AHLA 2014 Fraud & Compliance Forum Outlines Current HIPAA OCR Audit Risks

January 30, 2017

What’s on the horizon for health care entities from government HIPAA oversight?

That was the focus of several sessions at the American Health Lawyers Association (AHLA) forum I attended in Baltimore last week, where presenters outlined what the latest Office for Civil Rights (OCR) plans are to enforce the HIPAA Privacy Rule.

Here are some key takeaways:

  • Phase 2 of the OCR audits is on the way, but likely won’t start until 2015.
  • The OCR is using data from its pilot program to focus on risk areas.
  • The first audits will likely focus on evaluating Risk Assessment (RA) policies and programs, notice of privacy practices and patient access rights, and compliance with the breach notification rule.
  • Future rounds of audits, likely kicking off in 2016, would target device and media controls, transmission security and training programs.

Use the delay to get prepared 

Several of the AHLA presentations focused on bringing attendees up-to-date on OCR audit plans and what to focus on to prepare for the audits. Right now the OCR is building a new web portal to streamline how requested audit information is delivered. While the original plan was to focus heavily on desk audits, it appears that Phase 2 may end up including more comprehensive on-site audits than initially expected, including audits of business associates of health care entities.  

The OCR has plans to survey 800 covered entities and 400 business associates and, from that pool, select 350 covered entities and 50 business associates for audit. This is almost a 400% increase in audit coverage from the pilot audit program. All covered entities will be asked for an inventory of their business associates and their contact information. The list of business associates and accurate contact information may take a while to assemble, so the delay should be used to get this data in order along with updating your RA.

The web portal will help the OCR get more efficient, and that means health care entities need to get more efficient at assembling, organizing, and updating key audit data. The turnaround time for submitting audit data is just ten days. Unlike the pilot program, there will not be an opportunity to update submissions, so be very thorough in submitting your compliance evidence.

Information from the pilot program shows significant audit issues 

Several presentations emphasized OCR’s high-level summary findings from the pilot audit program:

  • Only 11% of the audited entities did not have a finding or observation
  • Covered entities struggled the most with Security Rule compliance
  • Health care providers had more findings and observations than health plans or health care clearinghouses
  • Small organizations, regardless of type of organization, had the most findings and observations

Phase 2 to continue focusing on risk assessment policies and programs

RA can be a pitfall for many entities. It’s not enough to just check the box; the government wants documentation about every part of it:

  • Who did it and what are their qualifications?
  • Is it regularly updated on a timely and scheduled basis?
  • Is it being updated to reflect operational changes and new systems?
  • Is it supported by documented policies and workforce education?

Many entities were found to have no risk assessment, an out-of-date risk assessment or an inadequate risk assessment during the pilot audit program. This is a big risk. Many large settlements involving security breaches cited an inadequate risk assessment process as a contributing factor in the breach. Make sure you are looking beyond just identifying risks and focus on an ongoing risk management process to gradually close as many risk areas as you can. Security Rule compliance has been a requirement for 8+ years now, so there is an expectation that many “addressable” parts of the Security Rule should be implemented.

The OCR has released model notice of privacy practices documents, so make sure to visit their website and compare what you are using. You should have an easy-to-read and understandable document that you have posted and provide to new patients, and have copies available if requested. If you have a website, the notice should be available there as well.

If you have had any breach incidents, make sure you can prove compliance with the notification rule. Also make sure that any policies have been updated for the change from the “risk of harm” threshold to the “low probability of compromise” threshold in assessing whether a breach has occurred. Pay special attention to media notice requirements and alternate notification requirements when mailed notices are returned undeliverable.

Be ready to prove compliance with these and other HIPAA requirements in case you end up in the audit pool. While no fines or penalties have been announced as a direct result of the OCR audit program, entities with significant compliance gaps can be referred for a full-blown investigation, which could result in significant enforcement actions.

Taking action

Getting your HIPAA materials organized and your RA updated is the first priority. If you are compliant but your evidence is scattered between departments, that could put you at risk during the audit process. With only 10 days to respond to an audit request, take steps now to ensure you have compliance evidence readily available. Make sure you have evidence of training and current policies and procedures gathered, and keep them fresh as updates are made.

Finally, it’s not just HIPAA fines and penalties at stake if you do not have your RA in order. Other federal incentives, such as meaningful use money a provider has received for Electronic Health Records (EHR), could be at risk too. Your reputation in the community could also suffer if a lack of security around Protected Health Information (PHI) is discovered in an audit, not to mention the effect on patients if their PHI is compromised.

Comment:

NC Public Schools need a thorough audit, as well as all Counties DSS including CPS Departments in DC, individually and collectively together.