
Healthcare Compliance 101

Contingency Plan

Plan A… B… Contingency Plan!

 The purpose of any contingency plan is to allow an organization to return to its daily operations as quickly as possible after an unforeseen event.  The contingency plan protects resources, minimizes customer inconvenience and identifies key staff, assigning specific responsibilities in the context of the recovery.

 Contingency plans are critical to protecting the availability, integrity, and security of data during unexpected adverse events. Contingency plans should consider not only how to respond to disasters such as fires and floods, but also how to respond to cyberattacks. Cyberattacks using malicious software such as ransomware may render an organization’s data unreadable or unusable. In the event data is compromised due to a cyberattack, restoring the data from backups may be the only option to recover the data and restore normal business operations.

What Does a Contingency Plan Do?

• Contingency Plan:  Focused on the steps to respond and recover operations in the event of an emergency or other disruption to normal operations.  Its major objectives are to ensure: (1) the containment of damage or injury to, or loss of, property, personnel, and data; and (2) the continuity of the key operations of the organization.

 Contingency plans aren’t just a good idea; regulations for certain industries require contingency planning.  For example, the HIPAA Security Rule requires that HIPAA covered entities and business associates establish and implement a contingency plan.[1]

 What’s Required for a HIPAA Contingency Plan?

• Disaster Recovery Plan:  Focused on restoring an organization’s protected health data.

• Emergency Mode Operation Plan (or Continuity of Operations):  Focused on maintaining and protecting critical functions that protect the security of protected health data.

• Data Backup Plan:  Focused on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.

 Items to Address as Part of a HIPAA Contingency Plan

• Applications and Data Criticality Analysis: Focused on identifying what applications and data are critical for the contingency plan.

• Testing and Revisions: Focused on testing your contingency plan and revising any identified deficiencies.

 Key Steps on the road to Contingency Planning:

Make it Policy:  A formal policy provides the authority and guidance necessary to develop an effective contingency plan.

Identify what is Critical:  Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.

 Identify Risks, Threats and Preventative Controls:  Perform a risk analysis to identify the various risks that your business may face.  What has the potential to significantly disrupt or harm your operations and data?

    Contingency Plans & Risk Analysis:  The need for contingency plans appears as a result of a thorough and accurate analysis of the risks that your organization faces.  The end result of a risk analysis can provide a list of potential threats, risks, and preventative controls.  Prioritization of critical systems and information will help identify where to focus planning efforts.

Create Contingency Procedures:  Establish the specific guidelines, parameters, and procedures for enacting the contingency plan and for the recovery of systems and data.  Here’s where the Disaster Recovery Plan, Emergency Mode Operation Plan and Data Backup Plan fill in the overarching contingency plan.  Keep in mind:

o   The goal is to maintain critical operations and minimize loss.

o   Define time periods – What must be done during the first hour, day, or week?

o   Establish Plan Activation – What event(s) will cause the activation of the contingency plan?  Who has the authority to activate the contingency plan?

o   Use plain language – the plan should be understandable to all types of employees.

 Operationalize & Maintain the Plan:  Integrate the plan into normal business operations.

o   Communicate and share the plan and roles and responsibilities with the organization.

o   Establish a testing (exercise) schedule for the plan to identify gaps, keep the plan effective and up to date, and increase organizational awareness.

o   Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.

 Don’t wait for a disaster to happen before designing and implementing a contingency plan.

Reprinted from the Office for Civil Rights
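The Data Backup Plan and the Testing and Revisions items above come down to one question: can the data actually be restored, intact, from the backup? The following is an added example, not part of the OCR material: it writes a SHA-256 manifest alongside a backup and, during a restore drill, reports which files came back unchanged, which are missing or modified, and which appeared that were never backed up. The directory names, sample records and the simulated tampering are constructed in a temporary directory so the script runs offline.

```python
"""Backup manifest and restore-test check.

Added example; this is not code from the OCR newsletter. The sample files,
paths and tampering below are constructed in a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def back_up(source: Path, backup_root: Path) -> Path:
    """Copy the tree and store the manifest beside the data, not inside it.

    In practice the manifest belongs on separate, write-once or offline
    storage, so malware that reaches the backup cannot rewrite the digests."""
    shutil.copytree(source, backup_root / "data")
    manifest = build_manifest(source)
    (backup_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_root


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    report = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    current = build_manifest(restored) if restored.exists() else {}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def run_restore_test() -> dict:
    """Restore drill on constructed data, with a deliberately bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, backup, restored = tmp / "ephi", tmp / "backup", tmp / "restored"
        (source / "records").mkdir(parents=True)
        # Constructed sample files standing in for ePHI.
        (source / "records" / "patient-0001.txt").write_text("constructed sample record\n")
        (source / "records" / "patient-0002.txt").write_text("another constructed record\n")
        (source / "schedule.csv").write_text("date,clinic\n2016-07-01,main\n")
        back_up(source, backup)

        # Restore from the backup copy, then simulate what a compromised
        # restore looks like: one file overwritten (as ransomware encryption
        # would do), one file dropped, and a file that was never backed up.
        shutil.copytree(backup / "data", restored)
        (restored / "schedule.csv").write_bytes(b"\x00ENCRYPTED\x00")
        (restored / "records" / "patient-0002.txt").unlink()
        (restored / "ransom-note.txt").write_text("constructed ransom note\n")

        manifest = json.loads((backup / "manifest.json").read_text())
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in run_restore_test().items():
        print(f"{status:10} {files}")
```

A restore drill passes only when the missing and modified lists are empty; anything else is a failed test that the Testing and Revisions step should turn into a documented fix. Keep the manifest apart from the backup media it describes, since a check against digests the attacker could also rewrite proves nothing.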


Phishing – Cyber Attacks

Phishing is a type of cyber-attack used to trick individuals into divulging sensitive information via electronic communication by impersonating a trustworthy source.  For example, an individual may receive an e-mail or text message claiming that their password may have been hacked.  The phishing message may then instruct the individual to click on a link to reset their password.  In many instances, the link will direct the individual to a website impersonating an organization’s real web site (e.g., bank, government agency, email service, retail site) and ask for the individual’s login credentials (username and password).  Once the credentials are entered into the fake website, the third party that initiated the phishing attack has the individual’s login credentials for that site and can begin other malicious activity, such as looking for sensitive information or using the individual’s email contact list to send more phishing messages.  Alternatively, rather than capture login credentials, the link in the phishing message may download malicious software onto the individual’s computer.  Phishing messages could also include attachments, such as a spreadsheet or document, containing malicious software that executes when the attachment is opened.  Phishing is one of the primary methods used to distribute malicious software, including ransomware.

Individuals must remain vigilant in their efforts to detect and not fall prey to phishing attacks because these attacks are becoming more sophisticated and harder to detect.  Phishing attacks take advantage of popular holidays by impersonating messages from shipping vendors and ecommerce sites.  Similarly, phishing attacks regarding tax refunds are common during tax season (March and April).  A specific type of phishing attack, known as spear phishing, targets specific individuals within an organization. For example, a spear phishing attack could target an individual in the IT, accounting or finance department of an organization by impersonating the individual’s supervisor and directing the individual to a malicious website or to download a file containing a malicious program.  One of the primary methods of combating phishing attacks of all kinds is through user awareness.  OCR included information on cybersecurity training and awareness programs in its July 2017 newsletter.[1]

Tips to avoid becoming a victim of a phishing attack include:

  • Be wary of unsolicited third party messages seeking information.  If you are suspicious of an unsolicited message, call the business or person that sent the message to verify that they sent it and that the request is legitimate.
  • Be wary of messages even from recognized sources. Messages from co-workers or a supervisor as well as messages from close relatives or friends could be sent from hacked accounts used to send phishing messages.
  • Be cautious when responding to messages sent by third parties.  Contact information listed in phishing messages such as email addresses, web sites, and phone numbers could redirect you to the malicious party that sent the phishing message.  When verifying the contents of a message, use known good contact information or, for a business, the contact information provided on its web site.
  • Be wary of clicking on links or downloading attachments from unsolicited messages.  Phishing messages could include links directing people to malicious web sites or attachments that execute malicious software when opened.
  • Be wary of even official looking messages and links.  Phishing messages may direct you to fake web sites mimicking real websites using web site names that appear to be official, but which may contain intentional typos to trick individuals.  For example, a phishing attack may direct someone to a fake website that uses 1’s (ones) instead of l’s (e.g., a11phishes vs. allphishes).
  • Use multi-factor authentication.  Multi-factor authentication reduces the possibility that someone can hack into your account using only your password.  OCR’s November 2016 cybersecurity newsletter included information on types of authentication.[2]
  • Keep anti-malware software and system patches up to date.  If you do fall for a phishing scam, anti-malware software can help prevent infection by a virus or other malicious software.  Also, ensuring patches are up to date reduces the possibility that malicious software could exploit known vulnerabilities of your computer’s or mobile device’s operating system and applications.
  • Back up your data.  In the event that malicious software, such as ransomware, does get installed on your computer, you want to make sure you have a current backup of your data.  Data that malicious software deletes or holds for ransom may not be retrievable without one.  Robust, frequent backups may be the only way to restore data in the event of a successful attack.  Also, be sure to test backups by restoring data from time to time to ensure that the backup strategy you have in place is effective.
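The lookalike-name trick in the tip above (a11phishes vs. allphishes) can be checked mechanically before anyone clicks. The following is an added example, not code from the OCR newsletter: it folds commonly confused characters, strips subdomains down to the registrable domain, and compares each link’s host against a constructed list of trusted domains (allphishes.example and hhs.gov are used here as assumptions; the sample links are constructed). It goes a step beyond the tip by also flagging one-character typosquats and punycode (xn--) names for manual review.

```python
"""Lookalike-domain check for links found in suspected phishing messages.

Added example; this is not code from the OCR newsletter. The trusted-domain
list and the sample links below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Substitutions attackers use for visually similar characters (the newsletter's
# "a11phishes" vs "allphishes" case is the digit one standing in for the
# letter l). Multi-character confusables are folded first so that "rn" is not
# masked by the single-character table.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# Constructed list of domains the organization actually uses (assumed ASCII).
TRUSTED = {"allphishes.example", "hhs.gov"}

# Constructed sample links as they might appear in messages.
SAMPLE_LINKS = [
    "https://www.allphishes.example/login",
    "https://www.a11phishes.example/reset",
    "https://hhs.g0v/hipaa",
    "https://allphises.example/",
    "http://allphishes.example.account-verify.test/",
]


def normalize(domain: str) -> str:
    """Fold confusable characters so visually identical names compare equal."""
    domain = domain.lower()
    for seq, repl in MULTI_CONFUSABLES.items():
        domain = domain.replace(seq, repl)
    return domain.translate(SINGLE_CONFUSABLES)


def registrable_domain(host: str) -> str:
    """Keep only the last two labels, so a trusted name buried in a subdomain
    of an attacker's host does not match. Assumption: two-label registrable
    domains; a production check would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike', 'typosquat', 'idn' or 'unknown'."""
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        return "idn"  # internationalized name (possible homograph): review by hand
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    normalized_trusted = {normalize(t) for t in trusted}
    if normalize(domain) in normalized_trusted:
        return "lookalike"  # same name once confusables are folded
    if any(edit_distance(normalize(domain), normalize(t)) <= 1 for t in trusted):
        return "typosquat"  # one insertion, deletion or substitution away
    return "unknown"


def check_links(urls, trusted=TRUSTED) -> dict:
    """Classify the host of every URL in the list."""
    return {url: classify_host(urlsplit(url).hostname or "", trusted) for url in urls}


if __name__ == "__main__":
    for url, verdict in check_links(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}")
```

A "lookalike" or "typosquat" verdict is a strong signal; "unknown" only means the domain is not one the organization uses, which is the case for most legitimate mail too, so it belongs in the "verify through known good contact information" path from the tips rather than an automatic block.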

Phase Two HIPAA Audits Have Begun

July 12, 2016

OCR’s Phase Two HIPAA Audits Have Begun

Phase Two of OCR’s HIPAA audit program, which began a couple of months ago, has now officially kicked into high gear.   Selected covered entities have received notification letters regarding their inclusion in the desk audit portion of the audit program.  Letters were delivered on Monday, July 11, 2016 via email to 167 health plans, health care providers and health care clearinghouses (covered entities).  The desk audits will examine the selected entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.

The desk audits are focused examinations of documentation of entity compliance with certain requirements of the HIPAA Rules (see table below).  OCR selected these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance.  Entities received two email communications, which were sent to the contact information confirmed by the entity during the pre-audit phase of the program.  However, these emails may be incorrectly classified as spam by the recipient’s email service.  Covered entities should monitor their spam filtering and junk mail folders for emails from OSOCRAudit@hhs.gov.   One e-mail includes a notification letter providing instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR’s secure online portal. A second email contains an additional request to provide a listing of the entity’s business associates and also provides information about an upcoming webinar, where OCR will explain the desk audit process for auditees and take their questions.    Entities have 10 business days, until July 22, 2016, to respond to the document requests. Desk audits of business associates will follow this fall.

For more information, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.

Requirements Selected for Desk Audit Review

Privacy Rule
  • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
  • Provision of Notice – Electronic Notice [§164.520(c)(3)]
  • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule
  • Timeliness of Notification [§164.404(b)]
  • Content of Notification [§164.404(c)(1)]

Security Rule
  • Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
  • Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]

 

Responding to a CyberSecurity Incident

July 2016

Is your Covered Entity or Business Associate Capable of Responding to a CyberSecurity Incident?

Computer security incident response is an important element of an information technology program.  It can assist Covered Entities and Business Associates in promptly detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited, protecting the confidentiality, integrity, and availability of data, and restoring IT services back to normal.

HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.  (See the definition of security incident at 45 CFR 164.304).  HIPAA also identifies breaches as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402).

According to a survey recently conducted, 43% of the survey respondents lack formal incident response plans and procedures, and 55% of them lack formal incident response teams.  Also, 61% of these respondents have experienced a data breach over the past two years, which included unauthorized access, denial of service, or malware infection.   Cybersecurity-related attacks have continued to rise and become more destructive and disruptive.  According to a different study, in 2014 the average cost to a company suffering a data breach affecting personally identifiable information (PII) was $3.5 million, with an average cost of $145 per individual.

With the continued rise in security breaches that involve cyberattacks, and as required by the HIPAA Security Rule, Covered Entities and Business Associates should have security incident response capabilities established.  Although effective incident response planning can be a complex task, it should be one of Covered Entities’ and Business Associates’ priorities.

When establishing incident response capabilities, Covered Entities and Business Associates should consider:

•  Developing incident response policies, plans, and procedures

An incident response policy assists Covered Entities and Business Associates in having a proper, concentrated, and coordinated approach to responding to incidents. The incident response plan should provide a roadmap for implementing the entity’s incident response capabilities.  The plan should also meet the Covered Entities’ and Business Associates’ distinctive requirements that relate to their mission, size, structure, and functions, and identify the necessary resources and management support. Incident response policies and plans should be approved by management and reviewed on an annual basis.

 

The incident response procedures should be based on the incident response policy and plan.  Incident response procedures are outlines of the specific technical processes, tools, techniques, and forms that are utilized not only by the incident response team, but also by staff who need to report an incident.  These procedures should include the entity’s processes for:

  • preparing for incidents;
  • detecting and analyzing incidents;
  • containing, eradicating and recovering from incidents; and
  • conducting post-incident activities and reviews.

 

•  Building relationships and setting up plans for communicating with internal and external parties regarding incidents

Building relationships and lines of communication between the incident response team and other groups, both internal and external, can be challenging.  Covered Entities and Business Associates should plan the communication with these groups before an incident occurs.

 

Before establishing incident response policies and procedures, the incident response team should first develop relationships and lines of communication with internal groups within its organization, such as the IT department, public affairs office, legal department, internal law enforcement, and management.

 

Also, the incident response team should discuss with its entity’s public affairs office, legal department, and management about sharing information with external groups.  Covered Entities and Business Associates are often required to communicate with external parties regarding an incident and should comply whenever applicable.  External parties could consist of federal agencies, law enforcement, media, internet service providers (ISPs), vendors, or other incident response teams.

 

•  Staffing and training

Covered Entities and Business Associates should staff their incident response team with people who have the appropriate skillsets.  These skills could include network administration, programming, technical support, intrusion detection, and forensic analysis; team members should also possess teamwork and communication skills.

 

Furthermore, incident response team and staff members should be provided with the necessary training to be effective in their roles, and to carry out their responsibilities during an incident or when an incident is suspected.

 

Resources:

National Institute of Standards and Technology (NIST): http://csrc.nist.gov/publications/PubsSPs.html (Special Publication 800-61, Computer Security Incident Handling Guide)

Office for Civil Rights (OCR): http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html (HIPAA Breach Notification guida

New Guidance on Ransomware – Protect ePHI

Your Money or Your PHI:  New Guidance on Ransomware

One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware.  The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals. In recognition of the threat that ransomware poses to critical healthcare infrastructure, the Secretary of HHS recently sent the attached letter to chief executive officers (CEOs) of companies in the health care sector.  This letter highlights the importance of robust security compliance to combat ransomware attacks.

To help health care entities better understand and respond to the threat of ransomware, the HHS Office for Civil Rights today released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • Implementing procedures to safeguard against malicious software;
  • Training authorized users on detecting malicious software and reporting such detections;
  • Limiting access to ePHI to only those persons or software programs requiring access; and
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

 

Some of the other topics covered in the guidance include: understanding ransomware and how it works; spotting the signs of ransomware; implementing security incident responses; mitigating the consequences of ransomware; and the importance of contingency planning and data backup.  The guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule.  Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecured PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a “low probability” that the information was compromised.

Ransomware is a type of malware (malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data. Ransomware frequently infects devices and systems through spam, phishing messages, websites, and email attachments and enters the computer when a user clicks on the malicious link or opens the attachment.

Organizations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.

The guidance can be found at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. Please feel free to share the attached letter, and the link to the new HIPAA guidance, with interested colleagues.

From the Office for Civil Rights (OCR)

June  7, 2016

What’s in Your Third-Party Application Software?

Recently, it has been reported that third-party application software security vulnerabilities are on the rise.  Third-party application software is designed to work within operating systems and to assist users in executing tasks on computers and other devices.  For example, Microsoft Windows 7 is an operating system that controls the way computers work and how other programs function, while Adobe Acrobat is a third-party application that computer users utilize to create, modify, and read PDF files.  Many Covered Entities and Business Associates may think their computers and devices are secure because they are deploying operating-system updates, but many systems are still at risk from unpatched third-party software.

According to a recent study, a majority of companies use third-party applications or software, but fewer than 1 in 5 companies have verified the security of that third-party software.  It was also reported that, among companies that install their operating-system patches, many still have third-party software that remains unpatched.

Furthermore, third-party software may have numerous security vulnerabilities that do not stem from the applications themselves.  Misconfigured servers, improper files settings, and outdated software versions may contribute to third-party software security vulnerabilities.

Covered Entities and Business Associates Should Consider:

Testing Software Prior to Installation

Covered Entities and Business Associates should define the criteria they are willing to accept for safe third-party applications, including open source and public domain applications. Applications should meet the corporate standards set by the entities and also satisfy compliance requirements, and entities should test against these criteria.

The purpose of conducting security testing on software is to reveal flaws in its security mechanisms and to find the vulnerabilities or weaknesses of software applications. For example, testing may show how vulnerable a system is to flaws in its applications and determine whether data and resources are protected from potential intruders.

Covered Entities and Business Associates should work with their Business Associate vendors to test their applications for security vulnerabilities prior to installation, and on a regular basis after the software has been installed.

Installing Software Patches or Updated Versions

Software patches repair “bugs” in applications and software programs.  Patches are updates that fix a particular problem or vulnerability within a program.  Covered Entities and Business Associates should be installing patches or updating software versions promptly and on a continuous basis.  The majority of software developers disclose their security flaws to the public; attackers will exploit these known vulnerabilities if Covered Entities and Business Associates do not fix the security flaws in a timely manner.

Though applying patches is essential to ensure the security of information systems, patches should be assessed prior to deployment to determine the risk they pose to the Covered Entity’s information systems.

Reviewing Software License Agreements

A software license agreement (also known as an end user license agreement, or EULA) can reveal risks that make ePHI vulnerable. Data can be compromised if Covered Entities and Business Associates ignore the language in a software license agreement, as such behavior can expose a computer and its connected networks and systems to security risks.

Software license agreements are legally binding agreements that can have restrictions on how the software can be used; the agreements can require entities to agree to certain conditions when using the software, and can also limit their ability to sue for damages.

To protect information systems and networks from security and privacy problems related to EULAs, US-CERT recommends that entities:

  1. Review the Software EULA – Before installing any software, take the time to read its EULA.
  2. Beware of Firewall Prompts When Installing Software – During installation, if your firewall generates a prompt asking whether you want to allow certain inbound or outbound connections, proceed with caution. Verify that the software requires changes to your firewall settings for normal operation and that you are comfortable with this operation.
  3. Consider the Software Publisher – If you are not familiar with the company or organization that published the software, review the software EULA with added scrutiny.

Resources:

United States Computer Emergency Readiness Team (US-CERT): www.us-cert.gov (Software guidance)

HIPAA Rights to Access Health Information

New Consumer Tools Explain HIPAA Right to Access Health Information

 

Earlier this year, the HHS Office for Civil Rights (OCR) released comprehensive guidance on the right of individuals under the Health Insurance Portability and Accountability Act (HIPAA) to access and receive copies of their health information.  Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.  Individuals who can access their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors, and directly contribute their information to research.

 

This guidance is available to all members of the public, but was initially aimed primarily at entities covered by HIPAA. In addition, individuals need tools to help them understand the right to access their health information.   To make OCR’s HIPAA access guidance more understandable for individuals, we teamed up with the HHS Office of the National Coordinator for Health IT to create easy-to-understand tools, including videos and an “infographic,” an illustrated fact sheet.  The videos have been recorded in English, but are available with Spanish captions.

 

  1. Individuals’ Right under HIPAA to Access their Health Information

This video addresses the basics of the HIPAA access right.  For example, the video explains the individual’s right to access their medical records and that access may only be denied in very limited circumstances.

  2. HIPAA Access Associated Fees and Timing

This video explains that individuals may be charged reasonable fees for copies of their health information that include only certain labor, supply, and postage costs (where applicable) associated with making and delivering the copy requested by the individual.  The video also explains when access should be free, such as through a patient portal.

  3. HIPAA Access and Third Parties

This video focuses on the right of individuals to request that their health information be sent to a third party of their choice, such as a family member or even a mobile application.

  4. HIPAA Access Infographic

This one-page fact sheet, with illustrations, provides an overall summary of key aspects of the HIPAA right of individuals to access and receive a copy of their health information.

 

To learn more about individuals’ rights under HIPAA to access their health information, please visit: http://www.hhs.gov/blog/2016/01/07/understanding-individuals-right-under-hipaa-access-their.html

$750,000 Settlement Highlights the Need for HIPAA Business Associate Agreements

 

Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.  HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.  Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area.

 

OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013.  OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.  Raleigh Orthopaedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI).

 

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

 

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.

Unauthorized Filming of Your Patient Could Result in HIPAA Violation

Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital

 

Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients. In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.

 

“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said Jocelyn Samuels, OCR’s Director.  “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

 

By allowing individuals receiving urgent medical care to be filmed without their authorization by members of the media, NYP’s actions blatantly violated the HIPAA Rules, which were specifically designed to prohibit the disclosure of individuals’ PHI, including images, in circumstances such as these.

 

OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff.  In addition to the $2.2 million, OCR will monitor NYP for two years as part of this settlement agreement, helping ensure that NYP will remain compliant with its HIPAA obligations while it continues to provide care for patients.

OCR Launches Phase 2 of HIPAA Audit Program

March 21, 2016

OCR Launches Phase 2 of HIPAA Audit Program 

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.  These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information.  An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.  OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.  Communications from OCR will be sent via email and may be incorrectly classified as spam.  If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.
