Protecting patient data and health information is something our government takes very seriously. In 2009, the Office for Civil Rights (OCR) assumed responsibility for enforcing the HIPAA Security Rule. More recently, the OCR implemented its program of audits of covered entities and business associates, thereby making sure that patient data is actually safe, and not just in theory. In 2016, $22,855,300 in penalties were paid to OCR to resolve alleged HIPAA violations.

Proactively Preparing for Your OCR Audit

OCR audits are ongoing. While you may or may not be selected as part of their random audit program, a breach notification or HIPAA-related complaint may land you in the crosshairs. In 2016, the OCR released several new protocols for their audits to ensure healthcare organizations were taking the proper measures to protect protected health information (PHI).

One of the most significant notes from the latest audits is the time you are given to respond. Covered entities and business associates should be working to ensure that they have the required compliance documents and materials ready, especially given OCR’s aggressive timetable: if selected for an audit, an auditee will have only 10 days to respond to OCR.

This means that the most effective time to start preparing for a potential OCR audit is now.

12 Areas to Focus on for a Potential OCR Audit

The original OCR audits focused on the following areas:

  1. Risk analysis—The OCR will be expecting organizations to assess their own procedures and the commensurate safety of ePHI with a high degree of objectivity.
  2. Evidence of a risk management plan (e.g. list of known risks and how you are dealing with them)
  3. Policies and procedures and descriptions as to how they were implemented
  4. Inventories of business associates and the relevant contracts and BAAs
  5. An accounting of where ePHI is stored (internally, printouts, mobile devices and media, third parties)
  6. How you monitor mobile devices and mobile media (thumb drives, CDs, backup tapes)
  7. Documentation of breach reporting policies and how you have responded to breaches
  8. A record of security training that has taken place
  9. Evidence of encryption capabilities

The latest protocols added the following subject areas to the audit requirements:

  1. Privacy Rule requirements for a variety of PHI data and accounting of disclosures.
  2. Security Rule requirements for administrative, physical, and technical safeguards.
  3. Breach Notification Rule requirements.

Simplifying the Process with BALLAST

Even without the revamped protocol requirements, preparing for an OCR audit can be overwhelming.

That’s where BALLAST comes in. In addition to helping you eliminate the guesswork and hard work of HIPAA risk assessments, BALLAST also incorporates the latest OCR protocol requirements in the event your hospital is selected for an audit.

And with the potential financial penalties for non-compliance, many hospitals literally can’t afford to get it wrong.

Click here to connect with our team to learn more about how BALLAST can help you navigate a potential OCR audit.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI, and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.