On June 10, 2011, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) awarded KPMG a $9.2 million contract to develop a pilot HIPAA audit program mandated under the HITECH Act of 2009 to ensure compliance with the HIPAA Privacy and Security Rules and Breach Notification standards.
Between November 2011 and December 2012, the OCR will audit up to 150 covered entities.
WHAT IS MY RISK?
OCR has made clear that enforcement actions may follow audits revealing significant HIPAA Security compliance issues. In recent years, OCR has stepped up its enforcement activity:
- Massachusetts General Hospital. $1 million settlement and three-year Corrective Action Plan for loss of Protected Health Information (PHI) by an employee. (February 2011)
- Cignet Health. $4.3 million penalty for refusing patients access to their medical records. (February 2011)
- UCLA Health System. $865,000 settlement and three-year Corrective Action Plan for allowing unauthorized access to patient medical records. (July 2011)
WILL MY ORGANIZATION BE NEXT?
The initial HIPAA audit program is focused on HIPAA-covered entities (i.e. health care providers, health plans and health care clearinghouses). With 150 audits planned and an aggressive timeline, covered entities should not be surprised to receive an audit request.
WHAT WILL THE ON-SITE VISIT LOOK LIKE?
- Interviews with key organizational leaders;
- Scrutiny of physical operations controls (i.e. storage, maintenance and use of PHI);
- Assessment of how well organizational policies and procedures meant to protect PHI are implemented in practice by the organization;
- Identification of areas of concern with respect to general regulatory compliance.
WHAT WILL THE AUDITORS FOCUS ON?
OCR has not yet released a set of audit questions. In May 2011, however, the HHS Office of Inspector General (HHS-OIG) issued a report based on the agency’s audits of seven hospitals across the country. The report identified a number of vulnerabilities, which are likely to be high on OCR’s list of priorities. Areas of vulnerability included:
- Inadequate security of wireless networks;
- Lack of adequate updates to software and operating systems;
- Access log recordkeeping;
- Insufficient incident detection and response procedures;
- Inadequate user access controls and password management controls;
- Risk of theft or loss of mobile devices; and
- Information access management, including role-based access.
The HHS-OIG report also placed particular emphasis on so-called “high impact” vulnerabilities. The vast majority of high impact vulnerabilities related to lacking or insufficient technical safeguards (i.e. insufficient wireless access control, audit control, integrity control, and person or entity authentication and transmission security). We expect that OCR auditors will focus attention on these high impact vulnerabilities.
HOW SHOULD MY ORGANIZATION PREPARE?
The HHS-OIG report provides a good starting point for identifying vulnerabilities that may be the focus of the OCR audits. Developing a work plan and reviewing your operations in light of the vulnerabilities identified in the report may help reduce the risks of adverse findings in an audit. To help you in this effort, our Health Care Privacy and Data Security attorneys have developed the attached checklist.
Your preparation should also include:
- a review of your policies and procedures to ensure compliance with the HIPAA Security Rule;
- a review and update as necessary of your organization’s risk assessment plan;
- updates to your privacy and security safeguards and implementation of corrective actions where necessary; and
- updates to your training and workforce education materials as necessary.
IDENTIFYING POTENTIAL VULNERABILITIES
By December 2012, OCR plans to audit up to 150 covered entities. To help you and your organization prepare, our Health Care Privacy and Data Security attorneys have developed the following checklist.
If you answer “No” or “I Don’t Know” to one or more of these questions, we encourage you to contact counsel to help your organization conduct a thorough assessment.