9 Ways Hospitals Should Prepare for HIPAA Audits
According to Matt Jackson, director with Protiviti, a global consulting firm with a focus on IT and internal audit consulting, the OCR intends to develop a permanent audit program based on findings from the pilot audits. "It is still very likely that hospitals can be audited as part of the pilot. In addition, [OCR] fully expects that the process and the audit protocol will expand, and additional organizations will be audited," says Mr. Jackson. If a hospital is not selected for an audit under the pilot program before December, it may still be subject to future HIPAA audits under the expanded program.
"It is not a matter of if a hospital will be selected but when," says Reza Chapman, senior manager and one of the leaders of Ernst & Young's information security and privacy services practice.
Preparing for a potential audit — and HIPAA compliance in general — can be an overwhelming and time-consuming initiative. In the face of stage 2 meaningful use, ICD-10 and other industry initiatives, hospitals may sideline audit preparations. However, any hospital could still receive an audit notification, so delaying preparations could be disastrous. When a hospital receives a notification, it has only 15 days to gather all the necessary material. To avoid the scramble, hospitals should prepare as if they will definitely be audited. If they do not receive a notification, they will still be prepared for a potential audit in the future. "Hospitals should be taking action right now. Assume the worst-case scenario — that you've been selected for an audit and have only two weeks to prepare," says Mr. Jackson.
Here Mr. Jackson; Mr. Chapman; Damon Petraglia, director of forensic and information security services for Chartstone Consulting and former federal contractor for HHS; and Mahmood Sher-Jan, CHPC, vice president of product management for ID Experts, discuss nine ways hospitals can adequately prepare for HIPAA audits and achieve success in the overall privacy and security of electronic personal health information.
1. Become familiar with audit protocol. Hospitals need to be familiar with the audit protocol, which is essentially a guide to what auditors will want documentation of during an audit. According to Mr. Chapman, remarks from OCR Director Leon Rodriguez have suggested there will be little leniency for HIPAA noncompliance given the 15-year history of HIPAA and the substantial technical assistance made available to hospitals. While it may seem intuitive, if a hospital has not thoroughly reviewed the protocol, it should. "Hospitals would be wise to leverage the publicly available audit protocol as they prepare for potential audit. It is a key step to determine what documentation the hospital would need if it were to receive a notification letter," says Mr. Chapman.
The audits will analyze processes, controls and policies of hospitals pursuant to the HITECH Act. OCR's comprehensive audit protocol contains requirements to be assessed through the audits. The protocol includes 168 performance criteria — 78 for security, 81 for privacy and 10 for breach — which detail key activities hospital management should implement to ensure HIPAA compliance.
According to Mr. Chapman, OCR intends for the audits to serve as a compliance improvement tool rather than an enforcement tool. However, if OCR does uncover serious compliance issues it could trigger a separate enforcement investigation, which could lead to sanctions, other penalties and corrective action plans.
"Hospitals have 15 days to prepare documentation related to the audit and are not afforded additional time to respond. Missing elements will be noted by the auditor and appropriate observations made. It will be up to the OCR to determine whether the missing elements necessitate a separate enforcement investigation," says Mr. Chapman.
2. Update and maintain documentation. Since auditors will request documentation from hospitals during an audit, one of the most important preparatory steps for a hospital is to maintain sufficient documentation of its efforts to follow and meet the audit protocol. "Documentation is a hospital's evidence. It should tell the hospital's compliance story to an auditor with little or no additional explanation needed. If a hospital is not prepared — if plans, procedures and actions are not in place — it becomes apparent quickly to [the auditors]," says Mr. Sher-Jan.
According to Mr. Jackson, if a hospital is missing the proper documentation, the auditors will assume the hospital did not meet the compliance element. "For example, hospitals are required to document where the PHI resides, the potential threats and vulnerabilities to that PHI and a plan to mitigate those risks. If the hospital does not have that documentation to turn over, it is reasonable to anticipate that the auditors will assume it did not go through the process," says Mr. Jackson.
3. Review results from initial pilot audits. According to Mr. Jackson, it is important that hospitals continuously monitor regulatory developments from the pilot audits. "Keep track of the regulatory updates and guidance, and look at areas in your hospital that have been identified as pain points from the initial audits," says Mr. Jackson. While OCR is not sharing results from all of the pilot audits because of the potential risk to organizations being audited, it does expect to share high-level guidance and preliminary results in areas where the most significant weaknesses were found. "It is a logical step for executives to review OCR findings and to assess where the hospital stands in those areas," says Mr. Chapman. OCR has already revealed the following five areas of weakness from the initial audits.
1. User activity monitoring
2. Contingency planning
3. Authentication and integrity
4. Media reuse and destruction
5. Risk assessment
4. Assess current HIPAA program governance. One of the best ways for hospitals to prepare for audits is by assessing their current security and privacy governance structure. "In order for organizations to align with HIPAA rules, they need to make sure they have set up strong governance. How are they addressing the challenge of HIPAA? Are the right stakeholders engaged in the process? Do they have the right executive support to drive out the process as well as technical changes to address HIPAA rules? Clear governance needs to be established," says Mr. Chapman. In addition, hospitals should have conducted an evaluation of their compliance within the last two years. "Is the hospital doing what it needs to meet requirements? Someone should have looked at the audit protocol checklist and analyzed what the hospital has done to comply and mitigate associated risks," says Mr. Jackson.
5. Update the risk analysis. While a risk analysis is just one element of OCR's guidelines, it deserves a great deal of attention because it is one of the most challenging areas for an organization to accomplish successfully. A thorough risk analysis involves outlining the risk needs of the hospital, collecting data to understand the flow of personal health information across the hospital, identifying and documenting potential threats and vulnerabilities, assessing current security measures and determining the likelihood of threat occurrence. According to Mr. Chapman, the last step — determining the likelihood of threats — is often the least considered element of a risk analysis. "OCR provides guidance that a hospital should conduct a risk analysis, but it is not more specific than that. In the end, it is up to the hospital to perform a thorough analysis," says Mr. Chapman. "Part of the challenge is just doing the risk analysis. However, hospitals need to stay away from a control-based risk analysis where they go down the audit protocol like a checklist. Merely checking an element off the list will not satisfy the risk analysis requirement," says Mr. Chapman.
6. Run internal "mock" audits. In addition to updating the risk analysis, a hospital should run a "mock" audit, because it is an effective way to surface privacy and security weaknesses before an OCR auditor does. "If [a hospital] finds weaknesses in its privacy and security, it can improve those on its own timeline, instead of OCR's. In addition, it allows the hospital to iron out weaknesses without the pressure of an audit," says Mr. Petraglia.
7. Change your mindset. According to Mr. Petraglia, in order for mock audits to be useful, executives need to have the mindset that findings are a good thing. "Management is usually worried by audits. The truth is that findings are good because you discover vulnerabilities in the hospital's processes, and you can do something to correct that. If you do not know about the weakness, the hackers will find it," says Mr. Petraglia. The time to be worried about findings is during a second audit. "You do not want to have more findings in a second audit than in a first audit," says Mr. Petraglia.
8. Focus on the "spirit" of the audit. It is very easy to follow the audit protocol as a checklist, but when a hospital's only goal is to be compliant, it may miss the "spirit" of the audit and overlook strong security safeguards. "There is a tremendous difference between compliance and security. Security is the mechanism to ensure privacy. When a hospital concentrates solely on compliance — being compliant with the wording of the HIPAA rules — it may limit itself and miss important security elements. You want to make sure you are focusing on the spirit of the audits — the privacy and security of patient information," says Mr. Petraglia. He recommends that hospital executives go through the audit protocol with the broader picture in mind: What is the goal of each element for security purposes? Why has OCR included these elements?
9. Discuss the process with other hospitals. If an element of the HIPAA rules or the audit protocol is unclear, hospitals should reach out to OCR as well as to other hospitals and health systems. "The best thing that hospitals can do is to talk to each other. All the healthcare organizations can benefit from open communication and collaboration. If hospitals can share how they solved security problems and approached compliance, it will establish industry best practices," says Mr. Petraglia. The establishment of best practices will help hospitals apply techniques to situations that may be unique to their organizations. "[Hospitals] may be in different stages of sophistication for their culture of compliance. If they have access to best practices, they can implement them in regard to their own business processes and needs," says Mr. Sher-Jan.
The audit pilot program is only the second of three phases of OCR's health information privacy and security compliance program. The first phase, now completed, was developing the audit protocols. The third phase, to begin after the pilot audits are finished in December, is performing complete audits with revised protocols. For this reason, all hospitals and health systems should be moving toward better security and privacy of patient information with the audit protocol and HIPAA compliance as a guide. Regardless of inclusion in the pilot, all healthcare organizations may be audited in the future under the new protocols. Beginning preparation now will be the difference between hospitals that do well during audits and those that do not.