valueoutcome July Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny

Transcription

1 valueoutcome July 2014 Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny Highlights 1. In preparation for Phase 2 audits, covered entities should pay extra attention to areas the OCR has indicated represent heightened risk. These include: Risk assessment Individuals right to access their PHI Authorizations Minimum necessary use and disclosure Notice of privacy practices Breach notification and incident response Access controls Encryption Logging 2. Pre-audit surveys of covered entities are expected in summer The OCR will send document requests to organizations selected for audits in fall Phase 2 audits are expected to run from October 2014 through June Business associate audits are scheduled to begin in The OCR s pre-audit survey will ask each covered entity to identify its business associates and supply their contact information. In preparation, organizations should collect and validate this information as soon as possible. In an attempt to verify compliance with HIPAA s Security Rule, Privacy Rule, and Breach Notification Rule (collectively, the HIPAA Rules ), the Office for Civil Rights (OCR) began in 2012 to pilot privacy and security audits of payers, providers, and healthcare clearinghouses (i.e., covered entities ). In March 2014, the OCR announced the implementation of a Phase 2 audit program to begin in fall 2014 based on the findings of the pilot audits. In Phase 2, the OCR will conduct audits of HIPAA-covered entities, with audits for business associates anticipated to begin in The Phase 2 audit program will have a different look and feel from the pilot program. Phase 2 audits will be conducted as desk audits (although the OCR has also reserved the right to conduct on-site audits as its resources allow). The new audits will be guided by findings from the pilot program that indicates areas of heightened risk or vulnerability to privacy or security breaches. In Phase 2 of its HIPAA compliance audit program, the OCR will distribute surveys to approximately organizations, from which 350 will be randomly selected for audit. 1 Information in this paper is sourced from The US Department of Health and Humans Services Office for Civil Rights Report, OCR Audits of HIPAA Privacy, Security, and Breach Notification, Phase 2, Linda Sanches, MPH, Senior Advisor, Health Information Privacy, March 31, nt2.pdf

2 Background Phase 2 audits incorporate new processes, standards The OCR s pilot program audited 115 entities, including 61 providers, 47 health plans, and seven clearinghouses. The OCR assessed compliance with 169 requirements corresponding to the provisions of the HIPAA Rules. The agency contracted a third-party auditor to conduct audits on site. Each audit ranged from hours, requiring three to four weeks of active audit work, depending on an organization s size and structure. Goals of the pilot audit included not only measuring compliance with regulatory requirements, but also developing a replicable audit program that is comprehensive, flexible, and applicable across the diverse range of covered entities and business associates. Audits will be guided by pilot findings The majority of providers audited in the pilot had at least one security finding or observation. Deficiencies in compliance with the HIPAA security provisions accounted for 60% of the audit findings and observations in the pilot program most notably the lack of complete and accurate risk assessment in two-thirds of the entities audited. 2 Entities that did well and had no security findings or observations generally met the standard by fully implementing the addressable specifications. From a privacy perspective, the most commonly cited findings included meeting the requirements for access to protected health information, notice of privacy practices, and the timing and content of breach notices. 2 Pilot audit results found no complete and accurate risk assessment in two-thirds of the entities audited, including 47 of 59 providers, 20 of 35 health plans, and two of seven clearinghouses. For every finding and observation cited in the audit report, the OCR identified a cause. The most common cause of noncompliance across all entities was lack of awareness about the requirement. Other noted causes included the lack of sufficient resources, incomplete implementation, and, in a few instances, according to the OCR, complete disregard for the requirement. Whereas the pilot audits used contracted staff to perform on-site assessments, the new audit program is expected to be conducted by OCR staff. The desk audit approach means organizations will have no opportunity to seek clarification or ask questions of the auditors. Similarly, the auditors will not be able to contact the covered entity for clarification or additional information. To help stratify the list of potential organizations for audit, the OCR plans to issue a pre-audit survey in summer The survey will help verify and collect data on covered entities data that is not currently available to the OCR. This data will help the OCR classify organizations during the audit selection process. The OCR will distribute the survey online to approximately organizations, from which 350 will be randomly selected for audit. The OCR has made it clear that the failure of an entity selected for a desk audit to submit a response may lead to a referral for a regional compliance review. The OCR will send notifications to the organizations selected for audits in fall Organizations are expected to have two weeks from the receipt of the notification letter to respond to the document request list. While the OCR did allow for policies and requested documentation to be edited or created up until the time of submission during the pilot audits (and presumably will do so in the Phase 2 audits as well), organizations that lack the requested documentation will have difficulty creating and implementing it within a couple of weeks. The OCR s audit program is expected to begin fall 2014, when the agency will conduct audits of covered entities. In 2015, the OCR is expected to begin auditing business associates. The OCR has been clear in its expectations of covered entities for the Phase 2 audit program. Organizations selected for an audit can expect the following: The OCR will assess only documentation submitted on time. All documentation must be current as of the date of the request. There is no opportunity to seek clarification or ask questions of the auditors. Auditors are not able to contact the organization for clarification or additional information. Submitting extraneous information may make it difficult for auditors to locate and assess required items, which may have an adverse effect on an organization s audit results. The OCR will review all items submitted whether requested or not. Any issue the OCR finds with the extraneous documentation will be duly noted and acted upon. Preparing for Phase 2: The next generation of HIPAA audits 2

3 Analysis Setting the stage for a successful audit For a well-prepared and governanceoriented organization, the OCR s desk audit approach will likely be less burdensome than the pilot. On the other hand, the new approach could be problematic for organizations that lack structure and comprehensive documentation regarding their privacy and security policies and processes. Regardless, covered entities and business associates should use this lead time to address gaps in their policies and procedures and consider how best to demonstrate their compliance with HIPAA requirements. To gauge its readiness for an audit, organizations should complete a HIPAA Security Rule risk assessment that is thorough, on point, and easy to understand. In the OCR s pilot audit program, two-thirds of the organizations audited had no complete and accurate risk assessment, making it likely that this will be an area subject to particular inspection in the Phase 2 audits. Organizations should consider implementing remediation activities and conducting an inventory of their systems that handle electronic personal health information. Sending a disorganized or disproportionate response will detract from the organization s story, frustrate the examiner, and could negatively impact audit findings. Generally speaking, an organization s documentation of its HIPAA program should be clear, comprehensive yet concise, current, and easy to follow for the reviewer. To prepare for an audit, organizations should assume the role of the auditor and evaluate their documentation from the auditor s perspective. How does the organization portray its compliance? An organization s established privacy and security policies and procedures will be its primary vehicle for telling its story. Accordingly, covered entities should conduct a thorough review and gap analysis of those policies and procedures. Organizations should ensure that their practices include changes from the Omnibus Rule and are not a wholesale reiteration of implementation specifications. Policies and procedures should demonstrate a thoughtful and effective HIPAA program and accurately reflect an organization s privacy and security practices. Organizations should also compile a list of business associates and their contact information and review the list for completeness and accuracy. (Business associates should likewise undertake this exercise for subcontractors.) Finally, organizations should be responsive to the OCR s documentation request; sending a disorganized or disproportionate response will detract from the organization s story, frustrate the examiner, and could negatively impact audit findings. Sending no response or ignoring the request could lead to a compliance review or other subsequent enforcement attention. Preparing for Phase 2: The next generation of HIPAA audits 3

4 Q&A Organizations can start planning now Q. What are the differences between the pilot audit and the Phase 2 audit program? A. The differences are significant. Most noticeably, the OCR will conduct desk audits rather than on-site audits, meaning that covered entities (and, in 2015, business associates) should ensure that their documentation in response to data requests is clear, upto-date, and concisely addresses the organization s adherence to regulatory requirements under HIPAA. Desk audits also mean that covered entities and business associates will not have the opportunity to clarify the intent of their policies and procedures through interviews with the auditors. Phase 2 audits are also expected to focus on the areas that were the source of a high number of compliance failures during the pilot program, such as the lack of a complete and accurate risk assessment, inappropriate access to protected health information, problems with authorizations for the disclosure of protected health information, unclear notice of privacy practices, and poor timing and content of breach notification. In an effort to increase the number of covered entities and business associates to be audited in Phase 2, the OCR is expected to narrow the scope of the criteria it used in the pilot program. Auditors will assess covered entities and business associates compliance with the HIPAA regulatory requirements using an updated audit protocol that, among other things, addresses the changes implemented by the final Omnibus Rule. Business associates which were not part of the pilot audit will be included in the Phase 2 program beginning in Q. How will the OCR select organizations to audit? A. The OCR will select a pool of covered entities eligible for audit using resources developed through an independent third party. Healthcare providers will be selected through the non-public information (NPI) database. Clearinghouses and health plans will be chosen from external databases (e.g., America s Health Insurance Plans (AHIP)). Random selection will be used when possible for all types of organizations, including group health plans, physicians and group practices, behavioral health organizations, dental offices, hospitals, and laboratories. In summer 2014, the OCR will conduct a pre-audit survey of up to 800 covered entities to help categorize them. Questions in the survey will address size, location, services provided, and best contact information. In addition, the survey is expected to query the covered entities on their business associates, including names, addresses, and contact information. The OCR will use the results of the survey to select a projected 350 covered entities to audit. Survey results will also be used to select business associates for audits in Q. What can my organization do to prepare? A. There are several steps organizations should take in preparation for a possible audit: Conduct a mock audit. Perform a detailed risk assessment that is conducted at least annually. Ensure that addressable security specifications are either fully implemented or adequately documented with mitigation controls. Ensure policies are current for regulatory requirements and drafted in accordance with operations. Policies should be easily accessible by employees. Identify business associates and ensure contact information is verified and valid. Educate and train employees about their role in HIPAA privacy and security compliance. Encourage employees to report known or suspected risks and/or suspected data breaches, and investigate each report to conclusion. Each activity should be clearly documented along with any remediation or corrective action plans and next steps. Covered entities and business associates will not have the opportunity to clarify the intent of their policies and procedures through interviews with the auditors. Preparing for Phase 2: The next generation of HIPAA audits 4

5 Contact information To have a deeper discussion about our point of view on the OCR's HIPAA Privacy, Security, and Breach Notification audit program, please contact: Joseph Greene (612) joe.greene@us.pwc.com T.R. Kane (440) t.kane@us.pwc.com Peter Harries (602) peter.harries@us.pwc.com David C. Sites Managing Director (410) David.C.Sites@us.pwc.com Laurie Smaldon Director (203) laurie.a.smaldon@us.pwc.com Brent Hoard Manager (941) brent.t.hoard@us.pwc.com For more information: HIPAA Audit Webpage PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.