OCR getting tougher about information security
In the healthcare field, the word “audit” is about as welcome as the word “Zika.” But more audits, and more investigations, related to information security shortcomings are inevitable this year.
That’s because the Office for Civil Rights (OCR) has moved from the concept of performance audits in 2012, focused on efforts to comply, to compliance audits in 2017, focused on evidence of practice. And this year and beyond, an audit can result in a full-blown OCR investigation based on the severity of identified weaknesses or gaps.
What happened? Last September, the Office of the Inspector General issued a report scolding the OCR for its weak enforcement of HIPAA regulations based on evidence of incomplete investigations, lack of follow-up, inadequate documentation, a lousy tracking system for identifying repeat offenders, and the absence of a permanent audit program. Now OCR has decided to play “No More Mister Nice Guy” with healthcare organizations. The office’s new Phase 2 Audit Protocol is significantly tougher and more comprehensive than the 2012 version.
These Phase 2 audits will “evaluate auditees against a comprehensive set of HIPAA compliance controls.” For example, the Security Rule controls to be audited are those addressing Security Management Process requirements for Risk Analysis and Risk Management. Here’s what we know about this year’s audit process: