The agency in coming months will complete its assessment of the pilot, announce findings and put together the permanent program, with the hope of starting in fiscal year 2014, which begins on Oct. 1, 2013. Rodriguez says he has no idea yet of the scope of the program.
Consulting firm KPMG conducted the pilot audits and assessed compliance with 169 requirements under the HIPAA privacy, security and breach notification rules. Now, OCR is learning which gaps in protecting health information cause the most breaches. “We want to hit more entities and be more focused on parts of the privacy and security rules for which breaches are at high risk,” Rodriguez says. “We want to be focused on the things that really matter in terms of compromising patient confidentiality.”
A big bull’s-eye will be deficiencies in an organization’s risk analysis. Covered entities audited in the pilot program often had conducted a shallow analysis that wasn’t updated as events warranted, such as new business strategies or new information systems. With any business change, an entity must review its risk analysis, Rodriguez notes. Yet, two-thirds of pilot participants, including 80 percent of providers, did not have a complete and accurate risk analysis.
Another red flag for OCR is the use of data encryption. Under the security rule, encryption is an “addressable” requirement. An organization deciding not to encrypt must, through documentation, justify its decision and select a reasonable alternative. The pilot program found that organizations either implemented encryption or did nothing at all to justify and document a reasonable alternative. “They didn’t take the steps on what is a very critical requirement for security,” Rodriguez says.
So, a smart move for covered entities would be to conduct a comprehensive, ongoing risk analysis and take affirmative action on encryption or an alternative, he advises. Entities also should have more than a passing awareness of HIPAA requirements. In the pilot program, according to early OCR assessments, 30 percent of organizations cited for noncompliance were unaware of the requirement. “Most of these related to elements of the rules that explicitly state what a covered entity must do to comply,” according to an OCR assessment. The top unknown requirements included notice of privacy practices, access rights of individuals, minimum necessary and authorization provisions in the privacy rule; and risk analysis, media movement and disposal, and audit controls and monitoring in the security rule.
Rodriguez also cautions against doing something blatantly stupid that starts an audit off poorly. Don’t be the organization in the pilot program that printed its policies and procedures from an Internet site after getting notice of a forthcoming audit, with the date of the printout on the documentation. “We will have a robust program focused on high-risk areas and one thing they can absolutely count on is the risk analysis,” he says.
The cover story in the May issue of Health Data Management will examine how providers are getting ready for the random HIPAA audits.