Desk audits are coming, but what are they like?
The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) will begin conducting desk audits for Health Insurance Portability and Accountability Act (HIPAA) compliance this fall, which has many providers wondering just what they will be like. Most HIPAA experts expect the desk audits to be relatively pain-free, but until someone goes under the microscope, no one can be sure.
OCR is selecting a sample of covered entities, which includes hospitals and other medical service providers, to perform desk audits. OCR has started contacting 500-800 covered entities in preparation to survey these entities this summer. From that 500-800 entity survey group, OCR is going to select 350 covered entities on which to perform desk audits. Some hospitals will be included. The HIPAA desk audits start in October 2014, and they will run until June 2015.
The hospitals won’t receive notice that they are getting a desk audit until late summer or early fall of this year. The desk audits represent phase two of OCR’s HIPAA audit program, notes Melissa Goldman, JD, an attorney with the Florida Health Law Center in Davie. Phase one, which began in 2012, involved full on-site audits for covered entities conducted by the outside accounting firm KPMG, but the desk audits will be much narrower, more targeted, and conducted by OCR, Goldman says. OCR also will audit some business associates of each provider audited, she says.
So how will the desk audits be conducted? The term "desk audit" is intended to convey that the audit will not be an on-site visit; rather, providers should be able to respond to the audits from their desks by providing policies and documentation of privacy policies and procedures, explains Patricia Wagner, JD, an attorney with the law firm of Epstein Becker Green in Washington, DC. For organizations that are well-organized, the response process should be relatively pain-free, she says. Rather than an on-site visit during which the auditors would interview employees about HIPAA compliance, the desk audit is strictly a look at documentation. That difference means that you won’t have to tie up a lot of employees’ schedules with time to meet personally with auditors.
"Providers should ensure that their privacy policies and procedures reflect the compliant privacy and security practices of the organization," Wagner says. "Providers won’t have the opportunity, as they might in an on-site audit, to describe a process that takes place that may not be otherwise documented."
The inability to explain anything lacking or unclear in the documentation will put some organizations at a disadvantage, Goldman says. "The documentation will speak for itself, whether that is good or bad," she says. "If your documentation is such that you’re compelled to explain what isn’t there on the page, or why you didn’t write something exactly in the way the statute requires, you may be in trouble."
For that reason, risk managers and compliance officers should assess their documentation now, before it is requested in an audit, Goldman says. In addition to having all the required policies and procedures, you should ensure that there are no privacy notices that have not been signed and that you have a system for tracking compliance.
Third-party risk management will be a major focus of the desk audits because it is now required in the statute, notes Michael D. Ebert, JD, partner with the accounting and consulting firm of KPMG in Philadelphia. Ebert led the work to develop the HIPAA audit program for the government. In this area, auditors will be looking at how the provider or associate is protecting health information and whether it is meeting the protocol requirements of the security rule, he says. (See the story on p. 4 for more tips on surviving a desk audit.)
"In the initial audits, two-thirds of the findings were in security, but only one-third of the test procedures performed were in security," Ebert says. "That’s why OCR has said they are going to focus more on the security rule than on the privacy rule. This time they’re reversing it so that two-thirds of the testing will be about security, and one-third will be about privacy."
To that end, auditors are likely to look at whether providers are training employees on HIPAA compliance and making them aware of the security and privacy rules. This auditing might cover everything from annual training programs to placards in elevator lobbies reminding employees not to talk about PHI in common areas.
Goldman suspects one area of interest will be risk assessments, which were the weak points in many phase one audits. She cautions that conducting a proper assessment is not enough; you must also provide adequate documentation of the assessment. Ebert agrees, noting that in his experience, 90% of risk assessments do not meet OCR’s standards. One reason is that most risk assessments are performed internally rather than by an independent evaluator, he says.
If the risk assessment or any other significant component is inadequate, the desk auditors could refer the provider for a live on-site audit, Ebert explains, and that step opens up the possibility of finding many more deficiencies. Fines also can be assessed without an on-site audit.
Device security might be examined
Goldman also expects OCR to look at device security.
"Are your computers password protected, at a minimum? Are you sending email with encryption?" she says. "I think encryption might be more of an issue with the 2015 and 2016 audits, but it’s entirely possible they will inquire about it this year. If it is not encrypted, do you have documentation showing that you informed the patient of that and the patient agreed to receive the email anyway?"
Expect follow-up requests and questions after supplying the material requested initially, says Jorge Rey, CISA, CISM, CGEIT, director of information security and compliance with the accounting firm Kaufman Rossin, based in Miami. Be responsive and transparent, but also think about what you’re sending, he says.
A primary goal should be helping the auditor understand what you are sending and how it is responsive to the documentation request. Don’t send a batch of documents and let the auditor sort out what they are.
"You can always put your best foot forward," Rey says. "If the auditor requests policy A, send that information with a cover noting that this is policy A, in response to your request on whatever date. Provide that information in the way that makes it as easy as possible for the auditor. No one likes going through an audit, but if you help the auditor, the auditor may be able to help you as you’re going through the process."
Ebert, with his extensive experience working with the earlier HIPAA audits, says providers and their business associates should take the desk audits seriously. The fact that they involve only documentation and not on-site visits should not lead to complacency, he says. "I suspect a lot of covered entities will not meet the requirements of a desk audit," he says.
- Jorge Rey, CISA, CISM, CGEIT, Director of Information Security and Compliance, Kaufman Rossin, Miami. Telephone: (305) 646-6076.
- Patricia Wagner, JD, Epstein Becker Green, Washington, DC. Telephone: (202) 861-4182.