A letter from the Department of Health and Human Services’ Office of Civil Rights (“OCR”) announcing an audit of an organization and requesting documents or information is never a welcome sight, but lately more and more Covered Entities (healthcare providers and plans) have been receiving them. While an organization may ultimately withstand the close scrutiny of an auditor and emerge relatively unscathed by penalties, sanctions, legal fees and mandated correction plans, the best way to mitigate the risks of an OCR audit is to ensure that the organization’s policies, procedures, and documentation are consistently reviewed and updated to address a potential auditor’s current concerns.
OCR audits continue to focus heavily on policies and procedures and on workforce training. Therefore, it is essential that an organization clearly document its policies and procedures, provide workforce training on those policies and procedures periodically to all employees and during the onboarding process for new employees, and document employee attendance at such trainings. OCR audits also address the breadth and frequency with which an organization performs a risk analysis. Specifically, the most recent audits have focused on the documentation of periodic risk analyses that include penetration tests and address an organization’s protection against common threats, malware and other highly publicized vulnerabilities like Heartbleed. Finally, while OCR audits may not, at present, focus on a Covered Entity’s choice of Business Associate (i.e., due diligence in examining the Business Associate’s security protocols before engaging the Business Associate), the information safeguards and activities of Business Associates are still key components of an audit, especially if the audit is the result of a potential breach by a Covered Entity’s Business Associate. As such, organizations should review their Business Associate Agreements to ensure that the agreements comply with regulations and adequately allocate risks and responsibilities between the Covered Entity and the Business Associate.
As OCR audits over the years have made clear, HIPAA is not a “set it and forget it” regulatory scheme. Audits are increasing in frequency and will increase further as more healthcare data is exposed through cyber-attacks. Should you have questions about HIPAA policies and procedures or about complying with an audit, please contact Kenneth N. Rashbaum.