Beyond the Basics: What Covered Entities and Business Associates Need to Know About OCR Security Audits

Posted on November 20, 2014 I Written By

The following is a guest blog post by Mark Fulford, Partner in LBMC’s Security & Risk Services practice group.
Mark_Fulford_Headshot
The next round of Office for Civil Rights (OCR) audits are barreling down upon us, and many healthcare providers, clearing houses and business associates—even ones that think they’re prepared—could be in for an unpleasant surprise. If the 2012 round of OCR audits is any indication, the upcoming audits will most likely reveal that the healthcare industry at large is still struggling to figure out how to implement a compliant security strategy.

Granted, HIPAA regulations are not always as prescriptive as some might like. By design, HIPAA incorporates a degree of flexibility, leaving covered entities and business associates to make decisions about their own approach to compliance based on size, budget, and the risks that are unique to their operations.

But the first round of OCR audits indicated that many healthcare organizations had not even taken the first step in initiating a security compliance strategy—two-thirds of the covered entities had not performed a complete and accurate risk assessment to determine areas of vulnerability and exposure. Apparently, these entities were not necessarily unclear on HIPAA regulations; they simply had not yet made a serious effort to comply.

Out of the 115 entities audited, only 13 had no findings or observations (11%). This time around, the expectation will be that covered entities and business associates will have taken note of the 2012 audit findings, and that the effort to comply will be much improved.

All covered entities and business associates may be subject to an OCR audit. If you have not yet conducted an organizational risk assessment, now would be the time to do so. The OCR provides guidelines, and you can also reference the Office of the National Coordinator for Health Information Technology (ONC) and standards organizations like the National Institute of Standards and Technology (NIST). Additionally, the OCR has released an Audit Program Protocol to help you better prepare.

Five Key Areas to Address for OCR Audit Preparation

Based on our experience in the healthcare industry and consistent with the 2012 OCR Audit findings and observations, here’s how you can prepare for the upcoming OCR audits:

  • Know where your data resides. Many organizations fail to account for protected health information (PHI) in both paper and electronic forms. Between legacy systems (where data might be not well-indexed), printed copies (data could be abandoned in a desk) and mobile device use (data could be anywhere), large volumes of at-risk data is often floating around in places it shouldn’t be. In the first round of OCR audits, issues with security accounted for 60% of the findings and observations. To avoid falling into that trap, do a thorough inventory of your PHI and make decisions on how to handle and store it going forward.
  • Review business associate agreements. Business associates were not included in the 2012 OCR audits, but they will be this time around. If any of your business associates are found to be non-compliant, you will most likely be included in the subsequent investigation. Ask your accounting and IT departments to prepare a list of all third parties with whom you share PHI. Make sure your agreements are up-to-date and that your vendors are making good faith efforts to be in compliance. Due diligence can be accomplished through the use of questionnaires, your own audit, or a third-party assurance (e.g., a Service Organization Control (SOC) or a HITRUST report). And if you are a business associate, be aware that you, too, could be selected for an audit.
  • Establish a monitoring program. Your system, firewall and antivirus/antimalware software all regularly log system events. But beyond logging data, HIPAA dictates that you actively review the data to identify suspicious activity. If you haven’t already, assign an individual the task of reviewing your data for anomalies. Also, plan on conducting regular sweeps of the office to make sure that all printed documents are being stored and disposed of properly.
  • Identify breach reporting procedures. The Omnibus HIPAA rule has since updated the breach reporting requirements that were first outlined in HITECH. Make sure your breach reporting procedures are compliant with the most recent standards. While the 2012 OCR audits reported only 10% of their findings associated with the Breach Rule (as opposed to 30% and 60% associated with the Privacy and Security Rules respectively), failure to have a compliant breach reporting process could be a major problem if you are audited.
  • Schedule Staff Training. Most breaches are the result of human error. HIPAA requires that regular security training and security reminders be an integral part of your healthcare compliance strategy. Twenty-six percent of the Administrative Requirements findings and observations in the 2012 OCR audits involved training issues. Don’t assume that your employees know how to handle sensitive data. (Even if they do, it’s easy to forget.) Constant reminders create a culture of accountability that holds each individual responsible for protecting patients’ confidential health information.

While OCR audits give the OCR an opportunity to step up enforcement of HIPAA rules, anyone can register a complaint against you at any time. Thorough preparation for the upcoming OCR audits not only ensures that you will pass one if you are selected, it also protects you from breach, patient complaints, and general loss of public trust and good will.

About Mark Fulford
Mark Fulford is a Partner in LBMC’s Security & Risk Services practice group.  He has over 20 years of experience in information systems management, IT auditing, and security.  Marks focuses on risk assessments and information systems auditing engagements including SOC reporting in the healthcare sector.  He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).   LBMC is a top 50 Accounting & Consulting firm based in Brentwood, Tennessee.