Steps to prep for phase 2 OCR audits
Summer vacation will have to wait: That’s because it’s audit season for the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Last year, OCR completed its first round of audits under the HITECH Act, and most covered entities (CEs) failed dismally. For instance, only 11 percent of the 115 organizations audited had no “findings” or “observations” (failures or weaknesses in meeting requirements), and OCR determined that the most common cause of a finding or observation was that the CE was entirely unaware of the requirement.
As OCR begins the next round of audits in Fall 2014, CEs and, later, their business associates (BAs) need to prepare by not only understanding but meeting the requirements in the areas of privacy, security, and breach notification, because pleading ignorance will not be a defense when OCR comes to call.
To start phase 2, between 550 and 800 organizations chosen for potential audits will be asked to complete an online pre-survey. By fall, OCR is expected to send audit notifications and extensive data requests to approximately 350 CEs, who will then have two weeks to respond with information about their operations and lists of their BAs. Audits of Business Associates will begin in 2015.
Different CEs will be audited on different aspects of compliance: privacy, breach notification, or security.
OCR used the phase 1 results to shape the phase 2 audits, so this year’s bunch will specifically target HITECH provisions that were high sources of compliance failures in the pilot program, according to Rebecca Williams, co-chair of Health Information at Davis Wright Tremaine.
Two tips for passing an audit
The best way to pass an OCR audit, according to Williams, is to set your house in order before you get a visit (virtual or otherwise) from the auditor. In other words:
- Make sure requirements are met before you’re targeted for an audit, and
- “Document, document, document!”
Williams points out that there’s no cramming for the OCR audit final exam: compliance policies and processes developed after the audit notice won’t count. She recommends these measures to ensure that your organization can show a history of compliance prior to the audit:
- First and foremost, be informed. Know the HITECH requirements. Update your privacy policies and procedures to reflect the Omnibus Rules and make sure you have documentation to prove they are being followed; make sure you have a risk analysis and risk management measures in place (two thirds of the CEs audited in phase 1 didn’t, so this is sure to be an area of focus); and consider purchasing comprehensive tools to help you implement the required incident management process and to demonstrate compliance with your burden of proof under the breach notification rule.
- Review the audit protocols, which are available on the OCR website, and consider conducting your own audit, using internal resources or outside consultants, or an attorney-directed investigation, to identify compliance gaps.
- Be ready with a list of current business associates and their contact information. Work with your BAs ahead of time to be sure they are also aware of the requirements and ready for a potential audit. “Your goal,” Williams points out, “is to develop and maintain a culture of compliance throughout your business ecosystem.”
Williams’ second admonition, to document and over-document, is also critical, because with the desk audits, “there will be only one chance to get it right.” OCR auditors will only review requested data that is submitted on time, and all documentation must be current as of the date of the request.
Auditors will likely not ask for clarification, so make sure documentation is clear and complete. Williams suggests including a cover letter mapping out your documentation for an auditor, so that they know what they’re looking at. She also cautions against including extraneous information; auditors don’t want to wade through it, and the more information you give beyond what’s requested, the more chances an auditor has to find compliance gaps.
With the audit protocols published on its website, OCR considers phase 2 to be an open-book test, and auditors are going to take a dim view of covered entities that are unaware of the privacy, security, or breach notification requirements, or that are not prepared for the audit.
If your organization is called, Rebecca Williams admonishes, “Respond! If you don’t respond correctly and on time, you’re leaving yourself open to a full compliance review instead of just an audit.”
And with that, you can definitely kiss that summer vacation goodbye.