The OCR adopts the do-it-yourself desk audit

Physicians still complacent about their HIPAA compliance programs could soon be subjected to the Office for Civil Rights’ (OCR) latest Phase 2 HIPAA Desk Audit Program, which began in mid-July. The pool of covered entities (CEs) selected to-date represents a small percentage of practices across the healthcare industry.  

Phase 1 audits included both onsite and desk audits.  In Phase 2, CEs will be audited via email, a much more convenient way for the government to check on practices and make sure they’re protecting patient information.  These practices will have to spend precious time finding and uploading pages of documents proving they have a HIPAA compliance program in place.

Related: Cybersecurity finally becoming healthcare priority

The desk audit comes with five questions and a 10-day deadline. Each question, related to privacy and security policies and procedures, requires evidence of implementation, with “clear, complete and responsive” documentation.

The OCR offers a webinar to explain the questions, but many participants remain confused.  Even CE security and compliance officers are befuddled by HIPAA-related questions and the documentation being requested.  Contact information is unavailable if webinar participants have follow-up questions.  Still the OCR expects practices to muddle through.

Simple questions, difficult answers

Here are some examples of OCR Audit Questions:

Breach Incidents

Upload documentation of five breach incidents for the previous calendar year affecting fewer than 500 individuals, documenting the date individuals were notified, the date the covered entity discovered the breach, and the reason, if any, for a delay in notification.

Practices are being asked to reference documentation for five security incidents or breaches.  When an incident occurs, the practice must document it with a description of what was done to resolve it and what was done to prevent it from happening again. The practice needs to determine whether the breach should be reported, if patients were affected and a sample of the letter notifying them of the breach.

Next: How to comply in advance and breeze through the desk audit

CEs that did not experience a breach during that time period are not advised how to respond to the question.

Notice of Privacy Practices

Upload a copy of all notices posted on website and within the facility, as well as the notice distributed to individuals, in place as of the end of the previous calendar year.

Blog: Think you're safe without a proper BA agreement? Think again

Practices must produce copies of Notice of Privacy Practices to give to patients or to send electronically, with authorization from the patient to receive the notice via email. They must also post it on their website and display it in the office.

Patient Requests for Their Medical Records

Upload all documentation related to the first five access requests for medical information, which were granted, plus evidence of fulfillment, in the previous calendar year.

This question pertains to the first five requests from patients who requested a copy of their medical records they need for medical billers, specialists or other third parties. 

Upload any standard template or form letter required by or used by the covered entity to document access requests.

This is the form patients submit to access their medical records.

Failure to document answers could result in a secondary audit that will be more comprehensive, with far more than five questions-the practice’s entire HIPAA compliance program would be reviewed

Comply in advance and breeze through the desk audit

What recourse do these practices have? How do they set aside time to provide the answers and still run a busy practice? At a minimum, practices should:

- Perform a risk assessment to identify security measures taken to prevent the likelihood of a threat and its impact. A security risk assessment looks at how patient information is currently protected. How often does the practice perform data backups? Do employees have the minimum level of access to patient information? Is there a procedure to make sure that employees who leave the practice no longer have access to patients’ medical records?

Next: You need to be ready

- Train employees. Make sure they know how to spot phishing scams and suspicious links in emails and recognize fraudulent IT experts who call to say the practice needs to upgrade an operating system. Employees should also know to avoid conducting business on public WiFi, and minimize sharing on social networks.

- Have a response plan. Be sure to have an incident response plan in the event of a security breach. The plan should include who will be on the response team, what actions the team will take to address the breach, and what steps they’ll take to prevent another breach from occurring. Make sure the plan is documented and all employees are trained on what they need to do.

Related: Tough questions to ask vendors about HIPAA compliance

- Create policies and procedures, including different scenarios of the HIPAA privacy rules, such as when practices can share patient information with or without authorization. 

Practices exist in a HIPAA world, where every compliance measure must be proven. Whether the OCR flags your practice or not, be ready.

Art Gross is the president and CEO of HIPAA Secure Now!, which provides security services to medical practices.