Preparation Tips for OCR Privacy, Security Audits

This past weekend, privacy and security officers from across the country gathered to discuss the most complex aspects of the HITECH Omnibus Rule implementation during Saturday’s Privacy and Security Institute. These discussions included how to handle the right to request restriction of information if services are paid for out of pocket, Notice of Privacy Practices changes, business associate agreement updates and changes in indemnification, and breach notification and risk assessment processes.

The privacy and security officers discussed the balance needed to handle confidentiality issues, technology, and workflow accommodations with the complexities of regulatory disparity and laws such as HIPAA and ARRA/HITECH.

Mac McMillan, CEO of CynergisTek, Inc., presented “OCR Audits – The Next Generation” and discussed in detail the audit processes, protocols, and lessons learned from recent Office for Civil Rights audits. McMillan discussed the 115 total OCR audits conducted by the federal government through December 2012, which measured performance against 169 requirements in three focus areas: privacy, security, and breach notification.


Low Risk of Audit, But Be Prepared

McMillan explained that around 10 percent of the covered entities selected and audited had no audit findings. This means that for the remaining 90 percent of the audits, corrective actions were necessary. However, for the 10 percent, which were in some cases totally unprepared for the audit, there may be more to follow. OCR is considering whether to pursue further review or investigation of these entities, which could lead to a formal settlement action.

HIM professionals should stay tuned to see how things play out over the next few months, McMillan recommended.

When asked “What are the chances of my facility being chosen for a HIPAA compliance audit?” McMillan responded, “You want to be prepared for an audit, protect the data, focus on complaints and breaches—but your odds of winning big in Vegas are better than your odds of getting contacted for an OCR HIPAA audit.”


Security Audit Findings

The majority of OCR’s findings, 60 percent, were security related, McMillan said. The main areas where security compliance fell short (in order from most to least prevalent) included:

  • Risk analysis
  • Access management
  • Contingency planning and backup strategy
  • Audit controls and monitoring
  • Media control and destruction
  • Workstation security
  • Security incident procedures
  • Encryption
  • Integrity


The most common root causes of noncompliance identified were a lack of resources, a lack of technology, an expressed lack of understanding of the requirement, and a general lack of security expertise.

Covered entities need to refocus their efforts on completing their risk analysis and assessment, and on addressing every requirement of the HIPAA Security Rule in some form. Addressable standards in particular were often handled improperly by covered entities, McMillan said.

Failure to address an addressable standard, failure to address it with a reasonable alternative control, or failure to document a credible rationale for the decision were the most commonly cited discrepancies when entities were audited on their security practices. According to McMillan, the majority of the findings were in smaller provider institutions.


Privacy Audit Findings

The privacy-related OCR findings showed issues with the following areas (in order from most to least prevalent):

  • Minimum necessary
  • Business associate agreements
  • Personal representatives
  • Judicial and administrative
  • Identity verification
  • Authorizations
  • Deceased individuals


The privacy areas identified as needing more focus included training, policies and procedures, compliance management, and sanctions processes.

McMillan recommended a focus on audit readiness and response with steps such as:

  • Understand the limitations of audit protocol
  • Understand how the protocol works
  • Use the online OCR protocol as a tool to conduct “spot” audits
  • Exercise full demonstration of tasks for both privacy and security
  • Produce documentation when requested


Follow the news and get insights from AHIMA’s 85th annual Convention and Exhibit being held October 26-30 in Atlanta, GA.