The Office for Civil Rights is currently auditing Covered Entities and Business Associates to assess compliance with HIPAA mandated processes, controls, and policies. Nursing facilities, LTC pharmacies, senior living organizations, homecare, hospice and business associates are all part of the audit pool. Organizations selected for an audit will have 10 business days to provide the requested audit information. Could your facility respond in 10 days?
Once an audit target has been selected, OCR will identify a subset of audit topics from among the 180 potential audit items. Since a healthcare facility has no way of knowing which of the 180 topics OCR will select, it is best to be prepared to demonstrate compliance with all 180 topics, and be prepared to do so with 10 days’ notice!
This OCR initiative is too new to have generated any meaningful statistics on how well healthcare facilities are likely to fare during an audit. However, based on the broad scope of potential audit topics, and OCR’s stanch audit objectives, indications point to substantial failure rates.
Using our typical Gap Assessment and Risk Analysis findings, some anticipated audit failing points are:
Failure to execute Business Associate Agreements;
Improper disclosure of PHI;
Failure to conduct Risk Analyses;
Insufficient evidence of an active risk management plan;
Lack of documentation for, or inconsistently enforced, HIPAA required policies and procedures;
Inadequate security awareness training for required personnel;
Failure to document and employ Breach detection, assessment, mitigation and reporting processes.
Here is the bottom line: If your facility is not currently compliant with the requirements and implementation specifications of HIPAA Privacy, Security and Breach Notification Rules, 10 days will not be enough time to make any significant improvements.
The complexity of HIPAA Rules should not be underestimated. Complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to achieve and maintain compliance.
Moreover, it can be very challenging to test, analyze and remediate your own security and privacy vulnerabilities without interrupting your day to day business operations. Going forward, consider hiring a compliance partner that specializes in HIPAA Security, Privacy and Breach Rules.
For more information on OCR audit protocol, or to learn about the actual audit process, anticipated failing points and best practices for audit readiness, download our OCR Audit eBook.
John DiMaggio is the CEO at Blue Orange Compliance.