OCR Audits: Don’t Fall Victim To Past Mistakes

The Office of Civil Rights is not out to get you. But it does expect you to make good-faith efforts at protecting patient data.

Mark Fulford, Partner at LBMC’s Security & Risk Services

November 21, 2014

5 Min Read
(Source: Lendingmemo.com)

It's been two years since the 2012 Office of Civil Rights (OCR) pilot program audits took place, with results pointing to an overall lack of clarity on how to comply with HIPAA regulations. Despite having more time to figure it out, the current prevalence of non-compliance across the healthcare industry suggests this lack of clarity persists.

The 2014 through 2015 OCR audit season is upon us, and many healthcare organizations still have not taken adequate measures to prepare.

The good news is the upcoming audits, originally slated to begin this fall, have been delayed. The OCR is taking additional time to finalize the web portal it will use to gather electronic compliance artifacts from entities the agency selects for audits. But this round of OCR audits will target a significantly larger number of covered entities than were audited in 2012. And when the audits do commence, business associates will be included as well. In other words, there is a much higher likelihood of being audited than there was in 2012.

[Is Twitter's new security scheme dangerous? Read Killing Passwords: Don't Get A-Twitter Over 'Digits.']

If you are an eligible organization, now is the time to learn from past mistakes and get ready for a possible visit, on site or electronically, from the OCR.

Exposing the gaps in healthcare compliance
The 2012 OCR audits revealed the healthcare industry at large had not yet begun to take compliance seriously. An astounding two-thirds of audited entities had not even performed a complete and accurate risk assessment, which is the first step in putting a security strategy in place.

Here are some other unsettling results of the 2012 OCR audits:

  • Minimal protection: A number of audited organizations had not installed basic security tools to protect their networks. Not only was patient data exposed, there was little or no initiative to identify areas of vulnerability and put better controls in place.

  • Clueless about data: Many covered entities were challenged to identify where they stored their protected health information (PHI). As expected, PHI resided in core clinical applications, in databases, on workstations, on external media, and on print copies. But most organizations were hard-pressed to know what data was stored where. Plus, employees used mobile devices to access data from a variety of public places, with little or no consideration for the confidential nature of each transaction.

  • Lack of oversight: Overall, the 2012 OCR audits revealed that a large number of audited organizations grossly neglected data monitoring, staff training, and breach reporting.

Since the enactment of HITECH in 2009, the Department of Health and Human Services (HHS) has cited more than 1,000 serious data breaches of 500-plus records -- compromising more than 33 million patient records  -- on its online wall of shame. Sadly, in the 2012 audits, only 13 entities (out of 115) had no findings or observations.

OCR is on your side -- take advantage
Although no one should overlook the penalties for non-compliance, it's important to recognize the OCR is not out to get you. There are a number of resources available from the OCR website as well as the Office of the National Coordinator (ONC) at HealthIT.gov. OCR audits are a vehicle to monitor the overall healthcare industry for compliance with HIPAA regulations. Aggregate findings inform policies and outreach that will improve the overall privacy and security of patient data.

But the OCR will expect to find a good-faith effort to comply if they audit you. The first step, if you have not done so already, is to conduct a risk assessment that identifies areas of vulnerability in your healthcare data security strategy. As part of that risk assessment, do an inventory of all your confidential patient data. Know where it resides and how it’s handled. Don't forget to include all business associates with whom you share PHI. And be sure you maintain an accurate listing of those organizations. Auditors will ask.

Beyond basic network security controls and cataloging data, HIPAA dictates that you take an active role in protecting PHI. It's not enough to simply install network security tools. Go one step further and assign someone to periodically review system logs and events. Check physical security of your data centers and office areas. Situate workstations strategically for maximum privacy. Review your business associate agreements and make sure that the third parties with whom you share data are compliant as well. (This due diligence can be done through your own audit or by using a third-party resource such as a SOC or HITRUST report.) HIPAA also requires that staff is trained on how to handle and store PHI, and that you schedule regular reminders. How prepared you are to recognize and respond to possible breaches also will be a focus of the upcoming audits, so be sure you have documented plans in place.

As you can see, HIPAA regulations affect multiple areas of your organization. But the directives aren't always as prescriptive as some might like. By design, HIPAA rules have built-in flexibility, leaving decisions about compliance up to each organization, based on size, budget, and risks that are unique to your operations. Clearly, a large regional hospital will have more resources to dedicate to healthcare data security than a small-to-midsize physician's office. OCR recognizes this, which is why how you meet standards is ultimately up to you. If you've implemented a compliant strategy to the best of your ability and have justified your decisions in writing, you will likely emerge from an audit relatively unscathed. If not, take these lessons to heart and prepare thoroughly for a potential audit.

The owners of electronic health records aren't necessarily the patients. How much control should they have? Get the new Who Owns Patient Data? issue of InformationWeek Healthcare today.

Read more about:


About the Author(s)

Mark Fulford

Partner at LBMC’s Security & Risk Services

Mark Fulford is a Partner in LBMC's Security & Risk Services practice group. He has over 20 years of experience in information systems management, IT auditing, and security. Marks focuses on risk assessments and information systems auditing engagements including SOC reporting in the healthcare sector. He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). LBMC is a top 50 Accounting & Consulting firm based in Brentwood, Tennessee.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights