Written by HITRUST Independent Security Journalist Sean Martin.
As many members of HITRUST will recall, Phase 1 Audits performed by the Office for Civil Rights (OCR) began back in 2012, focusing primarily on the policies and procedures surrounding security—with only a light touch on privacy. While the program may have proven successful in terms of taking a pulse of the security, privacy and breach-notification practices of the Covered Entities (CEs), the results of the audits found that over 70% of the organizations audited were not compliant. Furthermore, Business Associates (BAs) were not even included in Phase 1 Audits.
As HHS tasks OCR with the Phase 2 Audits, targeted for completion by the last day of this calendar year, organizations can expect a number of changes. These changes will affect how organizations approach and conduct audits as they brace for a potential follow-on desktop audit, a deeper on-site audit and, in the worst case, enforcement actions and even more painful resolution agreements.
As a means to help organizations get ready, Michael Parisi, Director of Assurance at PwC (PricewaterhouseCoopers), shared a list of 10 tips to embrace as they head into this year’s audit season:
Tip 1: Know the Scope of the Phase 2 Audits
In the Phase 2 Audits, more individual providers will be targeted than were assessed in the past. It doesn’t matter whether the organization is one of the largest health plans or a small individual provider; all will be subject to the same selection process and the same standards.
Where Phase 1 Audits focused primarily on security, organizations can expect the scope to expand in Phase 2 to include an evenly-distributed view across security, privacy and breach notifications. While analyzed documents don’t have to be updated within the audit year, they most certainly need to be current. Finally, Phase 2 has been updated to reflect the latest Omnibus Rule requirements, which means there is an increased focus on business associates.
Tip 2: Understand the Logistics and Mechanics of the Process
With a target completion date of Dec 31, 2016, the OCR is planning to move through this process relatively quickly. This is supported by a majority of the assessments being conducted via desktop audits with only 3-5 on-site audits being performed. Exceptions are made if the auditors see something that triggers a deeper dive.
The results of the audit will determine the enforcement actions required. Keep in mind that the OCR’s inspection of the documentation submitted could result in an enforcement action—without any on-site assessment being performed.
Tip 3: Start Preparing Your Questionnaire and Supporting Documentation
If the organization receives an initial data verification questionnaire, it doesn’t mean the organization has been selected for an audit. This questionnaire is geared toward gathering information to determine whether or not the organization lands on the list of the organizations to be selected for an audit. Organizations have 14 days to respond.
Everything must be submitted electronically. If the response is not completed in time, or not at all, the OCR can consider this a failure. If this happens to your organization, brace for an on-site audit. Also keep an eye out for communications from the OCR, including emails that land in your spam and junk folders. Missed emails will not be accepted as a reason for non-submission.
Tip 4: Be Proactive and Define What “Comprehensive Assessment” Means
In Michael’s experience, the HITRUST CSF is viewed as a comprehensive risk-assessment framework, but it must be documented! Acceptance of these results by the OCR is highly dependent upon the scope of the assessment. While the OCR won’t formally declare the HITRUST assessment as a comprehensive assessment, they have declared the framework as a good model to follow.
It’s not required that every risk be 100% mitigated at the time of submission. However, risk acceptance and/or the corrective action plan (CAP) must be well documented. Organizations must define what the plan is to cover the gap.
Tip 5: Adhere to Encryption Requirements
This one is simple—the regulator accepts no excuses in this area—classify the devices and encrypt them.
Tip 6: Get Your BA Listing and Agreements In Order
Be ready to provide the full BA list. There will be a lot of repetitive information, so consider using a template. Also know that the OCR will likely cross-reference other public information that is “available” to them to validate the accuracy of the information submitted.
The OCR could take a sample of the BA list to audit, or they may take the full list and select all of them for an audit. The OCR is also toying around with the idea of reviewing BA agreements between CEs and BAs, performing some level of comparison across agreements to create a baseline.
Tip 7: Don’t Skimp on Your BA Due-Diligence
CEs must conduct due-diligence for the BAs with whom they intend to do business. The process must take into account the potential to access PHI. Without this, a CE could be found negligent.
Leverage SOC 2 + HITRUST reports to obtain a level of third-party assurance from your vendors. As a BA, also take this opportunity to get ahead of the assessment curve and start producing this information even if your organization is not currently being asked for it. Expect more and more CEs to start requesting this information.
Tip 8: You Can’t Hide
In short, no organization is safe. If you don’t respond, you will automatically be included in the audit selection. A late response is considered a non-response, and the OCR could decide not to look at the submission at all; you will go straight to an audit. And be warned: on-site audits are more likely if you don’t respond in a timely manner, or at all.
Tip 9: Put Your Best Foot Forward; It’s All About Your Behavior
This holds true from the Phase 1 Audits. The OCR wants to know that you are taking it seriously. They also want to know if you know where risk exists in your organization and that you are addressing the risk.
As a whole, the OCR wants to see that your organization has a healthy risk acceptance cadence—that your risk management program makes sense. Accountability is critical, including having a process in place to hold your vendors accountable.
Tip 10: Take Advantage of This Opportunity
Use this opportunity to think outside the box. This can be so much more than a painful audit.
Consider using the Phase 2 Audits as a means to gain board-level attention and to drive more efficiency, coordination and collaboration among your security, operations and compliance teams.
Don’t just start with the OCR protocols; consider using a comprehensive framework that not only addresses OCR, but also other elements of risk management and policy compliance. Also look at third-party assurance across the entire organization. Find a way to assess once and report many.
Be prepared, be transparent, be consistent and be honest to avoid undue challenges during Phase 2. Take the time now to get ahead of the request—especially if you are a BA that has yet to be tapped for an audit. The time could be coming sooner than you think!
If you are a CE that works with a lot of BAs, the result of BA analysis by the OCR could change how they look at your risk. So choose your partners wisely and keep a current view of their risk posture handy at all times.