Government & Policy

Steps to prep for phase 2 OCR audits

By Rick Kam
July 21, 2014
08:03 AM

Summer vacation will have to wait: That’s because it’s audit season for the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Last year, OCR completed its first round of audits under the HITECH Act, and most covered entities (CEs) failed dismally. Only 11 percent of the 115 organizations audited had no “findings” or “observations” (failures or weaknesses in meeting requirements), for instance, and OCR also determined that the most common cause of findings or observations was that the CE was entirely unaware of the requirement.

As OCR begins the next round of audits, beginning in Fall 2014, CEs and later, their business associates, need to prepare by not only understanding but meeting requirements in the areas of privacy, security, and breach notification, because pleading ignorance will not be a defense when OCR comes to call.

[Related: Is HIPAA lulling health orgs into a false sense of security?]

To start phase 2, between 550 and 800 organizations chosen for potential audits will be asked to complete an online pre-survey. By fall, OCR is expected to send audit notifications and extensive data requests to approximately 350 CEs, who will then have two weeks to respond with information about their operations and lists of their BAs. Audits of Business Associates will begin in 2015.

Different CEs will be audited on different aspects of compliance: privacy, breach notification, or security.
OCR used the phase 1 results to shape the phase 2 audits, so this year’s bunch will specifically target HITECH provisions that were high sources of compliance failures in the pilot program, according to Rebecca Williams, co-chair of Health Information at Davis Wright Tremaine.

Two tips for passing an audit
The best way to pass an OCR audit, according to Williams, is to set your house in order before you get a visit (virtual or otherwise) from the auditor. In other words:

  1. Make sure requirements are met before you’re targeted for an audit, and
  2. “Document, document, document!”

Williams points out that there’s no cramming for the OCR audit final exam: compliance policies and processes developed after the audit notice won’t count. She recommends these measures to ensure that your organization can show a history of compliance prior to the audit:

  • First and foremost, be informed. Know the HITECH requirements. Update your privacy policies and procedures to reflect the Omnibus Rules and make sure you have documentation to prove they are being followed; make sure you have a risk analysis and risk management measures in place (two thirds of the CEs audited in phase 1 didn’t, so this is sure to be an area of focus); and consider purchasing comprehensive tools to help you implement the required incident management process and to demonstrate compliance with your burden of proof under the breach notification rule.
  • Review the audit protocols. They are available at the OCR website, and consider conducting your own audit, using internal resources or outside consultants, or conduct an attorney-directed investigation to identify compliance gaps.
  • Be ready with a list of current business associates and their contact informationn. Work with your BAs ahead of time to be sure they are also aware of requirements and ready for a potential audit. “Your goal," Williams points out, "is to develop and maintain a culture of compliance throughout your business ecosystem.”

Williams’ second admonition, to document and over-document, is also critical, because with the desk audits, “there will be only one chance to get it right.” OCR auditors will only review requested data that is submitted on time, and all documentation must be current as of the date of the request.

Auditors will likely not ask for clarification, so make sure documentation is clear and complete. Williams suggests including a cover letter mapping out your documentation for an auditor, so that they know what they’re looking at. She also cautions against including extraneous information; auditors don’t want to wade through it, and the more information you give beyond what’s requested, the more chances an auditor has to find compliance gaps.

With audit protocols published on its website, OCR considers phase 2 to be an open-book test, and auditors are going to take a dim view of covered entities who are unaware of privacy, security, or breach requirements, or those who are not prepared for the audit.

If your organization is called, Rebecca Williams admonishes, “Respond! If you don’t respond correctly and on time, you’re leaving yourself open to a full compliance review instead of just an audit.”

And with that, you can definitely kiss that summer vacation goodbye.

Related articles: 

Healthcare social media policies: Why is NLRB looking at my employee handbook?

ONC and OCR release new HIPAA security tool 

Could Big Data become Big Brother?

Topics: 
Government & Policy

More regional news

HIMSSCast logo

HIMSSCast: Caregiver input needed for allocation of investment dollars

By
Bill Siwicki
November 15, 2024
HHS Building

Trump picks RFK Jr. to lead HHS

By
Susan Morse
November 15, 2024
Sign outside FDA office

Lawmakers ask CDRH to revisit its CDS guidance

By
Andrea Fox
November 15, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Former Georgia Rep. Doug Collins
Trump taps former Rep. Doug Collins to head VA

Most Read

The Light Collective amplifies its call for patient data rights
Clinical IT leaders on meeting CMS' mandate for patient data access
Epic and Oracle Health sign on to Veteran Interoperability Pledge
Texas AG settles with clinical genAI company
Interoperability in healthcare moving forward despite challenges
What Loper Bright and the end of Chevron deference mean for HHS

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Lee Kim at HIMSS_Global Health Equity Week 2024
AI can be leveraged to improve cybersecurity and health equity
Dr. Keisuke Nakagawa at UC Davis Health_Global Health Equity Week 2024
How artificial intelligence is changing the equation for SDOH integration
Andrea Hsu at National Science and Technology Council_HIMSS24 APAC
Fostering health IT innovation through academic-industrial collaborations
Valerie Rogers at HIMSS_Global Health Equity Week 2024
Technology and policy have a role to play in improving maternal health

More Stories

Mike Relli at Knight Consulting_Global Health Equity Week 2024
New approaches to improving healthcare access for justice-impacted individuals
HIT professional reviews information on a laptop outside a server room
ASPR seeks feedback on public health orgs' cybersecurity needs
Gabriel Jones of Proprio on AI
Artificial intelligence is enabling big advances in surgery
Pharmacist sorting pills
Deploy RFID technologies to streamline controlled substance management
Healthcare workers in a meeting
Prioritizing cost management at U.S. healthcare systems: Keys to better margins
Jill Brewer at HIMSS_Healthcare Cybersecurity Forum 2024
What's the weakest link in organizational cybersecurity? Not what you might think
Richard Staynings at the University of Denver_Healthcare Cybersecurity Forum 2024
The challenges of safeguarding healthcare's 'data ocean'
Avihai Sodri of Antidote Health on telemedicine
How virtual-first can improve outcomes and make care more affordable