In response to feedback from the early recipients of the OCR random audits, OCR has updated the timeline requirement associated with the documentation submission at the start of the audit process. Originally 10 business days were allowed for organizations to collect and forward the information requested in the Notification Letter. That has now been changed to 15 business days, giving organizations an additional week to meet this requirement. That should make it much easier for organizations to accomplish this task, but it is still not enough time for those who are not ready or do not have their documentation organized. Every little bit helps though, so this is a positive step in the right direction.
What a great conference again this year. Kudos to David Holtzman, OCR, and Kevin Stine, NIST, for the outstanding job they did putting the conference together and hosting it. Great turnout, more than in previous years, to keep their track record of steady growth intact. Lots of good speakers as always, and it was especially good to hear from the folks in Washington with respect to what is coming. It was also a pleasure to be able to speak for the fourth straight year, and I had a great panel with me to discuss cloud computing security.
Another speaker provided some much-anticipated information about the first twenty OCR random compliance audits, started last December and completed this March. Ms. Linda Sanches, OCR Senior Advisor, Health Information Privacy and Lead, HIPAA Compliance Audits, not only provided information on the program and what to expect, but she also provided the first real peek under the covers, so to speak, with respect to how the first sites performed. She provided approximately fifteen slides that analyzed the results from those audits and identified the leading issues for both Privacy and Security. Issues such as Conduct of Risk Analysis, Contingency Planning, User Activity Monitoring, Media Reuse and Disposal, Authentication/Integrity, Encryption, Physical Access Controls, Incident Response and Granting/Modifying Access were all identified as problem areas. She did the same for Privacy, and while many more areas were identified there, the top five were procedures around handling Deceased Individuals, Personal Representation, Business Associate Contracts, Disclosures for Judicial and Administrative Purposes and Verification of the identity of those requesting PHI. The focus has not changed. It remains compliance measurement, but she did say that at least one of the twenty could expect another visit, since they had done nothing prior to the audit.
Also of interest was the announcement that the Audit Protocol would soon be out, this week supposedly, so that everyone can see for themselves exactly the level of scrutiny they can expect if audited. The audits continue and will be completed by the end of the year. Following this, an evaluation of the audits and their results will be undertaken and a report published.
There were a lot of other great presentations, including one by Leon Rodriguez, Head of OCR, who talked about the convergence of Privacy and Security and the importance of sound controls and well-constructed programs. Looking forward to 2013. Hopefully we'll see even more folks there and online.
The US Court of Appeals for the Ninth Circuit held that an individual may be criminally convicted of knowingly obtaining health information in violation of HIPAA, even if the individual did not know that the access was illegal. The decision serves as a reminder to health care providers, health plans and their business associates that ignorance of the law is not a defense against criminal prosecution with respect to HIPAA, and that significant repercussions may result from accessing patient information without a valid reason. This was reported by Adam Greene, a Partner with Davis Wright & Tremaine.
There have been many discussions around what constitutes appropriate access, the application of Minimum Necessary, willful neglect, patient consent, and accounting for disclosures. This decision is important for two reasons. It should serve, as Adam suggests in his Alert, as a teaching moment for those who work in healthcare that there should always be a legitimate reason for their access to a patient's information, but it is also important as a reminder to healthcare organizations that they need to actively control and monitor access to patient information.
The first twenty audits conducted by KPMG on behalf of OCR are complete and now under review by OCR. We have published several posts and conducted several webcasts with respect to the audit process, timeline and how to prepare. In our presentations we have covered the types of information requested by the auditors, but not the actual document request list.
The list contained here is the one received from our client. It is instructive as to the types of information you will be asked to produce if audited, but there are a few caveats that I would like to remind everyone of as well.
1. The audit protocol and all of its supporting documentation, including this list, are still under review by OCR and subject to revision. If you recall the process that OCR laid out for the pilot phase of the first 20 audits, there would be a review and time to revise the audit protocol, as appropriate, then more audits, and more opportunity to review/revise, with the goal of having a final audit protocol by year's end. Sue McAndrew, OCR, reconfirmed this when she and I spoke this past week at the NCHICA Academic Medical Centers Privacy & Security Conference in Raleigh/Durham. So the first caveat: the list is subject to change.
2. Like any audit tool, this document request list may be applied differently depending on the size and type of organization, and there may also be other forms of the list for other organizations. The list shared here went to a hospital. We understand that there are multiple, context-based audit protocols, as well as protocols for the audits of particular aspects of the Rules, per the contract between OCR and KPMG. Sue McAndrew also said that they hope to have the final protocol(s) and supporting documentation available for everyone before year's end.
As we have shared with many of you, the list herein is communicated as an attachment to the Notice of Audit letter that each site receives to start the audit process. It is related to the first requirement in the audit process, providing documentation to the audit team within 10 business days of the date of the audit letter, and represents the first opportunity for the site to demonstrate readiness. Collecting and providing the documentation on the list can be a daunting task for large institutions, for organizations with decentralized execution, or if organizations don't have their documentation well organized and accessible. As you look at this list, be thinking about how readily you can collect, organize and transmit your responses to this request. Is your documentation current? Is it complete? Does all of the "supporting" documentation referenced in your policies/procedures live together? Does operational practice align with what is communicated in your documentation? These are all important questions to answer before the audit. So, without further ado, here is the list:
As Leon Rodriguez suggested, another fine has been levied by HHS for non-compliance, this time against a Phoenix-based physician practice, for $100,000, for failing to meet HIPAA Privacy and Security requirements to protect patient information. Significant in the HHS statement was the following:
"This case is significant because it highlights a multiyear, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules," said Leon Rodriguez, Director of OCR. "We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter what the size of the covered entity."
So if there was any doubt out there about being on OCR's radar, the message here, as well as the message sent by the selection of multiple small entities in the initial 20 random compliance audits, ought to provide a wake-up call. I think it is safe to say that Mr. Rodriguez means business.
Finally, the Omnibus Rule that will address many of the HITECH Act revisions has been officially acknowledged as received by the Office of Regulatory Affairs at OMB, starting the final review process before it is published. The Omnibus Rule was officially registered with OMB on Saturday, March 24, 2012. The rule will cover many of the outstanding aspects of HITECH and include:
- Changes to the HIPAA Privacy and Security protections
- The Final Breach Notification Rule
- Enforcement and Compliance Interim Final Rule, and
- The proposed rule covering GINA
Accounting for Disclosures (AOD) will come out separately and is very close to being ready. Language that supports AOD can be found in the recently released NPRMs for Meaningful Use Stage 2 and for Implementation Standards and Certification Criteria, both of which are out for public comment now. AOD is still expected to cover accounting for access to information related to Treatment, Payment and Operations and to require an automated accounting. Several write-ups of the NPRMs have already suggested that requirements in those rules are geared towards supporting automated auditing and the ability to produce an audit list, something that was very controversial when the AOD NPRM first came out last year.
Between the OCR Audit Program and the Omnibus Rule, 2012 is shaping up to be a busy and exciting year for healthcare privacy and security.