From the Experts: Lessons Learned to Ace the New Round of HIPAA Compliance Audits

This article is based on Session 1 of our recent 5-part webinar series, “HIPAA Audits Are On The Way—Are You Ready?”

The Office for Civil Rights (OCR) is launching a new round of HIPAA compliance audits for covered entities and business associates. This is the third round of audits required under the HITECH Act.

Whether you’ve already undergone a previous audit or you’re anxiously waiting to see if you’ll get selected in this round, audit preparation likely elicits a feeling of dread. Historically, it has taken a lot of time and tied up many resources throughout the process. The good news is that you can draw on lessons from previous audits to ensure you do what’s reasonable and appropriate for your healthcare organization.

The Audit Trail

OCR conducted Phase 1 audits in 2011-2012 as part of a pilot program, auditing 115 covered entities and including on-site visits. Phase 2 audits took place in 2016-2017, with 166 covered entities and 41 business associates under review, but did not include on-site visits.

Since then, OCR has been under pressure from the government, specifically the Office of the Inspector General, to return to auditing organizations on HIPAA compliance and to do so more formally and systematically.

On Feb. 12, 2024, OCR issued a notice announcing that it was launching a survey of covered entities and business associates to gather more information about the effectiveness of previous audits. OCR will use this information to determine how it manages future HIPAA audits.

This latest round of audits should begin later this year and evaluate organizations’ HIPAA compliance and effectiveness in safeguarding protected health information (PHI).

Understanding the OCR Audit Process

In previous audits, OCR’s processes were designed to assess the industry’s HIPAA compliance accurately. The agency selected healthcare entities covering a range of providers, health plans, and clearinghouses. It looked at entity size, affiliations, locations, and whether an entity was public or private. Health plans were categorized as either group plans or issuers. Providers were categorized by type: hospital, practitioner, elder care/skilled nursing facility (SNF), health system, or pharmacy.

OCR randomly selected organizations in each category, and then, in Phase 2, selected business associates.

OCR audits follow a process similar to a real OCR investigation. The process begins when OCR initiates contact via two email communications: an initial notification letter and a document request.

Entities and business associates have 10 days to respond to document requests. Next, OCR reviews those documents against audit protocols before providing draft findings and allowing auditees to respond. OCR considers those responses when issuing a final audit report.

Ten days is a short time to respond to an OCR audit or investigation document request. Looking at your existing processes, could you provide OCR with everything needed within 10 days? Do you know where the documents are stored? What are they called? Who has access? What does it take to access them? If you haven’t conducted audit tests or drills, now is the time to evaluate your existing processes and make improvements to accurately and quickly respond to an OCR request.

Understanding Audit Results

In Phase 2 audits, OCR issued compliance effort ratings on a scale of 1 to 5:

  1. Audit results indicate the entity complies with the selected standards’ goals, objectives, and implementation specifications.
  2. Audit results indicate the entity substantially meets criteria. It maintains appropriate policies and procedures, and documentation and other evidence of implementation meet requirements.
  3. Audit results indicate the entity’s efforts minimally address audited requirements. Audit indicates the entity has attempted to comply, but implementation is inadequate, or some efforts indicate a misunderstanding of requirements.
  4. Audit results indicate the entity made negligible efforts to comply with the audited requirements; for example, policies and procedures submitted for review are copied directly from an association template or evidence of training is poorly documented and generic.
  5. The entity did not provide OCR with evidence of a serious attempt to comply with the Rules.

Applying 2016-2017 Audit Findings to Your Audit Prep

On Dec. 17, 2020, OCR issued its 2016-2017 HIPAA Audits Industry Report. The report provided:

  • A snapshot of HIPAA compliance within a sample of the healthcare industry, based on the OCR Audit Protocol.
  • Examples of widespread noncompliance.
  • OCR recommendations and opportunities for improvement.

Seven key elements were included in Phase 1 audits:

  • Privacy Rule
    • Notice of Privacy Practices & Content Requirements
    • Provision of Notice – Electronic Notice (Website Posting)
    • Right of Access
  • Breach Notification Rule
    • Timeliness of Notification
    • Content of Notification
  • Security Rule
    • Security Management Process – Risk Analysis
    • Security Management Process – Risk Management

For two of them, timeliness of breach notification and provision of notice, OCR found widespread compliance across covered entities and business associates.

What happens if you fail a random OCR audit?

The Health Information Technology for Economic and Clinical Health Act of 2009 requires OCR to periodically audit covered entities and business associates for their compliance with the requirements of HIPAA. The audits are designed to complement OCR’s enforcement program, which investigates specific covered entities or business associates through complaint investigations and compliance reviews; seeks resolution of potential violations through voluntary compliance, corrective action plans, and settlements; and, in some instances, imposes civil money penalties.

Corrective Action Plans (CAPs) require organizations to make specific changes to their privacy, cybersecurity, and/or breach response programs to prevent future violations and bring the organization into compliance with HIPAA. Another outcome can be a monetary penalty, varying based on the organization’s degree of culpability in the violation(s). Penalties can range from $100 to $50,000 per violation (with annual adjustments based on inflation).

In addition, HIPAA permits State Attorneys General to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. It’s important to note that OCR also works with the DOJ to refer potential criminal violations that may be identified during an audit or investigation.

Privacy Rule Compliance

Across the remaining elements, however, there were significant deficiencies. A mere 2% of covered entities fully met Privacy Rule requirements. Most covered entities failed to:

  • Provide all required content for a Notice of Privacy Practices (NPP). (Often, organizations had one, but it didn’t include all the necessary elements.)
  • Properly implement individual right of access requirements (e.g., respond within 30 days; reasonable cost-based fee).
  • Provide all required content for breach notification to individuals.

For Notice of Privacy Practices, OCR requested:

  • Copy of NPP distributed to individuals.
  • Copy of all NPPs posted on entity website and within the facility.

OCR found nearly two-thirds of covered entities failed to meet content requirements or made minimal/negligible efforts to comply.

Lessons learned to prepare for your audit:

For Right of Access, OCR requested:

  • Access requests
  • Extensions to access requests
  • Access requests templates and/or forms
  • Notice of Privacy Practices
  • Access policies and procedures

At the time of the audit, almost all covered entities (89%) failed to demonstrate they correctly implemented the individual right of access. Only one audited entity received a 1 rating for complete access implementation.

OCR found these recurring Right of Access issues:

  • Not documenting access requests
  • Unreasonable cost-based fee policy or incorrect blanket fees
  • Lack of policies regarding:
    • Requesting/accessing PHI or procedures for providing access
    • Access to PHI not maintained by the entity
    • Timely written denial and the basis for denying an access request
  • Incorrectly denying access to:
    • PHI in a designated record set (e.g., test results, Rx history)
    • A designated third party
    • PHI in the desired form/format (e.g., requiring in-office pick-up)
  • Requiring individuals to submit signed authorization forms
  • Notice of Privacy Practices did not:
    • Correctly describe individual rights
    • Identify (or correctly identify) the patient’s right to timely access

Lessons learned to prepare for your audit:

Breach Notification Compliance

For Content of Breach Notification, OCR requested:

  • Standard template or form letter for breach notification to individuals
  • List of breaches, if any, which occurred in the previous calendar year
  • Written notice sent to affected individuals in the last calendar year

The audit determined that most breach notification letters lacked the required content elements. OCR rated 39% of audited entities as a 4.

OCR found these Breach Notification issues:

  • Frequently omitted content requirements:
    • Description of the unsecured PHI involved in the breach
    • Steps individuals should take to protect themselves against potential harm from the breach
    • Detailed explanation of the entity’s investigation and mitigation activities
  • No dates on the notification letters and documentation
  • Inadequate contact information:
    • No way for individuals to ask questions or learn more (e.g., toll-free telephone number, email, website, or postal address)

Lessons learned to prepare for your audit:

  • Train workforce members on:
    • Requirements for breach notification letters
    • How to properly document and inform affected individuals
    • De-identification

Security Rule Compliance

For security risk analysis, OCR requested:

  • Current and prior risk analyses and results
  • Risk analysis policy and procedures
  • Documentation of the risk analysis process, and evidence that this documentation is periodically reviewed and updated

The audit revealed that few covered entities (14%) and business associates (17%) conducted adequate risk analysis activities. Business associates, however, generally showed greater compliance (17% rated 1 or 2) than covered entities. This may be because of the requirements already placed on business associates that handle PHI: many have risk analysis requirements in service level agreements (SLAs) and similar engagement documents, and many already hold certifications such as SOC 2 in order to work with covered entities in the first place.

OCR found entities failed to:

  • Identify and assess the risks to all their ePHI
  • Develop and implement policies and procedures regarding risk analysis
  • Identify threats/vulnerabilities, consider potential likelihoods and impacts, and rate the risk to ePHI
  • Review and update a risk analysis after:
    • Changes in the environment and/or operations
    • Security incidents
    • A significant event
  • Conduct risk analyses consistent with policies and procedures

Lessons learned to prepare for your audit:

  • It’s your responsibility to conduct appropriate risk analyses
    • Many entities rely on third parties to manage or perform risk analyses; however, these third parties frequently fail to meet the requirements
    • Entities incorrectly assumed that a purchased security product satisfied all Security Rule requirements
  • You must understand and comply with risk analysis requirements in order to appropriately safeguard PHI
  • Include risk analysis in your risk management programs:

For Security Risk Management, OCR requested:

  • Documentation of efforts used to manage risks
  • Risk management policies and procedures
  • Evidence that current and ongoing risks are reviewed and updated
  • Evidence that the risk management process is reviewed and updated

Here, a staggering 94% of covered entities and 88% of business associates failed to implement appropriate risk management requirements. While some identified risks, they failed to implement proper security measures.

OCR found that entities:

  • Lacked the technical safeguards (access controls, audit controls, etc.) needed to protect ePHI
  • Did not know:
    • Acceptable levels of risk
    • Vulnerabilities applicable to their environment
    • How to mitigate risks or vulnerabilities to ePHI in their organization
  • Assessed potential risks and vulnerabilities to some ePHI instead of all of it
  • Had no remediation plans, or did not implement them within a reasonable timeframe
  • Implemented a risk management plan but failed to update it

Lessons learned to prepare for your audit:

  • Be prepared to:
    • Provide documentation for policies and procedures
    • Demonstrate you have implemented sufficient security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
  • Using contracted security firms does not remove your organization’s responsibility to establish a compliant security program
  • Use the resources in the Industry Report Appendix to help implement an appropriate risk management program
