Iliana Peters, OCR’s Senior Advisor for HIPAA Compliance and Enforcement, was the featured speaker in the September 19 HealthcareITSecurity.com webinar sponsored by Iatric Systems. Her topic: "What Covered Entities Need to Know about OCR HIPAA Audits." As national lead for OCR enforcement of the HIPAA Rules, she’s uniquely qualified to give us an update on HIPAA audits.
In case you missed the webinar, Iliana provided lots of valuable information and insights about the HIPAA audit program which we’ll summarize below and in the next few posts. (Standard disclaimer: Iliana emphasized that these are her views and not necessarily those of HHS.)
Purpose of the OCR Audit Program
Iliana began by providing background information about the audit program and by putting the program in context. She explained that OCR is involved in a number of initiatives to safeguard protected health information (PHI), partnering with the healthcare industry and other government agencies. One of their main roles is to receive complaints and breach reports from patients, family members, news media, and other agencies — all of which they need to investigate and determine what, if any, corrective action is needed.
The goal of the audit program is to reduce the issues that lead to complaints and breaches by supporting improved compliance with the rules. Specifics include:
- Uncovering risks and vulnerabilities
- Identifying areas where technical assistance is needed
- Identifying areas where OCR needs to provide additional tools and guidance to help entities in compliance self-evaluation and in preventing breaches
- Encouraging consistent attention to compliance
- Providing feedback to covered entities and business associates on their compliance efforts
Iliana added that the audit program is not intended to be punitive — but obviously, as a regulator, they can’t turn a blind eye to egregious behavior or when an entity fails to respond.
Audit Program History
The HITECH act requires OCR to audit covered entities and business associates for compliance with HIPAA privacy, security, and breach notification rules. Phase 1, established in 2011, was a pilot program, where outside contractors measured the compliance efforts of 115 covered entities. OCR evaluated the effectiveness of the pilot program, drawing upon the experience and results to implement Phase 2. This phase, which is intended to “take the pulse of the industry”, is performed by in-house OCR staff and is currently underway.
Audit Types and Statuses
Phase 2 of the audit program includes two types of audits: desk audits and onsite audits.
OCR contacts a covered entry or business associate by email requesting specific types of information, which OCR then uses to determine the level of compliance at the time the request took place. (Iliana likens it to a “snapshot of compliance.”) Desk audits are currently underway, involving 168 covered entities (mostly complete) and 43 business associates (still ongoing) drawn from a pool of more than 20,000 BAs identified by audited CEs.
On-site audits of covered entities and business associates will be performed after completion of the desk audits. The on-site audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA rules. These audits will be extremely resource-intensive and OCR is still working out the details about how they’re going to conduct these audits and how many to perform.
Note: If you’ve been subject to a desk audit, you may still be subject to an on-site audit. (OCR hasn’t decided.)
After these documents are received, OCR reviews the information submitted and provides the auditee with draft findings. The covered entity or business associate then has 10 business days to review and return written comments, if any, to the auditor. Entities often use this opportunity to inform OCR what steps they have taken or will take to correct any compliance issues uncovered in the audit. Iliana notes that while those efforts are appreciated, audit findings are based on the snapshot — the compliance status at the time OCR made the audit request.
OCR will then prepare a final audit report which they will share with the audited entity. The report includes:
- A description of how the audit was performed
- The audited party’s responses to findings from the draft
- Findings revealed by the audit. If an audit report indicates a serious compliance issue, OCR may initiate a compliance review to investigate further.
OCR is currently conducting an initial analysis of completed audits and reports pursuant to those audits. After the analysis is complete, findings will be posted on the OCR website.
Audit Guidance and Resources
Iliana strongly encouraged use of the resources and guidance available on the HHS HIPAA website, including information about the Privacy Rule, Security Rule, and Breach Notification Rule that covered entities and business associates need to comply with. She also mentioned three sites in particular, all accessible from the main page:
Information about HIPAA audits, what CEs and BAs need to do to comply, rules governing enforcement decisions, audit tools and guidance, sample document requests, comprehensive Q&As, and lots more.
- Checklist and infographic explaining the steps to take in response to a cyber-related security incident
- How NIST’s framework for improving critical infrastructure cybersecurity maps to the HIPAA Security Rule
- Ransomware guidance
- Cyber awareness newsletters
Lots of useful information to help CEs and BAs take advantage of cloud computing while meeting their HIPAA obligations.
If you are interested in reading how one hospital met its HIPAA requirements, read this West Virginia University Hospitals’ success story.