It's one thing to know which hot buttons can trigger a visit from OCR. But according to Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar & Associates, organizations should also know what to expect if they're chosen to undergo an audit -- and know how to prepare for one.
Apgar and Sher-Jan outline six things to know about an OCR/HIPAA audit.
1. If everything is in order, look at an audit or investigation as an opportunity. Apgar, who's recently been conducting training sessions, said an investigation could be looked upon as an opportunity to gain feedback on your privacy and security efforts – presuming you have everything in place. "If you're selected and you've completed your risk analysis, you have policies and procedures implemented, and you can show you're making a good-faith effort, look at it as an opportunity for someone to come in, externally, and help your compliance efforts." He said OCR still intends to "live up to the sport of the enforcement rule," which is informal enforcement, and unless you cross the line into willful neglect, OCR "still wants to work with organizations," said Apgar.
2. Understand the culture of compliance. "There are some specific areas [where] OCR has been wandering around the country and preaching the culture of compliance," said Apgar. This has been happening for the past year and a half and includes policy awareness, training programs, and discussions around incident response and risk analysis. "Those are the areas they're preaching, and the new head of the Office of Civil Rights even highlighted risk analysis in his testimony before Congress," he added.
[See also: HIPAA – An opportunity for continuum of care.]
3. Ignorance isn't bliss – it's willful neglect. In training sessions, Apgar said he highlights what exactly willful neglect entails. It's "knowing you're in violation," or that "you should have known," he said. "Ignorance is not bliss. I asked the question [in a training session], how many people in the room conducted a risk analysis in the last year, and less than a third of their hands went up." That number, Apgar said, was actually more than he's seen in the past, but, essentially, if you haven't conducted a risk analysis by now, you're in trouble. "[It's] been required since April 2005 and is the first requirement in the Administrative Safeguard section of the Rule," said Apgar. "You can't beg ignorance because you should have known, and therefore, you're guilty of willful neglect." Not to mention, he added, if you haven't conducted a risk analysis, there is a higher likelihood of finding yourself in trouble with OCR and not getting meaningful use dollars. "It's a two-edge sword type of problem," he said.
Continued on the next page.
4. There's overlap between undergoing an investigation and undergoing an audit. Sher-Jan referenced an incident at the UCLA Health System and a recent incident at Phoenix Cardiac Surgery to help prove his point. "One of the big things that got UCLA in trouble is they couldn't provide proof of training around privacy and security," he said. "Just to point out, there is a lot of overlap whether you're audited or investigated." Looking at the PCS resolution agreement, he said, the organization was called out on a number of different things and were "in complete ignorance of the privacy and compliance rules," he said. "And that's something to point out [about] UCLA as well," he said. "They didn't have a security official identified, they didn't have a risk analysis, so I'd imagine there were a number of these safeguards that weren't in place." Whether you're being investigated or audited, he continued, there's significant overlap in terms of where OCR looks, "and the more they see you're not in compliance, the more they will dig and the more they will find," he said.
[See also: HIPAA 5010 deadline stays with bit of leniency.]
5. It's all about clean, clear documentation. "One of the things about auditors that makes them happy is good, complete documentation upfront," said Apgar. Having good documentation, he said, will also make them less likely to want to "look under the rug … If you don't have that, they'll get suspicious and turn a little nastier." From a bottom line perspective, said Apgar, organizations should expect a letter from OCR, requesting information within 10 business days. "And that's 10 days since the letter was sent, not 10 days since you receive it," he said. "If you're the CEO, it takes a while for the letter to percolate down, so now you're way behind the 8 ball." Therefore, it's key to have documentation prepared ahead of time, paying attention to programs, policies, procedures, incident response plans and risk analysis. "That all needs to be centralized, so you can quickly grab it and make it available to the auditors," said Apgar.
6. Know auditors can look at anything and everything. The last thing that's important to know, said Apgar, is whether the auditor can look or review patient information. "And the answer is yes, they can because they're working on behalf of the OCR and are in contract with them," he said. "Under the HIPAA regulation, if the secretary, meaning OCR, is investigating or auditing, then they have the right to see anything and everything." In the end, said Apgar, if you're information is up-to-date and in-line with HIPAA rules, you're good to go. "It needs to be current, accurate, complete and not only implemented, but enforceable," he said.
Follow Michelle McNickle on Twitter, @Michelle_writes