January 25, 2017

OCR audits: An opportunity to understand patient privacy

Cate Stanton

Was your organization or hospital subject to an OCR phase 2 audit in 2016? Chances are no, considering only a small subset of 167 healthcare providers, plans, and clearinghouses found themselves in this position. In 2017, on-site audits will begin, and it’s safe to say that OCR audits are just getting started.

Understand how your organization can better address the OCR’s audit inquiries and, more generally, patient data security. The Protenus platform supports many of these inquiries by providing insight into how your workforce interacts with patient data in the EHR.

What OCR cares about

Regardless of whether or not you were audited in 2016, these audits matter. They force healthcare organizations to consider in-depth how they address elements of HIPAA’s security, privacy and breach notification rules. Organizations will be asked to report how they:

• Regulate patients’ rights to access ePHI

• Dispatch notifications to affected patients

• Monitor access controls

• Manage Business Associate compliance and contracts

• Run and implement security training for staff

• Use safeguards to monitor data access at physical workstations

OCR chose to focus on these issues because they were revealed as frequent areas of noncompliance during the first phase of audits, and they will likely remain a focus in the future.

OCR’s intent is not to send a “gotcha” message

While “audits” can be an unsettling word, OCR has repeatedly explained that their primary purposes are to develop tools and guidance that will assist the industry in compliance self-evaluation and in preventing HIPAA breaches—not to give organizations a slap on the wrist or send a “gotcha” message. Its plan is to develop a more permanent audit program based on an evaluation of the results and procedures used in the phase 2 audits.

Brad Rostolsky, a partner at Reed Smith, summarized well how covered entities should approach these audits: “Preparing for this is really no different than just generally trying to make sure that your house is in order and ensuring that your privacy officer or compliance officer, your in-house legal team, and external legal team are all in communication about what’s in place.”

In other words, think of audits as an opportunity to get your ducks in a row—evaluate your risk assessment to acutely understand what your team does to protect privacy, and then assess the efficacy of these activities. After all, the consequences of noncompliance are high, so if you haven’t already started, the time to start this process is now.

How to get prepared

With 180 areas for potential audit inquiry, figuring out where to start can be overwhelming. With health data breaches on the rise and patient data at greater risk than ever before, it’s essential to have measures in place to protect patient privacy.

A first step in improving an organization’s adherence to HIPAA standards is to understand where its privacy, security, and breach notification shortcomings exist. Detailed risk assessments and proactive patient privacy monitoring tools can assist because they provide an initial snapshot and, more importantly, a constantly updated and complete picture of what is happening in the EHR. Once this is understood, it’s possible to fill these gaps by educating the workforce about policy improvements.

While your organization might not have been subjected to a phase 2 audit, you can expect future rounds and higher penalties for noncompliance. Learn how to avoid ending up in an undesirable situation.
