The first thing you must understand about OCR audits going forward is that they are going to increase in number significantly. There are two strong evidentiary foundations for this: (1) under the proposed Privacy Rule of 2021 patients are provided with enhanced access to their PHI including the following three enhancements, which are the ones that we consider the most disruptive and insidious:
you can rest assured that patients who are not satisfied with access to your facilities (e.g., either because of time allocated or any other reasons) are going to complain to OCR; any complaint wherein OCR finds “willful neglect” on its face (e.g., denial of access to the facility) mandates and audit by OCR under HITECH Act §13410 (“Improved Enforcement”); (2) HHS has finally gotten around to requesting comments for the proposed methodology for patients to share in the CMPs levied against covered entities and business associates (collectively “Stakeholders”), which is mandated under §13410(c)(2). OK, they are 12 years late, but hey, this is the U.S. government we are talking about.
Once patients learn that there are financial incentives available for filing complaints with OCR then, of course, more complaints are certain to follow. Granted, many of these may be bogus and not show either “willful neglect” or any other violation, in which case they will end up in the OCR “bit bucket.” However, the proposed Privacy Rule turns front office staff into liability generating machines and many of these complaints will indeed show “willful neglect” on its face (review the resources section for additional information on the proposed Privacy Rule).
You should also understand that the 2018 OCR Audit Protocol is significantly more rigorous than what was proposed in 2012. Compare the two below:
OCR’s 2012 Protocol indicated they wanted to accomplish the following for each rule:
Breach Notification Rule
OCR’s 2018 Protocol
The Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. The analysis is conducted using a comprehensive audit protocol, updated to reflect the Omnibus Final Rule. The audit protocol is organized by Rule and regulatory provision and separately addresses the elements of privacy, security, and breach notification. The audits performed assess entity compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review. [Emphasis Added]
Comparing the protocols above, and remembering our lived experience at the time, the entire focus was on producing a Risk Assessment. Of course, that’s what everyone, including vendors, spent their time doing or for marketing software. However, it was obvious almost right away, that a Risk Assessment was nothing more than an analytical step. Yes, it was also a foundational analytical step, you couldn’t proceed without it (i.e., with respect to Security Rule compliance) but an exhaustive Risk Assessment did not remediate anything. It just identified what needed to be remediated. There was no requirement that taking an agile approach of assessing 10-20 high priority risks, and then begin remediating those, was not a viable approach. So that’s when we began advising our clients and we made the claim that using Expresso® a Risk Assessment could be done in three hours or less. Of course, our competitors claimed that was “snake oil,” but they had categorically misread that an agile approach has always been built into NIST best practices for conducting assessments. Unfortunately, some of our competitors are “still stuck on stupid” in this regard.
So, the takeaway here is that if you get audited, producing exhaustive assessments without remediation that meets the requirements of the Compliance Equation® are not going to be of any use to you. In fact, they will send OCR the opposite message, and that will certainly not inure to your benefit.
Expect a lot more OCR audits going forward. Expect them to be more rigorous looking for process results rather than analysis. We are long past the time where analysis will suffice. Further, because of the disruptive nature of the proposed Privacy Rule, and patients perhaps soon becoming financially incentivized to file complaints, what you should expect is a game changer in the way the HIPAA Rules are enforced.