Preparing Organizations for OCR Audits and HIPAA Compliance Reports

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched plans to assess covered entities’ compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Pursuant to the Health Information Technology for Economic and Clinical Health Act, HHS is required to audit covered entities’ and business associates’ compliance with the HIPAA privacy, security and breach notification rules. Thus, in November 2011, HHS’ OCR initiated the HIPAA Privacy & Security Audit Program (Audit Program). Under this program, OCR will assess covered entities’ HIPAA compliance risks that were not identified through other mechanisms such as the OCR’s complaint system and formal compliance reviews. OCR will audit a range of covered entities including health care providers, health plans, and health care clearinghouses of various sizes and specialties.[1] The office further anticipates conducting 150 audits by December 2012. Accordingly, providers should understand the OCR’s Audit Program and prepare for potential HIPAA reviews in 2012.

This brief will provide guidance for covered entities to prepare for OCR audits. More specifically, this brief will review the findings of the HHS Office of Inspector General’s (OIG’s) HIPAA Compliance Report to help providers understand their vulnerabilities as they relate to the HIPAA Security Rule. This brief will also discuss OCR’s Audit Program and offer strategies to prepare for the program and facilitate compliance with the HIPAA Privacy and Security Rules.

OIG HIPAA Compliance Report and What it Means for Providers

The OIG published a report titled “Nationwide Rollup Review of the Centers for Medicare & Medicaid Services (CMS) Health Insurance Portability and Accountability Act of 1996 Oversight” (HIPAA Compliance Report) in May 2011. In this report, the OIG assessed OCR’s oversight and enforcement of the HIPAA Security Rule.[2] The OIG audited a sample of seven hospitals and evaluated the adequacy of their security safeguards.

Overall, the OIG identified 124 high-impact vulnerabilities in the hospitals’ security controls, placing electronic protected health information (ePHI) at a higher risk of unauthorized access.[3] The OIG categorized each vulnerability as relating to an administrative, physical, or technical safeguard as defined in the HIPAA Security Rule. Covered entities are required to implement these safeguards for the security of ePHI. According to the OIG report, OCR failed to effectively monitor hospitals’ compliance with the HIPAA Security Rule. Further, OCR did not identify vulnerabilities before the organizations compromised the privacy and security of ePHI. As a result of the findings, the OIG advised OCR to move forward with compliance oversight activities and begin auditing covered entities’ compliance with the HIPAA rules.

Below are key findings from the OIG’s HIPAA Compliance Report that can assist providers in identifying their security risks prior to an OCR audit. The findings are organized into the three risk areas that the OIG focused on in its review: (1) Administrative Risks; (2) Physical Risks; and (3) Technical Risks.

Administrative Risks

Administrative risks refer to vulnerabilities in an organization’s policies and procedures that are established to protect the confidentiality and availability of ePHI. HIPAA requires providers to implement administrative safeguards such as procedures for internal risk assessments, policies to control employee access to ePHI, and contingency plans to secure ePHI during emergencies. During its audits, the OIG identified 11 high-impact vulnerabilities in the administrative safeguards of four hospitals. Specifically, these hospitals had inadequate security management processes to detect and correct their privacy and security risks. In addition, the hospitals did not have formalized procedures to maintain backup copies of ePHI or to restore lost ePHI after an emergency. The OIG also found that hospitals failed to adequately remove network access privileges from employees who were either terminated or transferred from those facilities.

As providers prepare for potential OCR audits, hospitals should identify any administrative risks that may compromise the security of ePHI. Hospitals should review and update their policies and procedures to ensure that there are sufficient controls to protect ePHI from unwarranted access by employees and data loss during emergencies. Providers are then encouraged to educate the appropriate staff on any new and revised policies and procedures.

Physical Risks

Physical risks relate to an organization’s efforts to restrict physical access to health information through information technology systems, filing systems, and storage areas. To meet HIPAA standards, providers must use physical safeguards such as equipping data centers with adequate locks and monitoring the use and location of electronic hospital equipment containing patient information. During its review, the OIG found seven high-impact vulnerabilities in the physical safeguards of three hospitals. Notably, the OIG discovered that one hospital failed to properly secure its data center and radiology backup room where ePHI was stored. The data center and radiology backup room had unlocked doors and windows, increasing the susceptibility and likelihood of security breaches. In addition, several hospitals failed to maintain an inventory of hospital computers with ePHI and to determine whether any computers had been lost or stolen. Further, the OIG found that some hospitals did not establish procedures to securely dispose of hardware with ePHI such as computer tapes and hard drives. These findings demonstrate the need for providers to examine their physical security measures. Providers are encouraged to review their physical safeguards such as locks, computer inventories, and policies and procedures related to ePHI.

Technical Risks

The technical risks discovered by the OIG relate to vulnerabilities in the security of wireless communication and information systems. Providers are required under HIPAA to limit access to ePHI only to persons who require the information to fulfill their employment obligations. Upon reviewing the hospitals’ technical safeguards, the OIG discovered 106 high-impact vulnerabilities within the seven hospitals. Among the identified technical vulnerabilities were outdated Wireless Encryption Protocols, lack of firewalls between wired and wireless networks, and inadequate monitoring of wireless users. These risks increased the hospitals’ vulnerability to wireless data breaches and unauthorized access to ePHI.

The OIG also identified basic security measures that the hospitals failed to employ. Specifically, these measures encompassed improving the integrity of user passwords to domain controllers and servers with ePHI and activating automatic log-off settings on computers containing ePHI. In addition, a majority of the hospitals had not installed anti-virus software on their computers. This poses a risk of unwanted access to ePHI and potential data loss from computer viruses.

Given that the OIG identified a number of technical security risks in its review, the OCR audits will likely focus on entities’ technical safeguards for ePHI. As such, providers should closely review their security controls to ensure wireless connections and information systems are adequately protecting ePHI. Providers should also conduct a thorough examination of their firewalls, internet security controls, and wireless networks, among other safeguards, to identify any weaknesses in their technical security measures.

OCR Audit Objectives and What Providers Can Expect

OCR launched the Audit Program as a pilot study to assess covered entities’ compliance with HIPAA requirements. Based on these assessments, OCR will determine organizations’ key risk areas related to HIPAA and develop tools to minimize compliance risks. The timeline for the OCR audits is outlined below in Table 1.

Table 1: Audit Program Timeline.

Estimated Program Dates[4] | OCR’s Objectives

September 2011 – December 2011 | OCR will:
  • Select 150 covered entities to undergo audit.
  • Notify selected covered entities and request documentation.

December 2011 – April 2012 | OCR will:
  • Conduct an initial round of audits to test the audit protocol.[5]
  • Modify the audit protocol as necessary to improve effectiveness.

May 2012 – December 2012 | OCR will:
  • Finalize the audit protocol.
  • Continue audits with the remaining covered entities.

According to the OCR, providers can expect auditors to perform site visits and conduct interviews with key personnel about the organization’s HIPAA policies and procedures. Auditors will also assess the organization’s processes and operations to further evaluate HIPAA compliance. Subsequent to conducting the audit, auditors will provide a report to the organization outlining the audit process and key findings. The organization will be given an opportunity to raise concerns regarding the findings and present its corrective action plans to remediate identified risks. The final OCR report will note the corrective actions and list the entity’s best practices, if applicable. If OCR discovers significant HIPAA violations during the audits, the organization may face additional compliance reviews, which could subject it to civil monetary penalties, program exclusions, or possible imprisonment.

Ultimately, OCR’s goal is to create a standard audit protocol to improve the implementation and enforcement of the HIPAA Privacy and Security Rules. Once the audits are complete, OCR will review the results to develop tools and best practices which entities may use to enhance their privacy and security measures. OCR also expects entities to address any risks overlooked by the OCR audits and continue their own risk assessments for ongoing HIPAA compliance.

How Providers Can Prepare for OCR Audits

OCR is considering all covered entities for the Audit Program. Thus, all providers are encouraged to take three steps to prepare for an OCR audit: (1) review the HIPAA Privacy and Security Rules; (2) understand the focus for the Audit Program; and (3) apply knowledge to policies and procedures. By employing these actions, providers can improve the privacy and security of their ePHI and minimize their risk for further government investigation.

Step 1: Review the Privacy and Security Rules.

Providers should first familiarize themselves with the HIPAA Privacy and Security Rules, specifically those pertaining to the organization’s services and functions. The organization should understand all of its obligations under HIPAA and ensure that the appropriate staff members are aware of their personal responsibilities. An organization’s knowledge of HIPAA may be outdated, as HHS often issues new regulations and guidance related to privacy and security. Consequently, an organization’s education materials and policies may also be outdated if the organization has not regularly reviewed the HIPAA Privacy and Security Rules.

As a part of this step, organizations should review recent reports and guidance documents on HIPAA compliance released by the government. For instance, OCR issues annual reports to Congress on entities’ compliance with the HIPAA Privacy Rule. These reports offer specific examples of HIPAA privacy breaches and discuss the corrective actions implemented by the entities in response to their breaches. Therefore, understanding the HIPAA Privacy and Security requirements and OCR’s responses to HIPAA violations will be imperative in preparing for the OCR audits.

Step 2: Understand Audit Program’s Focus.

The main focus of the OCR Audit Program is to assess entities’ compliance with HIPAA. As providers assess their own risks, they should focus on the risk areas highlighted in past OIG reports. Providers should examine their internal controls to prevent data breaches and employ the applicable corrective actions discussed in OCR reports for their own organizations. Additionally, providers should note the OIG’s categorization of security risk areas: Administrative, Physical, and Technical safeguards. Providers are encouraged to focus their efforts on improving these safeguards to ensure compliance with HIPAA provisions.

Organizations are also encouraged to consult the OCR website, where the office posts the agenda for audits and goals of the Audit Program. The Audit Program is a “compliance improvement activity.”[6] As such, the program is intended to identify major vulnerabilities in HIPAA compliance and assist OCR in the development of tools that organizations can use to improve their compliance efforts. However, significant compliance issues may lead OCR to conduct a formal compliance review for that organization.

Step 3: Apply Knowledge to Policies and Procedures.

Organizations should be proactive in identifying and addressing their HIPAA compliance risks. After reviewing the HIPAA Privacy and Security rules and determining OCR’s focus for the Audit Program, providers should incorporate their findings into policies and procedures. If an organization finds that there is a HIPAA requirement for which it has no corresponding policy or procedure, it should take steps to develop one. Likewise, if an organization discovers that the trainings and education materials are outdated, it should make the necessary updates and administer new trainings to all appropriate employees.

Overall, the more risks providers can address prior to an OCR audit, the easier the audit process will be for the organization and OCR. This step is particularly important given the risk that OCR may initiate a formal compliance review for an organization with significant issues of noncompliance.

Conclusion

Throughout the course of 2012, various health care organizations will undergo an OCR HIPAA compliance audit. Before facing an OCR audit, organizations have a choice: to be proactive and address their HIPAA compliance risks; or to ignore their compliance issues and risk a lengthy OCR audit and possibly additional compliance reviews. When adopting the proactive approach, providers are encouraged to review the HIPAA Privacy and Security Rules and assess their compliance with those requirements. Providers should also familiarize themselves with the OCR Audit Program and its focus. Finally, providers are encouraged to update their policies and procedures to address their risks within HIPAA compliance. Regardless of whether providers are selected for the Audit Program, these steps will help to significantly improve the privacy, security and integrity of their health information.

OCR Audit Resources
  • Department of Health and Human Services Office of Inspector General.  “Nationwide Rollup Review of the Centers for Medicare & Medicaid Services (CMS) Health Insurance Portability and Accountability Act of 1996 Oversight.”  OAS-A-04-08-05609.  May 2011.
  • “HIPAA Privacy & Security Audit Program.”  The Department of Health and Human Services Office for Civil Rights.  18 Jan. 2012.  <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html>.
  • HCPro.  “OCR Audit Readiness: Prepare for HIPAA Privacy and Security Inspections.”  Audio Conference.  Phyllis A. Patrick, MBA, FACHE, CHC and Kate Borten, CISSP, CISM, speakers; Dom Nicastro, moderator.

[1] OCR will not audit business associates during its first rounds of reviews which are expected to be completed by April 2012.

[2] In 2009, HHS delegated HIPAA Security oversight authority from CMS to OCR.  Thus, the OIG’s May 2011 report assessed OCR’s oversight of the HIPAA Security Rule.

[3] The OIG used the “Magnitude of Impact Definitions” as outlined in the “National Institute of Standards and Technology Special Publication 800-30.”

[4] The dates in Table 1 are derived from the chart on the OCR website for the Audit Program in the section, “When Will Audits Begin?”  <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html>.

[5] During the initial round of audits, OCR will not audit business associates.

[6] “HIPAA Privacy & Security Audit Program.”  The Department of Health and Human Services Office for Civil Rights.  18 Jan. 2012.  <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html>.