OCR Audit Readiness-HIPAA Privacy and Breach Rules

Posted by John Dimaggio on Jun 22, 2016 11:00:57 AM


OCR’s 2016 Audit Protocol encompasses 180 requirements and implementation specifications from the HIPAA Privacy, Security and Breach Notification Rules. While the primary audit objective is to assess compliance across the HIPAA-regulated industry, a secondary objective is to discover industry-wide vulnerabilities that have gone undetected during routine OCR complaint investigations and compliance reviews. Given the broad scope of potential audit topics and OCR’s staunch audit objectives, indications point to substantial failure rates.

This article will focus on best practices to ensure compliance with HIPAA Privacy and Breach Rules (see the OCR Audit eBook link at the end of this article for information on HIPAA Security Rule best practices).

Based on the type of Covered Entity or Business Associate selected for audit, OCR will identify a subset of audit topics from among the 108 potential Privacy and Breach audit items. Since an organization has no way of knowing which of the 108 topics OCR will select, it is best to be prepared to demonstrate compliance with all 108. Below is a summary of best practices for HIPAA Privacy and Breach compliance that can help you assess your organization’s audit readiness:

  • Conduct a Thorough Gap Analysis. Review policies, procedures and processes to make sure they are up to date, consistently enforced, and backed by available documentation. HIPAA Privacy compliance calls for covered entities that use or disclose PHI to provide a Notice of Privacy Practices to patients, create and enforce internal privacy policies and procedures, train employees on those procedures, and maintain the logs, forms and reports that prove they are “ensuring compliance”, since the words “ensure” and “required” appear repeatedly throughout the regulations.
  • Appoint a Privacy Officer. The HIPAA Privacy Rule requires covered entities to designate an individual to oversee privacy compliance, respond to privacy-related complaints, and establish privacy requirements with contracted Business Associates and ensure they are met.
  • Enforce Breach Administrative Requirements. Ensure your organization closely adheres to the Breach Notification Rule’s administrative requirements for training, complaint management, sanctions, prohibition of retaliatory acts, and waiver of rights.
  • Maintain Breach Policies and Procedures. Ensure every item is documented and fully operational. This includes policies, procedures and documentation covering the definition of a breach, notification to individuals, and the timeliness, content and method of notifications. Best practice for HIPAA Breach compliance includes assessment, detection and mitigation of disclosures of protected health information on an as-needed, continuously available basis.
  • Maintain Burden of Proof Documentation. Keep up-to-date, readily available documentation demonstrating your breach detection, assessment, mitigation and reporting processes. Breach notification is required if protected health information is disclosed in a manner “not permitted under the Privacy Rule”. All such occurrences are presumed to be a breach by default, and the burden of proof is on the Covered Entity to demonstrate a “low probability and/or non-actionable” likelihood that the protected health information has been compromised.

For more information on best practices for 2016 OCR audit readiness, download our OCR Audit eBook via the link below:

Download Our OCR Audit eBook

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.