Covered Entities and many Business Associates are keenly aware that the latest round of HIPAA Audits, performed by KPMG on behalf of the Office for Civil Rights, has begun. Funded by $9.2 million in taxpayer money, KPMG was selected to perform the audits in two phases. The identification and cataloging of Covered Entities and Business Associates was based upon the selection criteria established in a previous phase, under a public contract awarded to the firm of Booz Allen Hamilton.
So what’s happening right now? Where’s our promised Audit Protocol so that we can prepare?
These are the first two questions we hear almost every day.
Linda Sanches, OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits, recently presented at the NIST / OCR Conference, Safeguarding Health Information: Building Assurance Through HIPAA Security. Linda presented some key information, but did not deliver or present the Audit Protocol we have all been waiting for. Based upon results from the first 20 pilot audits, here are some of the key takeaways. The top Security issues included findings across Covered Entities related to:
- User Activity Monitoring (Logging)
- Contingency Planning (Disaster Recovery, Business Continuity, Business Impact Analysis (BIA))
- User & System Authentication & Data Integrity
- Media Reuse and Destruction (Think USB drives, Hard Drives, Optical Media, etc.)
- Lack of conducting a Proactive Risk Analysis
- Granting, Modifying, and Removing User Access
- Incident Response Planning, Mitigation, Remediation of Core Issues
- Encryption (Data at Rest)
- Physical Access Controls (Access to Data Centers, Workstations, Mobile Devices)
Recommended preparation steps:
- Conduct a robust Risk Analysis.
- Find all of your PHI, not just the obvious PHI (Consider unstructured data, archived data, etc.)
- Map the data flow of PHI into, throughout, and out of your organization. Without this knowledge, it is impossible to achieve compliance.
- Determine all of the lines of business affected by HIPAA.
- Create (if needed), always keep updated, and train workforce members on your HIPAA and Security Policies, supporting Procedures, and Practices.
References:
1. Department of Health and Human Services, Office for Civil Rights, Audit Program Home Page, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
2. http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf
Please contact RISC Management & Consulting to schedule a webinar on this topic, or for assistance developing your OCR / KPMG HIPAA Audit Response Kit at http://www.RISCsecurity.com