It's one thing to know which hot buttons can trigger a visit from OCR. But according to Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar & Associates, organizations should also know what to expect if they're chosen to undergo an audit -- and know how to prepare for one.
Apgar and Sher-Jan outline six things to know about an OCR/HIPAA audit.
1. If everything is in order, look at an audit or investigation as an opportunity. Apgar, who's recently been conducting training sessions, said an investigation could be looked upon as an opportunity to gain feedback on your privacy and security efforts – presuming you have everything in place. "If you're selected and you've completed your risk analysis, you have policies and procedures implemented, and you can show you're making a good-faith effort, look at it as an opportunity for someone to come in, externally, and help your compliance efforts." He said OCR still intends to "live up to the sport of the enforcement rule," which is informal enforcement, and unless you cross the line into willful neglect, OCR "still wants to work with organizations," said Apgar.
2. Understand the culture of compliance. "There are some specific areas [where] OCR has been wandering around the country and preaching the culture of compliance," said Apgar. This has been happening for the past year and a half and includes policy awareness, training programs, and discussions around incident response and risk analysis. "Those are the areas they're preaching, and the new head of the Office of Civil Rights even highlighted risk analysis in his testimony before Congress," he added.
[See also: HIPAA – An opportunity for continuum of care.]
3. Ignorance isn't bliss – it's willful neglect. In training sessions, Apgar said he highlights what exactly willful neglect entails. It's "knowing you're in violation," or that "you should have known," he said. "Ignorance is not bliss. I asked the question [in a training session], how many people in the room conducted a risk analysis in the last year, and less than a third of their hands went up." That number, Apgar said, was actually more than he's seen in the past, but, essentially, if you haven't conducted a risk analysis by now, you're in trouble. "[It's] been required since April 2005 and is the first requirement in the Administrative Safeguard section of the Rule," said Apgar. "You can't beg ignorance because you should have known, and therefore, you're guilty of willful neglect." Not to mention, he added, if you haven't conducted a risk analysis, there is a higher likelihood of finding yourself in trouble with OCR and not getting meaningful use dollars. "It's a two-edge sword type of problem," he said.
Continued on the next page.