By Corliss Collins, RHIT, CCA CBCS
From Compliance Today, a publication for HCCA members
Hypothetically, it is Monday morning and you just arrived at your office. As the HIPAA Privacy officer, you start to shuffle through your inbox, and there is a letter addressed to you from the Department of Health and Human Services, Office of the Secretary. It is an automated communication, in most cases sent to the primary contact responsible for Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security compliance within the selected organization. The Office for Civil Rights (OCR) is attempting to verify whether you are the point of contact for HIPAA Privacy, Security, and Breach Notification Rule audits.
OCR needs to confirm your email address. You have 14 days to respond to the set of instructions outlined in the letter. Your cooperation will be greatly appreciated. Failure to respond will not prevent your organization from being selected. A prompt response to this request for information (RFI) would be in your company’s best interest. Who are the key compliance players (KCPs) and key compliance influencers (KCIs) within your organization?
Developing a winning strategy for successful HIPAA audit protocols requires an understanding of OCR audit and measurement standards. When was the last time a mock HIPAA audit was performed? Are you prepared to respond?
Why were we selected?
At this point, there are no clear indicators regarding why designated covered entities are selected for audits. More research is required to be able to answer this question with certainty. However, a broad spectrum of selection criteria and information has been published on the HHS.gov website (see sidebar). This data suggests healthcare providers, health plans, healthcare clearinghouses, and business associates seem to be selected randomly.
Some of the criteria used by the OCR include, but are not limited to: (1) whether the organization is public or private; (2) its geographic location; or (3) whether any current enforcement activity is documented. The OCR may well look into whether there are records of health information privacy rights violation complaints against a covered entity or any of its business associates, or whether any privacy rights violation complaints were filed with the OCR. Have there been any information security breach activities reported? They are trying to identify and minimize compliance risks and vulnerabilities.
What could lead to your organization being on the OCR Phase II HIPAA Audit selection radar? In June 2016, a covered entity’s business associate’s failure to safeguard protected health information (PHI) led to a $650,000 HIPAA settlement for Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), after the theft of a CHCS mobile device compromised the PHI of 421 nursing home residents.
In March 2016, another covered entity agreed to a $1.55 million settlement to settle charges that it potentially violated the HIPAA Privacy and Security Rules in two incidents: (1) failing to implement a business associate agreement with a major contractor, and (2) failing to institute an organization-wide risk analysis to address patient information risks and vulnerabilities. These are just a couple of possible reasons why your organization was selected.
So, what now?
You have received the letter—your organization was selected for a HIPAA Compliance Audit. The HIPAA Privacy, Security, and Breach Notification Rules require email verification of the compliance officer or compliance professional for your organization, and you have 14 days to complete the forms and return them to the OCR. The HIPAA Audit pre-screening process is underway. All four sections of the questionnaire, comprising 30 questions, have to be answered by the HIPAA compliance officer or designated HIPAA representative. The questionnaire requires data to be completed for:
- Basic organization
- Healthcare providers
- Health plans
- Healthcare clearinghouses
Strategic enforcement of HIPAA mock audits within your covered entity positions your organization to develop a winning strategy and demonstrate competency when it comes to passing OCR audit protocols. In one year (2015), more than 780 data breaches were reported. Approximately 170 million identities were compromised, creating significant complications for each of the organizations impacted and for the victims. Statistics show that greater than 50% of data breaches can be traced to some type of human component. Almost all (93%) hacker events involving compromised information systems occur in minutes, or possibly seconds. More than half (63%) of the data breaches investigated involve password vulnerabilities.
2016 is already being viewed as a potentially landmark year for OCR HIPAA enforcement audits, identifying significant HIPAA compliance gaps for covered entities and assessing record financial penalties. An approved budget of $43 million has been allocated for the OCR in 2017.
What is the winning strategy?
A winning strategy for OCR Audit Success requires implementation of Privacy Rule and Security Rule best practices; the following steps will help you be better prepared, if and when you receive an Audit Notification letter:
- Start by conducting random HIPAA Privacy and Security Rule mock audits.
- Perform internal audit protocol assessments for your covered entities’ Breach Reporting Rule and review past performance.
- Go to http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/ to review and practice filling out the OCR's pre-screening questionnaire.
- Revisit all HIPAA compliance policies, procedures, and standards, and bring them up to date where applicable.
- Verify and be sure to have evidence of an up-to-date HIPAA Security Rule risk analysis.
- Create a list of all of your business associates (BAs); review and validate that each BA has a HIPAA compliance agreement on file.
In summary, developing a winning strategy for your OCR audit process will include a combination of desk and onsite examinations. There are 89 HIPAA Privacy, 72 Security, and 19 Breach Reporting audit protocol requirements. OCR assessment protocols require HIPAA Privacy, Security, and Breach Notification policies, procedures, and standards to be implemented. Audit standards and measurement best practices must be executed. Covered entities and business associates should be prepared to respond to OCR information verification requests and onsite visits. Minimizing OCR audit failure rates should be the primary focus. Using the strategic approach outlined above will put your covered entity well ahead of the game tactically when it comes to meeting the OCR's HIPAA Audit and Measurement Standards.
Sidebar: Important Resources
ONC Privacy and Security Guide:
Fast Facts for Covered Entities:
For Business Associates:
HITECH Breach Notification Interim Final Rule:
U.S. Department of Health and Human Services: “Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement.” hhs.gov Health Information Privacy, June 29, 2016. Available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/
DHHS press release: “$1.55 million settlement underscores the importance of executing HIPAA business associate agreements.” March 16, 2016. Available at http://www.hhs.gov/about/news/2016/03/16/155-million-settlement-underscores-importance-executing-hipaa-business-associate-agreements.html