by Roger Shindell
The audits are coming! The audits are coming! The Office for Civil Rights has given fair warning that its 2016 round of compliance audits is about to unfold. OCR is responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. While OCR investigates complaints and compliance issues, it also maintains an audit program, which is mandated by the HITECH Act.
2016 will be the year that OCR will finally relaunch its "Random Audit" program, under pressure from Congress.
At the same time, the Department of Health and Human Services Office of the Inspector General completed a study in September that was titled in bold, broad letters: "OCR SHOULD STRENGTHEN ITS OVERSIGHT OF COVERED ENTITIES’ COMPLIANCE WITH THE HIPAA PRIVACY STANDARDS." In the report, OIG stated that it had found OCR was not properly doing its job of proactively auditing HIPAA Covered Entities.
One can only imagine that, with combined pressure from Congress and a public lashing by the OIG, OCR will launch audits with renewed vigor. Indeed, OCR has already announced plans to conduct comprehensive on-site audits as well as desk audits in 2016.
Given this compliance pressure, this article re-introduces basic HIPAA requirements. While the information presented here may be more than anyone really cares to know about HIPAA, it is critical to every healthcare practice. If the depth of the information appears overwhelming, there is good news: there are resources available to help you through the compliance process and demystify it, so that you can address your compliance needs and have a successful encounter with OCR in the event of an on-site or desk audit.
What is an OIG audit?
The audit protocol covers all the aspects of your compliance efforts including:
With desk audits, an on-site visit does not occur, but OCR asks for documentation regarding various aspects of your compliance. The document requests must be satisfied within a 20-day period, which may seem like a lot of time. Consider, however, that the document request can ask for up to 6 years of information on such things as your security risk assessments and remediation plans, your policies and procedures, your training logs, and any other documentation related to your HIPAA privacy and security program.
The focus for both on-site and desk audits will be on those areas that OCR compliance investigations have historically found to be lacking. These include:
New this year is a focus on Business Associates. As part of the audit protocol, OCR will be collecting information on Business Associates and, with that information, selecting BAs to audit. Why does this matter to you? Under the Final Omnibus rules, which went into effect in 2014, your relationship with your Business Associates significantly changed! Now you have an obligation to assure yourself that your BAs are complying with HIPAA Regulations, just like you. And if they are not? Welcome to "double jeopardy."
But that is only the beginning. OCR has published its intent to investigate specific security regulations, including:
Security Risk Assessment & Risk Management
OCR will inquire about your policies and procedures to conduct an accurate security risk assessment of vulnerabilities to confidentiality, availability, and integrity of patient PHI.
They will check whether your risk assessment covers any regulation updates, whether it has evaluated operational or material changes in your organization, and whether assessments have been done on a periodic basis.
They will examine your remediation plan for addressing potential risks and vulnerabilities to PHI, decreasing them to an “acceptable” level, as well as whether or not it has been updated on a periodic basis.
Security policies and procedures need to address the specified criteria of the Security Rule; CE/BAs should be clear in addressing data that is transported into and out of the organization.
Appropriate IT Systems and Services
The Security Rule is technology neutral and does not mandate any particular technology, but OCR will assess whether your IT solutions are appropriate for protecting the PHI that you create, receive, maintain, or transmit.
They will also want to ensure that you have protected against threats or hazards to the security and integrity of your PHI, and that you have protected it against unauthorized disclosures.
Lastly, they will want to ensure that you have trained your workforce in your policies and procedures in this area. Security measures for CEs and BAs can be adopted in relation to the entity's size, complexity, and capabilities; its technical infrastructure, hardware, and software security capabilities; and the probability and criticality of potential risks to ePHI.
An Assigned Security Official with Documented Responsibilities
OCR will check to see whether you and your BAs have assigned a specific security official to oversee the development, implementation, monitoring, and communication of security policies and procedures. A job description must clearly document assigned responsibilities.
The content of the job description should match the requirements of the Security Rule. OCR will review the Security Official's documented responsibilities (e.g., the job description) and evaluate that content against the specified criteria, and will determine whether the responsibilities of the Security Official have been clearly defined and communicated to the entire organization.
Workforce security and verification of proper access to electronic PHI
OCR will be evaluating whether your staff have the knowledge, skills, and abilities to fulfill their roles, and whether management verified their experience and qualifications. Policies and procedures for granting access to ePHI will be evaluated, as well as evidence of this approval process. You must provide evidence that workforce members do in fact have access appropriate to their job function.
Evidence of policies and procedures for terminating access to ePHI when a workforce member's employment ends (e.g., voluntarily or involuntarily) or job functions change (e.g., transfers, promotions), and procedures for monitoring this process, must be available.
Note that workforce security is an addressable standard: if you have not fully implemented the workforce security measures described in the regulations, you must document your rationale for not doing so and justify the measures you have substituted.
Information Access Management
You must provide evidence that there are specific criteria for granting access to ePHI, as well as access controls (and security measures around access controls), and that they are periodically reviewed and updated. Criteria on security measures for access controls must be in place. OCR will determine if the entity's IT system has the capacity to set access controls to ePHI.
Criteria must also be established for authorizing access and for documenting, reviewing, and modifying a user's right of access to a workstation, transaction, program, or process. Since access authorization, like access establishment and modification, is an addressable specification, if you have not fully established workforce security measures, you must provide evidence of your rationale for not doing so. You must be able to provide documentation of how this process is evaluated, documented, and periodically reviewed.
You must identify types of workstations, analyze their physical surroundings, establish procedures limiting access to workstations, and implement physical safeguards for the workstations. These practices must be established in policies and procedures with evidence of periodic reviews.
Device and Media Controls
You must provide evidence of policies and procedures that address methods for final disposal of ePHI, accountability for all movement and disposal of your hardware and electronic media, data backup and storage procedures, and procedures for reuse of electronic media.
Encryption and Decryption
OCR will assess your policies and procedures around encryption standards, which must be reasonable and appropriate based on the size and complexity of your organization. Encryption is an addressable specification, at least for ePHI you store, so if you have not fully instituted encryption measures, you must provide evidence of your rationale for not doing so.
OCR will assure themselves that you have adequate access controls that result from your having analyzed workloads and operations, identified the needs of all your users and your technical access control capabilities, assigned every user a unique identifier, and developed an access control policy.
Hardware and software related to access controls will be evaluated. Policies and procedures should address user access, reviewing and updating of user access, and emergency access procedures.
Automatic logoff, termination of access as needed, determination of which activities will be tracked or audited, as well as auditing and system activity review tools, and standard operating procedures will be evaluated.
Policies and procedures around the integrity of ePHI must be in place, including identification of all users who have been authorized to access ePHI, mechanisms to authenticate ePHI, authentication methods, and the applicability and evaluation of those authentication methods for current systems and applications.
The writer Jane Wagner says, "Reality is the leading cause of stress amongst those in touch with it."
Again, the information presented in this article is probably more than you really care to know about HIPAA. It is important, and it is reality. At this point you may feel stressed by the depth of the information. If so, take heart: there are resources available to demystify the process, so that you can comply with the regulations and have a successful encounter in the event OCR lands on your doorstep.
Tune in next month when we will discuss some of these resources, as well as how to evaluate their usefulness to help you successfully address HIPAA requirements.
Roger Shindell is CEO of Carosh Compliance Solutions, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. Shindell currently is a member of both the HIMSS Risk Assessment and HIT in Rural/Underserved Region Work Groups and sits on the AHIMA Privacy and Security Council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. Contact him at MailTo:firstname.lastname@example.org.
Comment on this article by writing to email@example.com
©2015 by Rowan Consulting Associates, Inc., Colorado Springs, CO. All rights reserved. This article originally appeared in Tim Rowan's Home Care Technology Report (homecaretechreport.com). One copy may be printed for personal use; further reproduction by permission only.