Looking back at past audits by the Office for Civil Rights (OCR) is the best place to start. The OCR enforces the HIPAA Privacy Rule, the Security Rule, the Breach Notification Rule and the confidentiality provisions of the Patient Safety Rule.

The Office for Civil Rights’ “Lessons Learned from OCR Privacy and Security Audits” summarizes the most common findings, and their causes, identified in the 2011-2012 audits. That pilot program covered only covered entities, because the audits took place before the compliance deadline for business associates.


AUDIT FINDINGS: COVERED ENTITIES AWARENESS OF HIPAA/HITECH REQUIREMENTS

The audit results showed that 30% of all findings were attributable to the entity simply being unaware of the specific HIPAA/HITECH requirement at issue. Broken out by rule, lack of awareness accounted for 39% of the Privacy Rule findings, 27% of the Security Rule findings and 12% of the Breach Notification findings.


PERCENTAGE OF TOTAL AUDIT FINDINGS DUE TO LACK OF AWARENESS

Source: OCR March 7, 2013

Notably, most HIPAA/HITECH requirements state explicitly what a covered entity must do to comply. The specific areas in which audited entities were unaware of the requirement were:

Privacy Rule

  • Notice of Privacy Practices
  • Access of Individuals
  • Uses and Disclosures (Minimum Necessary and Authorizations)

Security Rule

  • Risk Analysis
  • Media Movement and Disposal
  • Audit Controls and Monitoring

Other causes identified were failure to use available resources, incomplete implementation and willful disregard.

The OCR auditors evaluated policies and procedures and reviewed the relevant documentation in the following areas:

Breach Notification

  • Notification to Individuals
  • Timeliness of Notification
  • Methods of Individual Notification
  • Burden of Proof

Security (Administrative, Physical and Technical Safeguards)

  • Risk Analysis
  • Access Management
  • Security Incident Procedures
  • Contingency Planning and Backups
  • Media Movement and Destruction
  • Encryption
  • Audit Controls and Monitoring
  • Integrity Controls

Privacy

  • Notice of Privacy Practices
  • Rights to Request Privacy Protection of PHI
  • Access of Individuals to PHI
  • Administrative Requirements
  • Uses and Disclosures of PHI
  • Amendment of PHI
  • Accounting of Disclosures


AUDIT FINDINGS AND OBSERVATIONS BY TYPE OF COVERED ENTITY 

Source: OCR March 7, 2013

Smaller entities had findings under all three rules (Breach Notification, Privacy and Security). Among the types of covered entity, healthcare providers accounted for the greatest proportion of findings.


AUDIT FINDINGS AND OBSERVATIONS BY RULE

Source: OCR March 7, 2013

Security Rule compliance was the most troublesome area, accounting for almost two-thirds of all audit findings. Under the Privacy Rule’s administrative requirements, most issues related to policies and procedures and to adequate workforce training.

Review these focus areas in your practice and make sure you are aware of all of the current requirements. Do not wait for an OCR audit to start your compliance program.