OCR getting tougher about information security
In the healthcare field, the word “audit” is about as welcome as the word “Zika.” But it’s inevitable that there will be more audits this year, in addition to investigations, related to information security shortcomings.
That’s because the Office for Civil Rights (OCR) has moved from the concept of performance audits in 2012, focused on efforts to comply, to compliance audits in 2017, focused on evidence of practice. And this year and beyond, an audit can result in a full-blown OCR investigation based on the severity of identified weaknesses or gaps.
What happened? Last September, the Office of the Inspector General issued a report scolding the OCR for its weak enforcement of HIPAA regulations based on evidence of incomplete investigations, lack of follow-up, inadequate documentation, a lousy tracking system for identifying repeat offenders, and the absence of a permanent audit program. Now OCR has decided to play “No More Mister Nice Guy” with healthcare organizations. The office’s new Phase 2 Audit Protocol is significantly tougher and more comprehensive than the 2012 version.
These Phase 2 audits will “evaluate auditees against a comprehensive set of HIPAA compliance controls.” For example, the Security Rule controls to be audited are those addressing Security Management Process requirements for Risk Analysis and Risk Management. Here’s what we know about this year’s audit process:
- An auditee has 10 business days to submit requested information via OCR’s secure portal which should contain the specific policies, procedures and evidence of practice.
- Only documentation submitted on time is reviewed; no “credit” will be given for submitting documentation later.
- All documentation must be current as of the date of the request.
- If no documentation is available, the auditee must provide a statement to that effect.
- Auditors will not be able to contact the covered entity for clarifications or ask for additional information.
It’s time to get your act together. And if the audits aren’t reason enough, OCR has also stepped up its level of investigations and resulting settlement agreements. To date, OCR has entered into resolution agreements and corrective action plans with 40 healthcare organizations since 2008, nine (9) of which have occurred just in the first seven and a half months of 2016. And fines have increased significantly; the most recent, $5.55 million, is the highest single-entity fine ever.
Corrective action plans continue to be robust based on discovered weaknesses and gaps – and they stem from just about every type of security lapse imaginable. 90 percent of those organizations failed to do even the basics of implementing sufficient policies and procedures. More than 4 out of 5 of them failed to implement training or sanctions for noncompliance. Over 50 percent failed to have a documented process for responding to security incidents; 25 perecent neglected to provide sufficient oversight of business associates. And several were cited for insufficient safeguards, failure to encrypt sensitive files or even to designate an accountable “security owner” in the organization. The two of the most recent corrective action plans will be monitored by OCR for 3 years, rather than the previously more common 2-year period.
OCR investigators and auditors are taking a much deeper dive into compliance programs requiring not only documented policies and procedures, but the evidence that those policies and procedures have been implemented and are being followed. OCR investigators are now opining on whether the security measures in place are “reasonable and appropriate” for the organization. “Certifications” claiming that an organization is “secure” or “compliant” will not be recognized by the regulators, nor will they ward off an audit or investigation if one is warranted.
The OCR has also eliminated the classic excuse of “we never thought of that.” The new Audit Protocol anticipates that healthcare organizations will protect reasonably anticipated threats or hazards to the security/integrity of ePHI (which now include criminal hacks and ransomware). And organizations are now expected to protect against reasonably anticipated uses or disclosures of ePHI not permitted by the Privacy Rule (which includes snooping and sharing of health data by unauthorized employees).
There is a way to dramatically reduce the likelihood of an OCR investigation at your organization. Do what OCR recommends in the first place: implement an information risk management (IRM) program utilizing the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the NIST IRM process, and a proven maturity model. As Jocelyn Samuels, OCR Director, said in the press release following the Advocate settlement agreement, “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management [program] to ensure that individuals’ ePHI is secure.” These steps will also reduce the likelihood and impact of a breach.
There are certain terms – like Hospital-Acquired Infection – that cause hospital leaders to toss and turn at night. But your organization can take steps to keep “investigation” from joining that list by implementing a comprehensive IRM program that improves steadily over time.