


HIPAA and OCR Audits: Gearing Up

09/24/2014  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security



If your organization is subject to HIPAA’s Privacy, Security, and Data Breach Rules, you could be the target of an OCR Compliance Audit. Prior to the HITECH Act, HIPAA’s scope was limited to healthcare providers, payers (insurers), and healthcare information clearinghouses. In the post-HITECH world, business associates must also comply and are subject to the same audits—and penalties for non-compliance—as traditional covered entities.

OCR Audits: Who is the OCR and Why Might They Audit Me?

The OCR is the Department of Health and Human Services’ (HHS) civil rights and health privacy rights law enforcement agency. The OCR investigates complaints, enforces rights, publishes regulations and develops policy. The agency also provides technical assistance and public education to ensure understanding of and compliance with non-discrimination and health information privacy laws. It is the OCR’s job to ensure that the privacy practices of several million healthcare providers, plans and clearinghouses adhere to Federal privacy requirements under HIPAA. The OCR annually investigates more than 10,000 citizen complaints alleging discrimination or violations of HIPAA. As part of the HITECH Act and updates to the HIPAA Enforcement Rules, HHS—through the OCR—was tasked with assessing the state of compliance with HIPAA and reporting those findings to Congress on a periodic basis. With that mandate, in addition to the enforcement activities which were ongoing, the audit program was initiated.

HIPAA Mandated Compliance: OCR Audits

In 2012, the OCR instituted a pilot program to investigate HIPAA compliance, conducting random OCR audits on 115 covered entities. What they found was troubling:

1. Minimal Protection: A number of organizations lacked even rudimentary safeguards to protect their networks. Many of these organizations had not even done the required risk analysis, which is only the first step in figuring out what (and where) protection is needed.

2. Poor Data Management: Many covered entities did not have a handle on where their data ‘lived.’ Some of it was in spreadsheets, some on individual workstations and much of it was—as expected—in core clinical applications. Plus, a lot of data was traveling around on mobile devices, being accessed from a variety of public places. It could be anywhere. The audits found that many organizations were not using any type of encryption to safeguard data on mobile devices and removable storage devices such as backup tapes, USB drives and other external media. This finding was also supported by the types of breaches that were being reported.

3. Lack of Oversight: Overall, the OCR discovered a general lack of monitoring and audit control. No one was minding the store, and breaches often went undetected. Since the enactment of HITECH in 2009, HHS lists over 1000 serious data breaches of over 500 records—compromising over 33 million individual patient records—on its website ‘wall of shame.’ (Yes, they post the offending organizations’ names.) And it’s only just begun. The OCR audits are expected to resume later this year as soon as a new e-portal has been developed to support the audit process. This time, there will be a larger number of audits. The OCR is targeting 200 or so entities for desk audits and an undisclosed number for more comprehensive on-site audits. These audits will continue into 2015 and include not only covered entities, but business associates as well. If you are a covered entity or a business associate, now is the time to begin preparing for a possible audit.

Learn everything you need to know to prepare for the upcoming OCR audit in our new (free) guide, OCR Audits Demystified. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!

Posted in: Healthcare