!! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that human capital is limited. Our hitech, low-touch, and cost-effective approach provides continuous maximum information and guidance, and requires minimal staff time and engagement.
Contents About OCR 2 OCR Audit Objective 2 Audit Candidates 2 Audit Protocol 2 Privacy Rule 3 Security Rule 4 Breach Reporting Rule 5 Audit Standards and Measurements 6 Audit Timing 6 Audit Selection Process 6 Step 1 - OCR Information Verification 6 Step 2 - OCR Questionnaire. 6 Step 3 - Creation of the Audit Pool 7 Step 4 - Audit Selection 7 Some Words of Caution 7 If You Received the OCR Questionnaire 7 If You Did Not Receive the OCR Questionnaire 7 Audit Notification Process 8 Desk Audits 8 Onsite Audits 8 Audit Process 8 Desk Audits 8 Onsite Audits 8 Anticipated Audit Failure Rate 9 Anticipated Audit Failing Points 9 If You Fail 9 If You Pass 9 Best Legal and Ethical Strategy 9 Best Practices for Audit Readiness 10 Privacy Rule Best Practices 10 Security Rule Best Practices 10 Breach Reporting Rule Best Practices 11 1
About OCR The Office for Civil Rights (OCR) is an organization within the U.S. Department of Health & Human Services that oversees the privacy and security of protected health information (PHI). The OCR investigates HIPAA complaints as well as privacy and security breaches, and can impose sizeable fines on Covered Entities if protected health information is incorrectly accessed, lost or stolen. OCR has recently announced a new audit program targeting selected Covered Entities and Business Associates, designed to assess compliance with HIPAA mandated processes, controls, and policies. OCR Audit Objective The primary audit objective is to assess compliance of the HIPAA regulated industry, with a focus on selected specifications of HIPAA Privacy, Security, and Breach Notification Rules. OCR also hopes to discover industrycommon vulnerabilities that remain undetected during routine OCR complaint investigations and compliance reviews, and use these findings to develop new breach prevention strategies. Finally, OCR will be testing a desk audit protocol to determine its effectiveness in gauging overall compliance. OCR will ultimately use all audit findings to determine where to focus ongoing enforcement initiatives. Audit Candidates Every Covered Entity and Business Associate is eligible for an audit. Covered Entities and Business Associates selected for the audit will likely represent a blend of organizational types, sizes and geographic locations. In other words, ANY Covered Entity or Business Associate could be selected. Audit Protocol OCR will conduct remote desk audits that will focus on a limited set of requirements, and then proceed with more comprehensive, onsite audits. The initial audit phase will include desk audits of Covered Entities, followed by desk audits of Business Associates. A third phase will include onsite audits of both Covered Entities and Business Associates. OCR s audit protocol encompasses requirements and implementation specifications from HIPAA Privacy, Security and Breach Notification Rules. Included in the protocol are 89 Privacy requirements, 72 Security requirements and 19 Breach Reporting requirements. Based on the type of Covered Entity or Business Associate selected for audit, OCR will identify a subset of topics to be audited from among these 180 audit items. Breakdown of Audit Terms by Type Security (72) Breach (19) Privacy (89) A full listing of the 180 audit items included in the audit protocol can be found on http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html. 2
Privacy Rule Items included in the 2016 OCR Audit Protocol for Privacy Rule Requirements: PHI uses and disclosures; Rights to request privacy protection for PHI; Personal representatives; Access of individuals to PHI; Confidential communication and Business PHI administrative requirements; Associate contracts; Amendment of PHI. Notice of Privacy Practices for PHI; 25 # Audit # Items Audit Items Per Privacy Regulation Regulation 20 15 # Items 10 5 0 Regulation The top 3 privacy regulations by number of items include: 1. CFR 164.512 - Uses and disclosures for which an 2. CFR 164.530 - Administrative Requirements authorization or opportunity to agree or object is 3. CFR 164.514 - Other requirements relating not required to uses and disclosures of protected health information 3
Security Rule Items included in the 2016 OCR Audit Protocol for Security Privacy Rule Requirements: Risk analysis; Business associate controls and agreements; Risk management; Facility access controls; Workforce authorization; Workstation security; Information access management; Device control and disposal; Security awareness training; Access control; Contingency planning; EPHI protection. 30 # Audit # Audit Items Items Per Per Security Regulation 25 20 # Items 15 10 5 0 164.308 164.310 164.312 164.314 164.316 164.306 Regulation The top 3 security regulations by number of items include: 1. CFR 164.308 - Administrative Safeguards 2. CFR 164.310 Physical Safeguards 3. CFR 164.312 Technical Safeguards 4
Breach Reporting Rule Items included in the 2016 OCR Audit Protocol for Breach Notification Rule Requirements: Breach administrative requirements; Breach Definitions; Training; Notification to individuals; Complaints; Timeliness, content and method of notifications; Sanctions; Burden of Proof. Retaliatory Acts; Waiver of Rights; Policies, procedures & documentation; 7 # Audit # of Audit Items Items Per Per Breach Regulation 6 5 # Items 4 3 2 1 0 164.530 164.404 164.402 164.414 164.408 164.410 164.412 164.406 Regulation The top 3 breach regulations by number of items include: 1. CFR 164.530 - Administrative Requirements. 2. CFR 164.404 Notification to individuals 3. CFR 164.402 - Definitions 5
Audit Standards and Measurements OCR will use the following standards and measurements when assessing an Entity s compliance with each item selected for audit: Verify that Policies and Procedures exist for the Rule; Verify that the Entity performs the necessary requirements of the Rule; Obtain and review Rule Policies and Procedures to ensure all required elements are included; Obtain and review documentation demonstrating the Rule is executed in accordance with Policies and Procedures; For Security items, if the item is Addressable vs. Required, AND the entity has chosen an alternative measure: Obtain documentation as to why the alternative was chosen; Evaluate documentation and assess whether the alternative is equivalent to the implementation specification. Audit Timing The 2016 Audits are currently in process, and are expected to conclude by December 31, 2016. Audit Selection Process Step 1- OCR Information Verification The process begins with an email from OSOCRAudit@hhs.gov that requests verification of Entity contact information: This is an automated communication from the Office for Civil Rights (OCR). According to our records, you are the primary contact OCR should use to reach Entity Name regarding its potential inclusion in the HIPAA Privacy, Security, and Breach Notification Rules Audit Program. We are attempting to verify this email address. Please respond within fourteen (14) days as instructed below to either confirm your identity and email address or instead provide updated primary and secondary contact information. If you ARE the primary contact for this organization, please select the following link YES. Once the link is selected, a browser window will open and your response will be recorded. If you ARE NOT the primary contact for this organization, please select the following link NO. Once the link is selected, a browser window will open and your response will be recorded. Thank you for your cooperation. If we do not receive a response from you we will use this email address for future communications with this Entity. Failure to respond will not shield your organization from selection. Step 2- OCR Questionnaire Once contact information is obtained, OCR will send a Questionnaire to Covered Entities and Business Associates for the purpose of gathering demographic data. The Questionnaire will solicit general information, such as organizational type, annual revenue, use of electronic medical records and number of locations, patient visits, patient beds and clinicians. It is still unknown exactly how many organizations will receive this Questionnaire, however OCR initially indicated in 2014 that up to 800 organizations could be included. 6
Step 3- Creation of the Audit Pool The demographic data collected from the Questionnaire will be complied to create a pool of audit candidates. Because OCR is using the information collected to create a diverse sample of Covered Entities and Business Associates, the candidate pool will likely represent a wide range of organizational sizes, types and geographic locations. Step 4- Audit Selection Audit candidates will be randomly selected from the audit pool. Some Words of Caution It is important to note that your system may incorrectly classify emails from OCR as spam. This is true for both the Information Verification email and the Questionnaire email. It is therefore highly recommended that you closely monitor your junk or spam folders. Additionally, ignoring the Information Verification email or the Questionnaire (or not locating this OCR communication in your spam folders) will not keep your organization from being entered into the audit pool. OCR will use public information about Entities that do not respond when creating the audit pool, and therefore a nonresponding entity may still be selected for audit or be subject to a compliance review. If You Received the OCR Questionnaire If your organization received the OCR Questionnaire, it has been included in the Audit pool and is subject to a potential audit. Start preparing immediately: Gather and organize your Privacy, Security and Breach documentation to ensure your ability to respond in a timely manner if ultimately selected for an audit. An organization selected for audit will be expected to provide the requested audit information within 10 business days of Audit notice. Evaluate the agreements, requirements and practices you have in place with 3rd party IT service providers and other Business Associates. If you haven t done so already, make sure your list of Business Associates is updated and complete. Conduct a mock audit to identify missing or incomplete documentation, focusing on documentation related to notice of privacy practices, right of access, risk analysis, risk management, and breach notification rules. If You Did Not Receive the OCR Questionnaire Covered Entities and Business Associates that have not received the OCR Verification email or Questionnaire (after having verified this through spam folders) are likely not in the initial audit pool. However, this does not mean the organization is safe from audit, because OCR will use these very audit findings to determine where to focus ongoing enforcement initiatives. Additionally, it is just makes sense to achieve and maintain HIPAA compliance, as all Covered Entities are subject to random HIPAA audits, as well as audits resulting from a complaint or security breach. 7
Audit Notification Process Covered Entities and Business Associates that are selected for an audit will receive an email from OCR notifying them of selection, and advising of the requirement to provide documents and other information in response to a document request letter. Desk Audits For desk audits, the notification email will introduce the audit team, explain the audit process, outline expectations, and include preliminary requests for documentation. For Covered Entities, it will also delineate the information needed from its Business Associates. The audited organization will be expected to provide the requested information within 10 business days, using OCR s secure portal. Onsite Audits For onsite audits, the notification email will schedule an initial meeting and outline audit expectations. Audit Process The audits will focus on particular compliance aspects of Privacy, Security, and Breach Notification Rules. The audit topic focus may vary based on the type of Covered Entity selected for audit. Audit candidates will be advised of specific audit topics in a document request letter. Desk Audits Organizations selected for a desk audit will be required to provide the requested information via an OCR website audit portal. OCR auditors will review the information submitted and create a draft report which will outline a summary of audit protocol and provide an overview of audit discoveries and conclusions. The draft report will be provided to the audited organization, who will then have 10 business days to review and return the draft with written comments. The final report will be completed within 30 days of OCR s receipt of the organization s response, and will include the organization s written responses to the draft findings. Audited organizations will be provided with a copy of the final report. Please note that while in-person visits during a desk audit are expected to be minimal, audited organizations should still be prepared for an onsite visit should OCR deem it necessary to do so. Onsite Audits Onsite audits will be conducted over a pre-scheduled 3-5 day period, and will cover a more comprehensive scope of Privacy, Security, and Breach Notification Rules. Similar to the desk audits, the audited organization will have 10 business days to review the draft report and submit written comments to the OCR auditor. The final report will be completed within 30 days of OCR s receipt of the organization s response and will include the organization s written responses to the draft findings. Audited organizations will be provided with a copy of the final report. 8
Anticipated Audit Failure Rate Because this OCR initiative is still in the early stages, meaningful statistics have not yet been generated. However, based on the broad scope of potential audit topics, (requirements and implementation specifications from 180 HIPAA Privacy, Security and Breach Notification audit items) and OCR s stanch audit objectives outlined earlier in this document, indications point to substantial failure rates. Anticipated Audit Failing Points Again, because this OCR initiative is still in the early stages, meaningful statistics have not yet been generated. However, based on typical Gap Analysis and Risk Assessment findings from BlueOrange Compliance, some anticipated audit failing points are: Failure to execute Business Associate Agreements; Improper disclosure of PHI; Failure to conduct Risk Assessments; Insufficient evidence of an active risk management plan; Lack of documentation for, or inconsistently enforced, HIPAA required policies and procedures; Inadequate security awareness training for required personnel; Failure to document and employ Breach detection, assessment, mitigation and reporting processes. If You Fail OCR may initiate a compliance review to investigate any serious compliance issues identified in the audit report. If You Pass Passing the OCR audit demonstrates that your organization operates within a basic compliance framework, but it does not necessarily mean you are HIPAA compliant. OCR audit protocol assesses compliance at a very high level, and therefore passing this audit does not necessarily ensure you would pass a HIPAA audit. Moreover, passing the OCR audit does not make you immune to cyber threat, security breaches, risky end user practices, or assure that your security controls are in front of emerging threats. Best Legal and Ethical Strategy Healthcare providers are legally and ethically obligated to ensure patient privacy, and the complexity of HIPAA Security, Privacy and Breach Rules should not be under-estimated. Complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to achieve and maintain compliance. It can be very challenging to test, analyze and remediate your own security and privacy vulnerabilities without interrupting your day to day business operations. Consider hiring a compliance partner that specializes in HIPAA Security, Privacy and Breach Rules. A good compliance partner will help you navigate the process, and design a customized approach based on your organization and tailored to meet your specific regulatory requirements and state statutes. 9
Best Practices for Audit Readiness Privacy Rule Best Practices Conduct a Thorough Gap Analysis. Review policies, procedures and processes to make sure they are updated, consistently enforced and that documentation is available. HIPAA Privacy compliance calls for covered entities using or disclosing PHI to provide a Notice of Privacy Practices to patients, create and enforce internal privacy policies and procedures, implement employee training on those procedures, and maintain various logs, forms, and reports to provide proof they are ensuring compliance as ensure and required appears multiple times in the regulations. Appoint a Privacy Officer. The HIPAA Privacy Rule requires covered entities to designate an individual to oversee privacy compliance and respond to privacy-related complaints as well as establish and ensure privacy requirements with contracted Business Associates. Security Rule Best Practices Conduct regular HIPAA Security Risk Assessments. Thorough and accurate security assessments will address all applicable areas of your organization within scope of the 60+ HIPAA Security Rule components, and a thorough review or gap analysis of Privacy and Breach requirements will identify areas which need to be addressed. Implement an Active Security Plan. A good security plan is a product of a good risk assessment. The plan should clearly state gaps identified in the risk assessment along with assigned resources and projected completion dates. Aside from thorough content, each organization must actively manage the plan and demonstrate that reasonable remediation progress is being made. Note that open remediation items are still potential violations and can produce negative consequences in the event of a HIPAA audit, so move as quickly as possible. Evaluate Third Party Agreements. Evaluate the agreements, requirements and practices you have in place with 3rd party IT service providers and other Business Associates. It is critical to confirm that Business Associate agreements are in place, are HIPAA compliant, and are being consistently reviewed. Encrypt your EPHI. Encryption prevents sensitive information from being compromised in transit or at rest. It should be noted that in a potential breach event (compromise of privacy or security of PHI), the burden of proof is placed on the organization to systematically prove a low probability that the information was compromised. Simply said, Guilty unless proven innocent. Conduct Frequent Vulnerability and Penetration Testing. Penetration testing can identify and exploit vulnerabilities in an effort to determine the likelihood of real-world threats against an organization s IT assets and physical security. Successful testing will simulate the practices and methods of external or internal agents attempting unauthorized data access. Immediately address and correct all security gaps identified in the testing. Invest in Employee Security Awareness Training. Employee carelessness, forgetfulness and/or lack of knowledge can create a huge gap in an otherwise secure setting. Make sure your employees understand the mechanics of spam, phishing and malware. Test the success of your training by initiating your own internal phishing expeditions to attempt to solicit information from your employees. Hackers often masquerading as a trustworthy entity, such as an organization s CEO, to prey on unsuspecting or unknowing employees who they hope are too busy to pay attention to the details. 10
Breach Reporting Rule Best Practices Enforce Breach Administrative Requirements. Ensure your organization closely adheres to Breach requirements for training, complaint management, sanctions, prohibition of retaliatory acts and waiver of rights. Maintain Breach Policies and Procedures. Ensure all items have documentation and are fully operational. This includes policies, procedures and documentation for Breach definitions, notification to individuals, and timeliness, content and method of notifications. Best practice for HIPAA Breach compliance includes assessment, detection and mitigation of the disclosure of protected health information on an as needed and continuously available basis. Maintain Burden of Proof Documentation. Ensure updated and available documentation demonstrating Breach detection, assessment, mitigation and reporting processes. Breach notification is required if protected health information is disclosed in a manner not permitted under the Privacy Rule. All such occurrences are presumed to be a breach by default, and the burden of proof is on the Covered Entity to prove a low probability and/or non-actionable likelihood of protected health information having been compromised. BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com. 11