OCR Releases Guidance Documents for Phase 2 Audits

On July 11, 2016, the United States Department of Health & Human Services, Office for Civil Rights (OCR) notified 167 covered entities that they had been selected for Phase 2 desk audits. Since then, covered entities and business associates not selected for this round of audits have had many questions about the audit process. To clarify the process to the public at large, and help regulated entities prepare for future audits and improve their overall compliance programs, OCR released three targeted guidance documents: (1) a comprehensive question-and-answer set addressing questions from auditees; (2) a chart placing OCR's desk audit document requests in context with HIPAA requirements, associated protocol audit inquiries, and questions from auditees; and (3) slides used in OCR’s July 13, 2016 webinar for the selected auditees. These documents supplement the Phase 2 audit protocol released earlier this year.

Slide Show from July 13, 2016 Auditee Webinar

OCR conducted a webinar for covered entity auditees on July 13, 2016. Covered entities (CE) and business associates (BA) should review these slides in detail for points salient to their own organization. Highlights include:

  • OCR will conduct 200-250 total audits of both covered entities and business associates, including more than 200 desk audits and a smaller number of comprehensive, on-site audits. 
  • The stated purposes of Phase 2 audits are to:
    o   Identify industry best practices
    o   Discover risks and vulnerabilities that OCR has not encountered through its enforcement activities
    o   Enable OCR to get in front of problems before they result in breaches
  • The slides further state that audits are "primarily a compliance improvement activity" to help OCR better understand compliance efforts and determine what technical assistance materials to develop, including tools and guidance to help regulated entities self-evaluate their HIPAA compliance programs and prevent breaches. 
  • But the burning question remains: can audits form the basis for enforcement? OCR answers this question directly: "Under OCR's separate, broad authority to open compliance reviews, OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of PHI are revealed through the audit."
  • OCR does not intend to post a listing of audited entities and findings. While the agency states it "may" be required to disclose "audit notification letters and other information about these audits" under FOIA or other public-request statutes, it does note in the questions-and-answers document that it believes a FOIA exception applies to entity-specific documents (see below). The takeaway: there is an argument against release of company-specific documents submitted by an auditee, but it is not a certainty.
  • To select auditees, OCR divided plans into group plans and issuers, and providers into hospitals, practitioners, eldercare/skilled nursing facilities, health systems, and pharmacies. It then used a “randomized selection algorithm” to select auditees from these groups. Entities that are subject to ongoing OCR investigations were not selected.
  • OCR will draw the BA selection pool "largely" from among BAs identified by audited CEs. (Takeaway: If you are a BA, OCR may select you for audit even if it did not select the CE for which you provide services). 
  • Entities should submit the requested documents, and only those documents, by the deadline: the entity will not receive "credit" for a later document submission.
  • If the CE does not have the requested documents, it must submit an "explanation for the deficiency" with its response.
  • Auditees may respond to OCR's draft findings, and OCR will include their written responses in its final audit report.
  • OCR stated that the same rules and expectations with respect to CE desk audits will apply to the BA desk audits.

Comprehensive Question-and-Answer Set

The question-and-answer set resulted from queries submitted during OCR's July 13, 2016 webinar for the selected covered entity desk auditees. OCR categorized the questions by subject matter: technical, administrative, general, breach notification, privacy, security, and business associates. Covered entities and business associates should carefully review the entire document for questions that may be particularly relevant to their organization. Significant takeaways from this document include:

  • Selected entities were not limited to health care providers. One auditee described itself as "in the energy industry with a [self-insured] medical plan." In at least one case, OCR selected two different locations of the same covered entity for separate desk audits: one privacy-related, the other security-related.
  • The effective dates for the requested documentation varied by request: some were for "current" documents (as of July 11, 2016, "and not later"), others were for documents effective during the previous calendar year, or in force six years before the audit notification. This underscores HIPAA's requirement to retain documentation required by the various rules for the prescribed period: at minimum, six years from the date of creation or the date the document was last in effect, whichever is later (45 C.F.R. § 164.316(b)(2)(i) for Security Rule documentation; § 164.530(j)(2) for Privacy Rule documentation).
  • Covered entities that receive audit findings will not need to submit a corrective action plan. When specifically asked whether "fines" might result, OCR responded: "[t]he audit program is a compliance tool OCR is using to provide guidance on how entities need to comply with the various HIPAA Rules. With that, a final report will be provided to the CE."
  • When asked whether company-specific documents will be available to the public via a FOIA request, OCR responded: "We believe that a company specific document submitted by a CE for the audit is covered by the following exemption from FOIA: Exemption 4: Trade secrets or commercial or financial information that is confidential or privileged."
  • Lack of cooperation with the desk audit process will almost certainly lead to inclusion in the on-site audit pool.
  • It is "possible, but not likely," that OCR will select a covered entity who is also a business associate for inclusion in the business associate audits.
  • OCR apparently asked certain covered entities to submit photographs of their Notice of Privacy Practices posted on their facilities’ walls, with the text readable.
  • OCR asked CEs selected for desk audits to identify all of their BAs. OCR will choose business associates for audit from among those identified using a "randomized process."

Right to Access PHI

In its Phase 2 audits and enforcement activities, OCR has placed great importance on an individual’s right under the HIPAA Privacy Rule to access his or her protected health information (PHI).[1] 

  • Further clarification provided by the Phase 2 Audit Guidance Documents on individuals' right to access PHI includes:
    o   There is "no one required process" for fulfilling access requests.
    o   "The individual right to access includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Therefore, requests by the individual to transmit a copy to a designated person should be included. However, requests for disclosures of PHI that are merely authorized by the individual are not considered an exercise of the access right and should not be included."
    o   "The individual right to access their protected health information is not the same as their right to request an accounting of disclosures of their information."
    o   It is likely that all patient requests for medical records made to a physician's office constitute a request for access: "Generally, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, and the covered entity must permit individuals to request access to that information. Access requests include requests for medical records made by patients that fit this description."
    o   "An access request may be for the entire designated record set but is not limited to that. An individual may request access to portions of the record, such as a medication list, a lab report or other information."

OCR's focus on access rights cannot be overstated. In January 2016, OCR released a fact sheet to clarify individuals' "core right" to access and obtain a copy of their health information. Commenting on what it called an "important step" for access rights, OCR emphasized: "Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change."

On what was this "experience" based? Non-compliance with access rights was one of OCR's top findings from the 2011/2012 pilot audit program, and it is an area of focus in the Phase 2 audits. However, the agency's emphasis became apparent much earlier, with its first imposition of a civil money penalty (CMP) against Cignet Health in February 2011, requiring Cignet Health to pay $4.3 million.

Cignet Health failed to provide 41 individuals with timely access to copies of PHI about them held in the CE's designated record sets. Most of these individuals lodged complaints with OCR, and the agency launched an investigation. The CE's troubles compounded when it failed to cooperate in any meaningful way with that investigation.

Commenting on OCR's Notice of Proposed Determination, former OCR Director Georgina Verdugo admonished: "Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements …. The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

Security Rule Risk Analysis and Risk Management Plan

The HIPAA Security Rule risk analysis and risk management plan has also been a great priority for OCR in both its Phase 2 audits and its enforcement efforts.

  • A Security Rule risk analysis is "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." (45 CFR 164.308(a)(1)(ii)(A)). Risk analysis is a required (not "addressable") implementation specification of the security management process administrative safeguard, meaning covered entities and business associates must perform the analysis to be in compliance with the Security Rule. 
  • A skimpy or non-existent risk analysis is a serious issue for covered entities and business associates. Numerous high-dollar settlements with regulated entities have centered on failure to complete an enterprise-wide risk analysis, including OCR's most recent resolution agreement/corrective action plan (RA/CAP) against The University of Mississippi Medical Center (announced on July 21, 2016). That investigation started as so many do, with the CE's self-report of a stolen password-protected laptop. During its investigation, OCR determined that the CE was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, "due largely to organizational deficiencies and insufficient institutional oversight." The CE paid a $2,750,000 settlement amount and adopted a corrective action plan to help assure future compliance with the HIPAA Rules. Commenting on the enforcement action, OCR Director Jocelyn Samuels emphasized: “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame …. We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”
In its Phase 2 Audit Guidance documents, OCR clarifies certain aspects of the risk analysis:

  • When asked whether OCR would consider absence of a risk analysis to be a "significant threat" to PHI triggering an enforcement action, OCR responded simply: "Please include … a rationale for why a risk analysis will not be submitted." In other words, perform a risk analysis or be subject to enforcement.
  • The amount of evidence required to show compliance with the risk analysis implementation specification is "whatever amount is necessary to show that an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of all of the ePHI the entity creates, receives, maintains or transmits has been conducted."
  • CEs and BAs may use a business associate or other third-party vendor to conduct the risk analysis.
  • CEs and BAs must "make appropriate documentation available to appropriate individuals or groups in order for those individuals or groups to perform their job duties with respect to implementing procedures of the Security Rule to which the documentation pertains." (See 45 C.F.R. § 164.316(b)(2)(ii)). These individuals or groups may include IT teams, security teams, management, and legal counsel. CEs and BAs must also document management approval of plans and/or projects to implement security measures that remediate or mitigate identified risks. Such approvals might include "management signatures on risk management plans or other indicators of approval for implementation and/or documentation showing approval and funding of specific projects to implement security measures."

Selected Protocol Elements with Associated Documentation Submission Requests and Related FAQs

OCR recently published a Phase 2 audit protocol identifying approximately 180 areas for potential audit inquiry: 89 from the Privacy Rule (addressing notice of privacy practices, rights to request privacy protection, access, administrative requirements, uses and disclosures, amendment, and accounting of disclosures), 72 from the Security Rule (administrative, physical, and technical safeguards), and 19 from the Breach Notification Rule. On July 12, 2016, OCR announced the subset of requirements it had selected for desk audit review; those requirements, with their associated document requests, are listed below.

OCR has now mapped the document request lists, and auditees' questions and answers, to the corresponding areas of the protocol. The questions and answers are addressed above. The document requests issued to covered entity auditees for the selected Privacy Rule, Security Rule, and Breach Notification Rule requirements were:

Privacy Rule

1. Notice of Privacy Practices and Content Requirements:
  • A copy of all notices posted on the website and within the facility, as well as the notice distributed to individuals, in place as of the end of the previous calendar year.
2. Provision of Notice – Electronic Notice:
  • URL for the entity website and URL for the posting of the entity notice, if any.
  • If the entity provides electronic notice, policies and procedures regarding provision of the notice electronically.
  • Documentation of an agreement with the individual to receive the notice via email or other electronic form.
3. Right to Access PHI:
  • Policies and procedures for individuals to request access to PHI.
  • Documentation related to the first five access requests which were granted, and evidence of fulfillment, in the previous calendar year (remove PHI if possible).
  • All documentation related to the last five access requests for which the entity extended the time for response to the request (remove PHI if possible).
  • Any standard template or form letter required or used by the CE to document access requests. 
Security Rule

1. Security Management Process – Risk Analysis:
  • Policies and procedures regarding the entity's risk analysis process.
  • Documentation demonstrating that policies and procedures related to risk analysis were in place and in force six (6) years prior to the date of receipt of notification of audit.
  • Documentation from the previous calendar year demonstrating that documentation related to risk analysis is available to persons implementing it, is periodically reviewed, and is updated as necessary.
  • Documentation of the current risk analysis and the most recent prior risk analysis.
  • Documentation of current risk analysis results.
2. Security Management Process – Risk Management:
  • Policies and procedures related to the risk management process.
  • Documentation demonstrating that policies and procedures related to risk management were in place and in force six (6) years prior to the date of receipt of notification of audit.
  • Documentation from the previous calendar year demonstrating that documentation related to risk management is available to persons implementing it, is periodically reviewed, and is updated as necessary.
  • Documentation demonstrating the efforts used to manage risks from the previous calendar year.
  • Documents demonstrating the security measures implemented to reduce risks as a result of the current risk analysis, and documents demonstrating that current and ongoing risks are reviewed and updated.
Breach Notification Rule

1. Timeliness of Notification:
  • Documentation of five breach incidents from the previous calendar year affecting fewer than 500 individuals, including the date individuals were notified, the date the CE discovered the breach, and the reason, if any, for delayed notification.
2. Content of Notification:
  • Documentation of five breach incidents affecting 500 or more individuals for the previous calendar year.
  • A copy of a single written notice sent to affected individuals for each breach incident.
  • Any standard template or form letter for notification purposes.

OCR’s guidance documents offered the following takeaways regarding the Phase 2 audit program timeline:
  • CE desk audits are underway and will continue "through the end of the year."
  • BA desk audits will begin in late September 2016.
  • On-site BA and CE audits will begin in "early 2017." OCR will conduct its on-site audits against a "comprehensive set of HIPAA compliance controls." (Note: As yet, these have not been identified).
  • In late fall 2016, OCR will notify the CEs and BAs that are selected for on-site audits.

Phase 2 of OCR's HIPAA compliance audit process is well underway, and includes both CEs and BAs. Bit by bit, OCR is disclosing audit process details – among the most significant of which is that CEs and BAs cannot rule out the possibility of audit-based enforcement actions. This is important information for regulated entities even if OCR does not ultimately select them for a Phase 2 audit. The process itself offers important clues to areas of compliance that OCR finds particularly significant, not only for enforcement purposes, but for regulated entities to best safeguard the confidentiality, integrity, and availability of PHI and protect individuals’ rights with respect to PHI.

For more information on HIPAA compliance and audits, contact Kim Metzger or a member of our Data Security or HIPAA Privacy and Security practices. For more information on how Ice Miller can help you prepare for a HIPAA audit, read our "Own Your Audit" guide.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 

[1] See 45 C.F.R. § 164.524.
