E-News Exclusive

Create a Body of Evidence to Prevent Future Auditing Woes

By Michelle Robles

In a perfect world, audits would not figure into any health care organization’s or business associate’s (BA) world. They would not suffer from malicious outside attacks from those looking to infiltrate their or their clients’ protected health information (PHI). Since audits do exist and are carried out fairly regularly, it’s best to prepare and gather the evidence—also known as the Body of Evidence (BOE)—required to prove that steps were taken to prevent a breach.

Understanding Audits
On July 11, 2016, the Office for Civil Rights (OCR) officially began the first phase of the 2016 Audit Program. This focused exclusively on covered entities (CEs) such as health plans, health care providers, and health care clearinghouses. Later in the year, the audit focus will be on BAs.

The OCR has provided HIPAA Security, Privacy, and Breach Rule Audit Protocols to assist organizations and clarify what evidence is required as part of its new audit program. These protocols, which will be used during OCR audit investigations in 2016 and 2017, consist of 180 protocol areas broken out into the following three categories: 89 privacy rule protocols, 72 security rule protocols, and 19 breach notification protocols. These protocols will be used to audit CEs and BAs alike.

Guidance Is Lacking
In the past, the OCR has not provided much guidance on its audit methodology; this has left organizations to interpret what might be needed if an audit were to occur. Since there has been no clear direction from the OCR in the past, many organizations often do nothing and maintain no evidence to substantiate that they have taken all the proper precautions to secure their or their clients’ PHI.

Take Steps to Keep PHI Safe
Now more than ever, the health care industry has been under attack from malicious outsiders, which has left the OCR busy as organizations report a larger than normal amount of breaches. Typically, the OCR will perform an investigation of some type on organizations that have either reported a breach or had a complaint issued against them to ensure that it is adequately securing its PHI.

In this most recent round of audits, the OCR wanted to avoid misinterpretation and confusion so it provided the audit protocols to both CEs and BAs. This enabled CEs and BAs to prepare in advance and build their evidence catalog in preparation for an audit. The OCR can request to audit against any one of the protocols, but usually it will request a combination of them.

Understand the Auditing Process
If an organization incurs an audit by the OCR, it has 10 days upon receipt of the notification letter to provide all of the requested evidence (in the format of Excel, Word, PDF, or a combination thereof) to an OCR audit portal. In order for organizations to be able to respond within that short amount of time, they must have most evidence already assembled and organized according to each individual protocol. Creating a BOE in advance of an audit saves time.

Creating a BOE
The culmination of the documented evidence covering all three areas within the 2016 OCR audit protocol is known as the BOE. The BOE consists of documented evidence that demonstrates the organization has successfully addressed each regulation area and its associated audit protocol questions within all three areas.

The documented evidence can take many forms, eg, screen shots, logs, and policies and procedures. Typically, a combination of all forms of documented evidence will be expected by the auditor. If the organization identifies gaps while putting together the BOE, the expectation of the OCR is that the organization will add the identified gap areas to its current comprehensive corrective action plan so the auditor can see the organization is addressing the gap and that full effort is involved.

If a BOE does not exist, organizations may find creating one within 10 days to be extremely challenging due to the complexity of the protocols and the level of effort it takes to address each question. The information needed to demonstrate the organization is compliant often requires a person with a special skill set and knowledge in security, privacy, and breach notification regulations. This professional should also be able to navigate through the OCR requirements with precision. With time of the essence, many organizations are reaching out to third parties to assist them in building their BOE.

If evidence is missing, the OCR can take a few different approaches to address the situation, including performing a full-scale, boots-on-the-ground audit and investigation, investigating the organization’s overall protection of PHI, or levying a fine (which can also include a multiyear corrective action plan under full oversight of the OCR).

Any of these actions are quite costly to an organization as it will require workforce and resources to execute quickly—a situation for which many organizations are neither prepared nor capable.

Lessons Learned
The threat landscape for health care organizations is growing substantially, and breaches are becoming common occurrences, increasing the chances of an OCR audit. By being proactive and creating a BOE in advance of an audit or breach, organizations and BAs will save themselves and their clients time, aggravation, and potentially costly fines.

— Michelle Robles is a security consulting principal at Dimension Data Healthcare and a Body of Evidence expert.