HHS Audits: How to PrepareExperts Explain Evidence to Gather, Steps to Take
The Department of Health and Human Services conducts three types of audits or investigations involving privacy and security issues. But preparing for any of these inquiries requires similar steps.
Experts who presented a workshop at the recent 2013 HIMSS Conference say the best way to prepare for any HHS inquiry, based on findings of investigations so far, is to: Conduct a thorough risk assessment; set clear security and privacy policies and procedures; train workers on privacy and security policies; document all security and privacy efforts; and know where to locate those documents if needed as evidence during an audit.
In 2012, the HHS Office for Civil Rights, through its contractor KPMG, conducted 115 HIPAA compliance audits in its pilot program, as mandated under the HITECH Act. That program is on hold for now while OCR analyzes the findings of initial audits. But officials expect the program to resume after the federal fiscal year ends on Sept. 30 (see: HIPAA Audits: A Status Report.)
In addition, OCR launches investigations once it receives a report of a breach or someone files a complaint. OCR will expand such an investigation if it finds evidence of willful neglect to comply with HIPAA, notes independent consultant Tom Walsh.
In fact, some of the largest HIPAA penalties against organizations have been levied after OCR uncovered HIPAA non-compliance issues, such as the lack of timely risk assessment or insufficient employee training, while investigating small breaches (see: Another Big Fine After a Small Breach).
In a third auditing effort at HHS, the Centers for Medicare and Medicaid Services last year launched audits to confirm those receiving payments from Medicare or Medicaid under the HITECH Act's electronic health record incentive program were actually qualified to receive the payments.
One of the most important steps to take in advance of any kind of HHS audit or investigation is to prepare and document a timely risk assessment, experts say.
The HIPAA Security Rule requires a risk assessment, as does the HITECH Act EHR incentive program, Walsh notes. And auditors checking for compliance with HITECH or HIPAA will want to see extensive documentation of the assessment, as well as mitigation steps taken as a result, Walsh and others say.
One of the most important steps any organization can take to prepare for an audit is to "do your own walk-through before an agency has a reason to come in," advises Mary Brandt, a long-time security consultant who's now vice president of health information management at multi-specialty practice Scott & White Healthcare in Temple, Texas. That walk-through should include extensive documentation, she stresses.
For instance, in cases where patients refuse to sign a notice of privacy practices, which must be provided under HIPAA, "be sure to document in the EHR or elsewhere that the patient was offered the NPP but refused to sign it," she says.
If HHS decides to audit or investigate your organization, it will send a letter notifying your director of compliance or another official, says Mark Dill, director of information security at the Cleveland Clinic, which, like many larger organizations, has undergone a few OCR investigations triggered by complaints. The letter will likely also include a "consolidated data request," or list of evidence needed to complete the investigation.
Several departments, including legal, compliance, internal audit, clinical and IT, as well as third-party contractors, likely will be involved in gathering that data, Dill says.
Evidence that generally should be gathered for an audit, Dill says, includes:
- A complete list of policies and procedures and evidence that staff is complying with them;
- Documents with paragraphs highlighted that address regulators' specific requests;
- Proof of security incident response and reporting, including a statement of work or contracts with third parties;
- Documentation of employee training, such as a list of course attendees and test results, as well as copies of periodic policy reminders that your organization has sent to employees;
- Access control documentation, such as a list of the methods and mechanisms used to control user access, external audit reports and screen shots of role-based access to EHRs;
- Proof of encryption for data at rest and data in transit. That includes a device inventory that validates encryption is turned on. If encryption is not used, organizations must carefully document why it was not reasonable to use the technology and outline what alternative measures they are using instead.
To date, OCR's complaint-driven investigations at Cleveland Clinic - which have only included remote audits and no onsite investigations - have been completed with no findings of HIPAA violations, Dill says.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.