Navigating the stormy seas of OCR audits

"It is better to meet danger than to wait for it.
He that is on a lee shore, and foresees a hurricane,
stands out to sea and encounters a storm to avoid a shipwreck."
— Charles Caleb Colton


These three lines of poetry may, in fact, describe your best plan of action in approaching the Office for Civil Rights audits: Be prepared. Be proactive. Stay organized. Educate yourself and those around you. Batten down the hatches, and soon enough the storm will subside.

OCR conjured the first of such "storms" in 2011-2012 when it conducted a pilot project to assess compliance with the then-new HIPAA Omnibus rule. OCR learned that two-thirds of the covered entities they audited were not in compliance. Many hadn't performed the crucial internal risk assessments meant to gauge their vulnerability to breaches, and others were suffering from a total lack of awareness of HIPAA requirements. It wasn't pretty.

OCR took these humbling findings and used them as a guide for composing more permanent audit procedures to be launched later this year. Great anxiety and gnashing of teeth generally accompany any news of audits, but the OCR audits should be received with gratitude by both covered entities and business associates. Seriously.

Despite the obvious inconvenience factor, the OCR audits are designed to help you correct any deficiencies in your privacy and security programs before things get messy. And knowing that such deficiencies can result in fines of up to $1.5 million per incident, doesn't it make sense to embrace audits? Audits are grand opportunities to get your house in order. And fall 2014 is the time to ensure your organization's compliance, privacy, security and HIPAA teams make it so.

That was then
OCR's audits in 2013 assessed the compliance performance of a variety of healthcare providers. These audits were conducted in the form of lengthy, multi-day visits that delved deeply into the organizations' compliance policies, practices and documentation. The first audits were random; organizations were not selected because of past reported incidents or lack thereof. The next wave of OCR audits will be dramatically different.

This is now
The next wave of OCR audits will come in the form of potential desk audits, or more focused audits to address a particular issue. OCR randomly selected a pool of 550-800 covered entities for round two audits. If you are to be included in the next audit selection, your organization will have already received a pre-visit survey/questionnaire, according to a summary of OCR's presentation during "OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2," at the 2014 Compliance Institute hosted by the Health Care Compliance Association.

The pre-screening questionnaire enables auditors to focus on specific areas of concern. They also identify areas where additional information must be obtained from either the covered entity or business associate. Based on survey responses, the agency will identify 350 specific organizations for audit by first sending additional data requests this fall and then initiating Phase 2 audits in 2015.

I believe this next wave of audits will use a methodology similar to the Joint Commission's Tracer evaluations. If there is focus on a particular issue or incident, then all documentation related to that incident must be made available for the auditor's review.

If you receive such a request, you have exactly two weeks or ten business days to provide all material to the reviewers. All documents must be included within a single submission. No late submissions will be accepted. And no document predating is allowed. The complete protocol is available for public review on the OCR's website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.

Training and more training
If you are selected for an audit in the future, your odds for success are better if you ensure all new employees receive job-specific training to help them understand the intricacies of handling PHI. Testing should be ongoing, and staff members should take regularly scheduled refresher courses.

Upon completion of all training programs, have employees take an assessment to ensure that they understand the course content. Just as in previous years, OCR will still expect your response and the delivery of your documentation in a timely fashion, without delays or excuses.

Best practices remain true
Stay on top of training for both new and existing staff members. Keep track of mitigation efforts and training logs. Keep documentation orderly and accessible. If your organization has obvious issues in satisfying patients' requests for records, fix the situation. Take a hard look at your risks.

Should your organization receive notification of an audit, don't panic. Don't send incomplete packages, claiming you weren't prepared to respond, and then send additional data. Excuses simply won't fly. Stay calm. An OCR audit may seem like a hundred-year storm — but there may very well be a rainbow at the end of it.

Rita Bowen, MA, RHIA, CHPS, SSGB, is a distinguished professional with over 20 years of experience in the health information management industry. She serves as the senior vice president of health information management and privacy officer of HealthPort, where she is responsible for acting as an internal customer advocate. Most recently, Ms. Bowen served as the enterprise director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership. Ms. Bowen is the recipient of the Mentor FORE Triumph Award, is a distinguished member of AHIMA's Quality Management Section, and has served as the AHIMA president and board chair and on the AHIMA Board of Directors, Council on Certification and various task groups for privacy certification. Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records.


The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
