OCR HIPAA AUDITS THEY RE BACK!

Transcription

1 OCR HIPAA AUDITS THEY RE BACK! Chris Apgar, CISSP 2016 OVERVIEW OCR Audit Program Overview What to Expect if OCR s Auditors Show Up Potential Penalties and Other OCR Actions How to Prepare for an Audit Resources Summary and Q&A 2 1

2 HITECH Act mandated the Office for Civil Rights (OCR) conduct HIPAA compliance audits OCR announced the kick off of Phase 2 audits in April, 2016 Contact validation and pre-audit surveys sent to covered entities (CE) beginning April 2016 Audit program meant to augment, not replace, current investigation and enforcement activity 3 OCR announced the number of contacts OCR had with a CE would factor into the decision of who to audit KPMG is currently training new and existing staff in preparation to launch the formal audit program CEs should expect audits to commence within the next two months BAs will be audited later in

3 Contact verification and pre-audit surveys were ed to CEs beginning in April 2016 When audits commence CEs selected for an audit will be required to provide OCR with a list of all current BAs Entities to be audited will include a cross section of CEs and BAs across different geographic locations 5 BAs to be audited will be selected from BAs identified as part of CE audits CEs and BAs who receive a pre-audit survey may or may not be audited Targeted desk audits and comprehensive onsite audits will be conducted as part of Phase 2 audits It is unclear whether or not comprehensive and desk audits will be conducted sequentially 6 3

4 Random selection used when possible within types Wide range of auditees (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories) Per OCR approximately 200 CEs and BAs will be audited OCR will not audit entities with open complaint investigation or currently undergoing compliance review 7 Phase 2 Audits: Round 1 CE desk audits Round 2 BA desk audits Round 3 Comprehensive audits Based on Round 1 experience, Phase 2 CE audits will target: Security risk analysis and risk management Breach Content and timeliness of notifications Privacy Notice and access 8 4

5 Round 2 BA audits will target: Risk analysis and risk management standards Breach reporting to covered entities Round 3 CE and BA audits complete audit protocol 9 WHAT TO EXPECT IF OCR S AUDITORS SHOW UP OCR will notify CEs and BAs immediately preceding audits The Phase 2 audit protocol includes documentation that will be requested CEs and BAs must forward all documentation requested within 10 business days from notification 10 5

6 WHAT TO EXPECT IF OCR S AUDITORS SHOW UP Audited entities submit documents on-line via secure audit portal on OCR s website Paper documentation will not be accepted Auditors won t be available to answer questions during the desk audits 11 WHAT TO EXPECT IF OCR S AUDITORS SHOW UP Following the audit, CEs and BAs will receive draft audit report CEs and BAs have 10 business days to provide management response Auditors will forward final audit report to OCR 30 days from date of CE or BA response Depending on findings, OCR may open a compliance investigation Per OCR audits are not meant to be punitive 12 6

7 WHAT TO EXPECT IF OCR S AUDITORS SHOW UP Audit protocol covers privacy, security and breach notification Expect to provide policies, procedures and evidence that policies and procedures are followed Extensive documentation will be requested If there is no documentation, CEs and BAs must provide written statement that no documentation exists and why 13 THE UNKNOWNS Period to be audited is not clear Questions in the pre-audit questionnaire suggest most recent fiscal year Sample size unknown Per pre-audit survey letter collected documentation may be subject to public disclosure under Freedom of Information Act (FOIA) unclear if FOIA response to include PHI and employee PII 14 7

8 THE UNKNOWNS Audit protocols designed to work with broad range of CEs and BAs but application may vary depending on size and complexity of the entity being audited No information on how audits will vary and amount of documentation required 15 THE QUESTIONS Privacy Rule protocol, 45CFR (c) Implementation specifications: Provision of access. If the CE provides an individual with access to PHI, the CE must comply with the requirements listed in the protocol Auditors directed to Obtain and review access requests which were granted (and documentation of fulfillment, if any) and access requests which were denied. Question: Is this intended to be a request for all access requests (regardless of disposition) during the audit period, or can the auditor request that the covered entity provide a sample? 16 8

9 THE QUESTIONS Auditors not taking into account more stringent state law Question: What if state law more stringent and state law compliance varies from HIPAA requirements? 17 POTENTIAL PENALTIES AND OTHER OCR ACTIONS If OCR elects to conduct a compliance review, it could result in: Technical assistance provided by OCR Corrective action plan the CE must comply with (may include required third party compliance review for three to five years) Civil penalties or monetary settlements If finding of willful neglect, expect formal enforcement 18 9

10 HOW TO PREPARE FOR AN AUDIT Read audit protocol! Begin planning for audit now likely can t assemble all required documentation in 10 business days If documentation not provided, don t expect to provide additional documentation when receive draft review for management response 19 HOW TO PREPARE FOR AN AUDIT Centralized compliance documentation really matters Develop a compliance plan Prioritize high to low risk compliance gaps Assign resources to eliminate privacy and security compliance gaps 20 10

11 HOW TO PREPARE FOR AN AUDIT Track and document compliance project status Document mitigation activity Store all centrally Many CEs and BAs aren t compliant with several high risk compliance requirements This amounts to more than adopting required policies and procedures evidence required Need to demonstrate continued compliance activities (not a one time event) 21 HOW TO PREPARE FOR AN AUDIT Key to surviving an audit unscathed current and accurate documentation that s easily accessible CEs and BAs bear burden of demonstrating compliance The time is now to address compliance gaps 22 11

12 RESOURCES OCR audit website: ement/audit/index.html Apgar & Associates, LLC: 23 Q&A Chris Apgar, CISSP CEO & President