make a good business better

Blog Information Security

Print Divider Print Divider Branding
 

OCR Audit Delays: Unintended Consequences

02/04/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security

Share

Social Logo Social Logo Social Logo Social Logo

The Office for Civil Rights (OCR) has announced that the next round of HIPAA audits has been delayed. (We stopped calling them the 2014-2015 OCR Audits long ago.) What they haven’t said is when the audits are going to start. Apparently, affected entities are left to our own devices to figure that out.

So what’s going on here? According to the OCR, the audit portals and project management tools that are needed to facilitate the audit process are not yet ready for prime time. We’re a bit perplexed as to why this is just now being acknowledged as an issue, but we’re buying it. Clearly, without a fully functioning infrastructure, the audits would be a nightmare for the OCR and every organization subjected to one. But what is most concerning about the delay is the message that the OCR is sending to covered entities and their business associates. The lack of communication and ongoing delays suggests that overseeing and enforcing HIPAA regulations is simply not a high priority for the Federal Government.

OCR Audit Delays: A Tactic that Doesn’t Work

In 2009, HITECH was enacted in part to address the abysmal job that healthcare organizations were doing of complying with HIPAA regulations. As part of HITECH, an initial round of audits took place in 2012, auditing 115 covered entities and exacting stepped-up compliance and, in some cases, stiff fines. That got everyone’s attention. As a result, when the 2014-2015 OCR Audits were announced, many organizations that were struggling with compliance began to scramble, taking compliance more seriously and putting better controls in place. But now, the OCR has slipped into ‘hurry up and wait’ mode. You can almost hear the collective sigh of relief across the industry as organizations put their data security compliance initiatives on hold, or at least dial back the intensity. It reminds me of an old Little Rascals episode I saw as a kid. One of the Rascals is arguing with a bully. To make his point, the bully draws a line in the dirt with a stick. Don’t cross this line, or else… So the Rascal defiantly steps across the line. Taken aback, the bully draws a new line, giving the Rascal a wider berth. I mean it. Don’t cross this line or else… If the audits are intended to encourage compliance, imagine how the delays are undermining this worthy goal. Given the pervasive lack of compliance across the industry, the ongoing ‘saber rattling’ by the OCR can hardly be having a positive impact on improving the security of patient data.

OCR Audit Delays: Diluted Effectiveness

Whether or not the audits are a particularly welcomed event, the industry as a whole would benefit from the audit process. Audits often find pockets of noncompliance and/or niggling issues that are currently leaving many organizations—and their patients—exposed. The government's failure to execute the audit process dilutes this important oversight. And because of the delays, many organizations are unfazed by the threat of audit. Until the government draws a line in the sand—and sticks to it—many healthcare entities will be undeterred by potential consequences. Granted, in an ideal world, the government shouldn’t have to intervene to get companies to do the right thing. And often times, it doesn’t. Many of our clients are taking their own initiative to conduct risk assessments and close gaps in compliance—despite the OCR Audit reprieve. But healthcare organizations are struggling with regulations on all sides. For most, a large chunk of resources has been diverted to execute Affordable Care Act directives. It’s almost as if the delayed OCR Audits have given covered entities unspoken ‘permission’ to put HIPAA regulatory initiatives on hold with other priorities competing for resources. In other words, when resources are tight, non-revenue generating initiatives (like government-mandated data security controls) are too easily set aside, especially if no one is watching. If the OCR keeps announcing that the audits are coming—and then continues to push them back—many healthcare organizations will continue to fall below compliance and not be particularly motivated to do anything about it.

Learn more to prepare your firm for the upcoming OCR audit in the new guide, OCR Audits Demystified. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity. ocr audit

Posted in: Healthcare