OCR Shares Preliminary HITECH Audit Results; What Regulated Entities Can Expect Next

[authors: M. Daria Niewenhous and Dianne J. Bourque]

Last week at the OCR/NIST conference, Building Assurance through HIPAA Security, Linda Sanches of the Office for Civil Rights provided an extensive update on the pilot HITECH audit program, including preliminary findings,  what regulated entities can expect next and suggestions for covered entities concerned about being audited.  Mintz Levin attended the conference and is pleased to share some of the highlights below:

 The initial round of audits included 8 health plans, 10 providers, and 2 clearinghouses.

• Providers had the most findings (81%).  Provider findings were both privacy and security related.
• The most common privacy findings included misuse of the PHI of deceased individuals, compliance with the patient confidential disclosures right, disclosures for judicial  proceedings, compliance with the patient access right, failure to follow policies and procedures, no evidence of policy and procedure implementation, insufficient policies and procedures, failure to review and update policies on an ongoing basis, and failure of the organization to prioritize HIPAA compliance.
• The most common security findings included insufficient contingency planning, insufficient user activity monitoring, and failure to conduct and/or to update risk assessments. 
• Business associates were not included in OCR’s preliminary round of audits, but will be targeted in later rounds
• OCR is refining its audit protocol and will be posting it soon on the OCR website.  OCR advises covered entities to use the protocol to measure their own compliance
• In the first round of audits, covered entities were required to produce documents within 10 days of OCR’s initial written request.  For the next round of audits, OCR is extending that time period to 15 days in light of the difficulties that covered entities had in meeting the 10 day deadline.  No extensions of the 15 day period will be granted.
• There are no current plans to impose sanctions based on audit findings.  In future audit rounds, compliance review, investigation and sanctions are all possible following negative audit findings. 
• Notifications to the final 75 covered entities selected for audit this year will be mailed this week. 

OCR’s general advice for covered entities was to conduct regular program reviews and updates.  Covered entities were advised to look at their  compliance programs,  re-evaluate and make necessary updates on a regular basis.  According to OCR, ongoing policy review and revision is a compliance requirement.