Preparing for the Final Audit
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
you and your team members were taking a nap. You guys have worked so hard the last 18 months. You're just playing wiped out and exhausted and, well, this whole thing is a little bit non eventful. Nothing's really happening. We're not quite sure we're waiting for. No one's contacting us about her hip a readiness. In fact, instead of a roar of activity, the silence is deafening.
So this is less than 3.6 of the Sai Buri implementing a hip of compliance program for leadership. We're going to actually walk through and work through the Department of Health and Human Services Office of Civil Rights and how they actually select covered entities and business associates for potential audits,
how they audit and what this whole HIPPA compliance, audit and penalty thing is all about. So if you will grab your coffee, tea or energy drink, stretch out the sleepiness and maybe go walk around the building and stretch those tired muscles out. Well, we can get back to work.
So in today's lesson, we'll work through some of the recent history of audits, and then we will review what the OCR calls phase one of a thought a program that started back in 2012 and Phase two, which launched in 2016, and we will talk through who will be audited. On what basis will oddities be selected? How will the selection process work
general timelines for audits and even talk about who pays for it. So if you're ready to put on your best business attire and at least look the part of compliance,
let's go to our mailbox to see if we have anything from the OCR giving us a clue and what we're even doing at work today.
So the Health Information Technology for Economic and Clinical Health Act high tech required the Department of Health and Human Services, HHS Office for Civil Rights OCR to conduct audits of covered entities and business associates in order to ensure compliance with HIPAA privacy, security and breach notification rules. In 2012, the OCR initiated a pilot program
to assist the process is implemented by 115 covered entities to comply with hip his requirements.
The pilot program was a three step process Initial protocol development test these protocols by conducting 20 audits and then three full audit execution using revised protocol materials which were completed by the end of December 2012. Ah wide, a wide range of covered entities were audited in phase one to cover the widest pool of covered entities.
Thought of process began when selected entities received a notification letter from the OCR notifying them
that they had been selected, and the first steps were to start providing documentation of their privacy and security compliance efforts. Every auto included a site visit in which auditors interviewed key personnel and observed all the organizations processes to determine compliance. After the on site, a draft report was created describing how the audit was performed, its findings
and the actions that covered Entity took. In response to those findings,
the covered entity had the opportunity to remediate any compliance issues. The final report included the steps the entity took to resolve any compliance issues identified by the audit, and it also described best practices. Maybe you can now understand why standards outside of hip likeness 853 and ISO 27,000 and one and 27,000
two are used.
We don't want to be told about best practices. We wanna be using them.
So as of June 30th, 2020. Since the compliance state of the privacy rule in 2000 and three, the OCR has received 237,000 complaints and performed more than 1000 compliance reviews with 99% resolution of the 237,000 complaints,
28,000 cases required changes in privacy practices and corrective actions by or providing technical assistance
to HIPAA covered entities and their business associates. In 12,000 cases, no violations were found and in 43,000 cases by the HHS and OCR provided assistance and guidance to the covered entities. Early resolution occurred and no further actions were necessary, and in more than 60% of the complaints, 150,000 of them
no eligible case for any kind of enforcement was deemed necessary. The case was then dropped,
but in 75 cases, fines or civil pent penalties were imposed, resulting in $116 million in total penalties against many different types of entities, including national pharmacy change, major medical centers, group health plans, hospital change and small provider offices.
So in 2016, the OCR announced and implemented phase two of its HIPPA audit program by first sending out an address verification letter to certain covered entities, followed by a questionnaire. The new round of audits was to focus on business associates of health care providers, insurers,
another HIPAA covered entities to meet selected standards and implementation, specifications of the privacy, security and breach notification rules.
The Phase two program took places and took place in three phases. Desk audits have covered entities in other words, paperwork followed by a second round of desk audits. And then these audits were to examine compliance with specific requirements of the privacy, security and breach notification rules. Phase three was conducted on site,
and these addicts examined a broader scope of requirements from the hip rules than the desk audits.
Some of the desk oddities could be further investigated based on their paperwork or black of paperwork and subject to an on site audit. If these audits were toe identify a serious compliance issue, OCR would initiate a compliance review and then open up a case for deeper investigation. Three OCR didn't openly published documentation who was audited
and their findings and the results of any enforcement actions.
But under the Freedom of Information Act fo a OCR may have been required to release altered information if requested by the public. So the audits aren't trying to put you out of business. And there are a lot of opportunities to take corrective actions before any kind of enforcement actions were taken.
But with 116 million in fines after investigating 237,000 cases since the ACT one in effect,
compliance is certainly important, and it's the public's right to know if you're going to protect their privacy.
So when we break this down and you remember that are covered entities. Their health plans, like insurance companies and HMOs, clearinghouses those companies that assist with billing and healthcare providers from clinics to doctors, dentists, psychologists, chiropractors, nursing homes and pharmacies. And when we look at the numbers, we understand why HHS and the OCR has to sample for audits At the time of the recording,
there are 1600 health organizations, or HMOs,
900 health insurance companies, 6000 hospitals, 1200 medical non profit clinics, clinics, 1.1 million doctors, 200,000 dentists, 100,000 psychologists and 70,000 chiropractors. So we don't wanna be audited.
We aren't going to call the OCR and ask for them to send out their best crackerjack team and please ordered us because our team wants a great report card.
Since we've worked so hard the last 18 months, it's complaints or sampling and most of the time when we do hear from HHS, they want us to provide information in writing and we move on to the next thing. But if we're on their radar, they will absolutely come knocking. So last year 2019, there were 418 HIPPA data breaches reporting
where in total, 35 million Americans had their pH I compromised. That's roughly 10% of the US population.
There were 30,000 complaints to the OCR last year in the US that led to the 338 compliance reviews. And there were 39,000 total cases investigated, with 9000 being cleared with technical assistance from HHS
and the OCR and tin instances of financial penalties were eight entities were given the average financial penalty of $1.2 million with a total vines,
total fines and civil penalties reaching $12.2 billion. So hopefully this part of our discussion will help to clarify the likelihood and outcomes of this thing called the HIPPA audit.
So if you're done counting your stacks of money, you save the organization by not being honored this year. Let's go ahead and review with the quiz question. So what are two ways you could be selected for HIPPA audit? That's right. Well, it comes down toe when a complaint has been filed against you and now you're on the OCR s radar. Or the second way is that based on your size and type of the organization, you are public or private where you're located,
how many employees you have, A bunch of variables were thrown into the pot
and then your chosen to be a random sampling to perform a desk, Got it. And if you're really lucky and you're a poker player and a great gambler, you get to go to the HIPPA and OCR World Poker Tournament held by an audit. In your very own conference room, you have won the grand prize and just like on TV, you get to see what cards are in. The auditors hand the whole time, so you're guaranteed to win
really awesome stuff
when it comes to playing poker with the OCR. You know what betting all in on the river while you're only holding a pair of threes is a great call because the OCR will pay for their on site investigation and audit you, your business associates and any and all of your covered entity friends while you're off the hook for having to flip the bill. So there are some poker hands we really can bet on.
So in this lecture we learned about the who and the why of hip audits.
And we looked looked into what the OCR calls their phase one and Phase two audits, from sending out letters to verify your address, to performing desk audits to being on site. And we broke down the overall numbers of complaints, cases, case clearings, audits and enforcement penalties. So ending up my friends and let's go all in on our compliance hand. We've been working the last 18 months on because you know what?
I really like our chances
So great flop if we had a tin in your hand to get the straight. But since all we have is a pair of fours, it looks like we're gonna have to fold until our next lecture. We will be reviewing the operations management of our HIPPA compliance program. Where we go from here is the day to day operations in keeping our compliant program up to date and ahead of the cyber threat agents out there
who are always evolving and always adapting to control this and steal the most important asset. Our health care organization has
our data. So until then, on behalf of all of us here cyber A Thanks so much for joining us.
We're hoping you're enjoying the show so far. Take care.
Always be learning and pleasant journeys.
HIPAA Compliance Program Operations Management