Preparing Your Healthcare Enterprise for Phase 2 OCR Audits
Earlier this year, MRO published a white paper, A Proactive Approach to PHI Disclosure Management: Strategies to Prepare Your Healthcare Enterprise for Phase 2 Audits. In the white paper, we shared the most up-to-date information about Phase 2 of the Office for Civil Rights (OCR) HIPAA compliance audits and offered tips to prepare for them by implementing an enterprise-wide approach to disclosure management.
While OCR’s widely anticipated Phase 2 audits are still pending, there has been some activity since publication of the white paper. Here are some updates:
AHIMA’s June 4, 2015 E-Alert quoted from a FierceHealthIT article that pre-audit screening questionnaires had been sent to potential Covered Entity (CE) auditees. In preparation for an MRO presentation at the MSHIMA annual convention, we reached out to an OCR contact, who replied on June 12, 2015 via email: “The report is misleading. OCR has started verifying contact information of CEs. Pre-audit screening questionnaires have not been sent out.”
We also contacted attorney Adam Greene, a nationally recognized authority on HIPAA and the HITECH Act, who provided a link (look for the survey PDF titled “Survey 03 13 2015” under “Instrument File”) to the screening questionnaire. The web page suggests they are seeking 500 respondents.
OCR’s presentation at the HCCA Compliance Institute in April confirmed that “desk audits” will focus on privacy, security and breach notification. The speaker also emphasized that the OCR will conduct onsite audits, as funds permit, in addition to desk audits. Key focuses by audit type are expected to be:
- Privacy Rule audits: Notice of Privacy Practices and Patient’s Right to Access
- Breach Notification audits: Breach Notification Policy, Breach Notifications to Patients, instances where Breach Risk Assessment concluded no breach, and timeline from discovery to notification
- Security Rule audits: Security Risk Analysis and Risk Management Plan
It’s important to remember that complaints can trigger an investigation that may lead to full-scale audits. Be ready for an onsite audit by reviewing the protocol on OCR’s website. The website states: “Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule.” OCR is reportedly working on the audit protocol update now. Another task they are tackling is a method for sharing penalty amounts with harmed individuals. We suspect the possibility of a payout will encourage more people to file complaints with the OCR.
What steps can you take now to prepare?
- Make sure all documentation is up-to-date
- Implement an enterprise-wide PHI disclosure management strategy
- Invest in security technologies
- Train your workforce (we can help)
The Ponemon Institute’s 2015 State of Endpoint Report: User-Centric Risk states that 78 percent of organizations cited employee negligence as the biggest security threat. Privacy and security compliance and breach prevention training are critical. It’s also key to make sure employees fully understand your policies and procedures for PHI disclosure. If an onsite auditor wants to evaluate your privacy and security culture, he’ll solicit information from non-management staff, not just from the compliance team.
To learn more about OCR audits and tips for audit preparation, download our white paper today.