to data security and privacy across the organization. These risk assessments should demonstrate that HIPAA-mandated physical, technical, and administrative safeguards are fully implemented and functioning as planned. The OCR examines assessments for completion, accuracy, and currency.

To help guide providers and BAs through the risk assessment process, the Office of the National Coordinator for Health Information Technology (ONC) has provided a Security Risk Assessment Tool. Healthcare organizations and BAs should also consider using comprehensive risk frameworks like NIST and the ISO-27000 series as best practices to bolster their security programs.

Covered entities are also obligated to assess risks related to their BAs and establish data governance agreements (BAAs) with them. Failure to do so risks OCR enforcement and penalties, which can be sizable. Risk assessment is not a one-and-done activity. When providers implement new technology, cloud services, or processes, they should update their risk profile. In the event of a breach, evidence that an organization neglected to conduct regular risk assessments or follow through on any findings could mean larger fines.

Beyond risk assessments, OCR audits focus heavily on the management of Protected Health Information (PHI). Providers, plans and BAs should prepare by cataloging where and how every bit of PHI is stored and transferred. Covered entities need to evaluate all inventoried databases, cloud storage and services, mobile devices and laptops for tight access management, strong passwords, and proper encryption protocols. Vulnerabilities should be identified and remediated. Incident response and recovery plans should be carefully planned and rehearsed.

Comprehensive GRC solutions can help

Putting these best practices into action can be easier said than done. Implementing processes, assessment routines, and security frameworks is burdensome. Providers may have hundreds of vendors, tools, and machines to manage.

Comprehensive GRC software platforms automate and systematize interconnected cyber security and internal audit efforts across the enterprise. These cloud-based solutions can centralize data and documentation, monitor workflow and remediation, and manage risk assessments. Automated monitoring and workflow engines reduce manual processes while increasing accountability and collaboration.

Because the OCR requires audited entities to respond quickly (often within 10 business days), it is paramount to have documentation up-to-date and organized. GRC solutions track all communications (e.g., assignments, training, authorizations, and policy memos) from approval through distribution and sign-off, making it easy to produce dashboards and reports. The enhanced efficiency and visibility enabled by these platforms make it easier to identify gaps in PHI protection and processes that need to be fixed.

The compliance team can also use the GRC system to map risks, policies and authoritative sources (laws, regulations and standards) to controls, strengthening the protective connections between cyber security, data governance, and risk management. The resulting optimization not only ensures compliance and audit-readiness, it also reinforces security measures and streamlines routine operations.

Cyber attacks and data breaches are a constant threat to all types of businesses, but the stakes are especially high for the healthcare industry. The exposure of records containing PHI is dangerous to consumers, and highly valuable to black market criminals. Ransomware that disrupts hospital operations, remote hacking of connected medical devices, and sabotage of medical records are potentially life-threatening. Most healthcare providers have some catching up to do when it comes to cyber security and incident response. Risk assessments will identify the urgent issues and ensure that improvement efforts are prioritized and focused for maximum impact. Strong, integrated risk management and data security initiatives empower healthcare organizations to cultivate the resilience and agility necessary to stay compliant, sustain business, and serve patients effectively.

Manolito Jones is the Healthcare Solutions Team Leader for LockPath’s healthcare team. With 15 years in the healthcare and pharmaceutical industries, Jones’ focus is on helping healthcare organizations realize value through technology.