The Office for Civil Rights (OCR) Audit Pilot Program has come to an end, with 115 audits, primarily conducted on site, having been completed. The Pilot Program produced multiple findings in the privacy area, some of which were probably not so surprising. Of the primary issues discovered, the following were the top concerns for OCR:
- Failure of the covered entity to provide an accurate Notice of Privacy Practices to its patients;
- Failure by the covered entity to grant individual access to records in a timely and appropriate fashion;
- Failure of the covered entity to comply with the minimum necessary standards; and
- Failure to obtain appropriate authorizations.
In the security area, the concerns were those we frequently see from CMS, OCR and others, including:
- Failure by the covered entity to complete a risk analysis;
- Failure to properly store or dispose of media, including inventory failure;
- Failure to have appropriate audit controls; and
- Failure of general monitoring, such as occurred at Idaho State University, which took a system down for general maintenance and, when it put the system back up, failed to restore the firewall or any other security controls for more than 10 months.
The Pilot Program did not reveal anything new or unusual in light of what we might expect from the prior corrective action plans and the more than 22,000 complaints OCR has handled regarding HIPAA violations and problems. The mistakes are consistent. OCR is, however, starting to take the position that we have been warned and should act accordingly.
OCR has now announced the implementation of its previously indicated regular Audit Program. This will be handled and managed by OCR staff rather than outsourced. The Pilot Program was outsourced to KPMG, which performed the audits and provided the audit documentation to OCR for review. OCR staff will conduct all new audits and anticipates beginning the audit process for 350 covered entities in October 2014 and continuing through June 2015. OCR will then select approximately 50 business associates in 2015 for a similar audit process. It is anticipated that the audits will, for the most part, be desk audits, in which policies, protocols, documentation, audit logs and similar items are requested and then reviewed by OCR staff without an on-site visit. OCR has also indicated that it will post its updated audit protocol on its website before the program begins, so that covered entities may use it to prepare for internal compliance reviews as well as for the audit program itself. It can be anticipated, however, that any ongoing audit program will focus on those areas of concern, such as inventory, media control, encryption and similar items, which have consistently been identified as problems across all previously audited covered entities and which crop up repeatedly in HIPAA complaints and corrective action plans.