OCR: Be prepared for HIPAA audits

'The onus is on you to prove you had the proper systems in place.'
By Tom Sullivan
04:03 PM
It pays to be ready when it comes to HIPAA compliance audits.

When the Office for Civil Rights knocks on your door asking about HIPAA compliance, it pays to be ready. And OCR is looking to audit providers of all sizes, from large to small, across a wide geographic distribution.

That’s according to OCR’s senior advisor for health information privacy, Linda Sanches. Speaking at the HIMSS Media and Healthcare IT News Privacy and Security Forum in Boston on Tuesday, Sanches told attendees that her best piece of advice for preparing for audits is to actually be in compliance and to conduct a comprehensive risk analysis.

“If you don’t do a periodic risk analysis,” Sanches explained, “you won’t know where you stand.”

[See also: HIPAA data breaches climb 138 percent.]

While that advice may seem patently obvious, it’s something myriad healthcare organizations are still wondering about. One attendee, in fact, asked Sanches whether they really need to conduct a risk analysis before an audit, or whether it makes more sense to wait.

Who to audit or investigate, and how much to fine
Sanches acknowledged that performing such an analysis requires heavy lifting, but said it’s better to have one in hand than to scramble to pull it together come audit time.

What’s more, Sanches added that when deciding whether or not to audit a provider or investigate a reported breach, OCR looks for patterns. So if the office receives information that a given provider has had several similar breaches and appears not to be doing anything about them, that kind of evidence, suggesting the provider is not in compliance or does not have proper procedures in place, would weigh heavily in OCR’s decision.

“The onus is on you to prove you had the proper systems in place,” Sanches explained. “If you did a comprehensive risk analysis and took the necessary steps, that’s what you need to show us.”

[See also: Breach alert: Hackers swipe data of 4.5M.]

Organizations that fail to do so are ripe not only for investigations but also for settlement fines, which range from, say, $215,000 on the low end right up into the millions of dollars. Many industry observers are curious as to how the recent Community Health Systems breach, involving some 4.5 million patient records, will play out in terms of a fine.

The factors in determining the size of a fine are laid out in OCR’s rule, Sanches said, including how much harm was done and how many provisions were violated.

“The sky is not the limit,” Sanches said of fine totals. “It’s basic math. How many people were affected?”

When do the audits start?
Sanches’ advice comes at a time when many in the industry are eagerly awaiting answers to a pair of basic questions: How many covered entities and business associates does OCR intend to audit — and when will it all begin?

OCR originally planned to conduct 400 desk audits and “a large number of on-site audits,” Sanches said. Now it is looking at “fewer than 200 desk audits.” She did not confirm a specific number of on-site audits for covered entities, but said another wave of business associate audits will follow those.

As for when OCR will kick off the audits, Sanches said she had hoped to announce that date on Tuesday, but OCR just isn’t ready yet.

“Stay tuned,” she said.

Gus Venditto, HIMSS Media vice president of content, contributed to this report.