Issue link: https://beckershealthcare.uberflip.com/i/170067
Special Section: Health Information Technology

According to Mr. Chapman, OCR intends for the audits to serve as a compliance improvement tool rather than an enforcement tool. However, if OCR does uncover serious compliance issues, it could trigger a separate enforcement investigation, which could lead to sanctions, other penalties and corrective action plans. "Hospitals have 15 days to prepare documentation related to the audit and are not afforded additional time to respond. Missing elements will be noted by the auditor and appropriate observations made. It will be up to the OCR to determine whether the missing elements necessitate a separate enforcement investigation," says Mr. Chapman.

2. Update and maintain documentation.

Since auditors will request documentation from hospitals during an audit, one of the most important preparatory steps for a hospital is to maintain sufficient documentation of its efforts to follow and meet the audit protocol. "Documentation is a hospital's evidence. It should tell the hospital's compliance story to an auditor with little or no additional explanation needed. If a hospital is not prepared — if plans, procedures and actions are not in place — it becomes apparent quickly to [the auditors]," says Mr. Sher-Jan.

According to Mr. Jackson, if a hospital is missing the proper documentation, the auditors will assume the hospital did not meet the compliance element. "For example, hospitals are required to document where the PHI resides, the potential threats and vulnerabilities to that PHI and a plan to mitigate those risks. If the hospital does not have that documentation to turn over, it is reasonable to anticipate that the auditors will assume it did not go through the process," says Mr. Jackson.

3. Review results from initial pilot audits.

According to Mr. Jackson, it is important that hospitals continuously monitor regulatory developments from the pilot audits.
"Keep track of the regulatory updates and guidance, and look at areas in your hospital that have been identified as pain points from the initial audits," says Mr. Jackson. While OCR is not sharing results from all of the pilot audits because of the potential risk to organizations being audited, it does expect to share high-level guidance and preliminary results in areas where the most significant weaknesses were found. "It is a logical step for executives to review OCR findings and to assess where the hospital stands in those areas," says Mr. Chapman.

OCR has already revealed the following five areas of weakness from the initial audits:

• User activity monitoring
• Contingency planning
• Authentication and integrity
• Media reuse and destruction
• Risk assessment

4. Assess current HIPAA program governance.

One of the best ways for hospitals to prepare for audits is by assessing their current security and privacy governance structure. "In order for organizations to align with HIPAA rules, they need to make sure they have set up strong governance. How are they addressing the challenge of HIPAA? Are the right stakeholders engaged in the process? Do they have the right executive support to drive out the process as well as technical changes to address HIPAA rules? Clear governance needs to be established," says Mr. Chapman.

In addition, hospitals should have conducted an evaluation of their compliance within the last two years. "Is the hospital doing what it needs to meet requirements? Someone should have looked at the audit protocol checklist and analyzed what the hospital has done to comply and mitigate associated risks," says Mr. Jackson.

5. Update the risk analysis.

While a risk analysis is just one element of OCR's guidelines, it deserves a great deal of attention because it is one of the most challenging areas for an organization to accomplish successfully.
A thorough risk analysis involves outlining the risk needs of the hospital, collecting data to understand the flow of personal health information across the hospital, identifying and documenting potential threats and vulnerabilities, assessing current security measures and determining the likelihood of threat occurrence. According to Mr. Chapman, the last step — determining the likelihood of threats — is often the least considered element of a risk analysis. "OCR provides guidance that a hospital should conduct a risk analysis, but it is not more specific than that. In the end, it is up to the hospital to perform a thorough analysis," says Mr. Chapman.

"Part of the challenge is just doing the risk analysis. However, hospitals need to stay away from a control-based risk analysis where they go down the audit protocol like a checklist. Merely checking an element off the list will not satisfy the risk analysis requirement," says Mr. Chapman.

6. Run internal "mock" audits.

In addition to updating the risk analysis, a hospital should run a "mock" audit because it is an accurate, effective method to reach optimal security. "If [a hospital] finds weaknesses in its privacy and security, it can improve those on its own timeline, instead of OCR's. In addition, it allows the hospital to iron out weaknesses without the pressure of an audit," says Mr. Petraglia.

7. Change your mindset.

According to Mr. Petraglia, in order for mock audits to be useful, executives need to have the mindset that findings are a good thing. "Management is usually worried by audits. The truth is that findings are good because you discover vulnerability in the hospital's processes, and you can do something to correct that. If you do not know about the weakness, the hackers will find it," says Mr. Petraglia. The time to be worried about findings is during a second audit. "You do not want to have more findings in a second audit than in a first audit," says Mr. Petraglia.

8. Focus on the "spirit" of the audit.
It is very easy to follow the audit protocol as a checklist, but when a hospital's only goal is to be compliant, it may miss the "spirit" of the audit and overlook strong security safeguards. "There is a tremendous difference between compliance and security. Security is the mechanism to ensure privacy. When a hospital concentrates solely on compliance — being compliant with the wording of the HIPAA rules — it may limit itself and miss important security elements. You want to make sure you are focusing on the spirit of the audits — the privacy and security of patient information," says Mr. Petraglia. He recommends that hospital executives go through the audit protocol with the broader picture in mind. What is the goal of each element for security purposes? Why has OCR included these elements?

9. Discuss the process with other hospitals.

If an element of the HIPAA rules or the audit protocol is unclear, hospitals should reach out to OCR as well as other hospitals and health systems. "The best thing that hospitals can do is to talk to each other. All the healthcare organizations can benefit from open communication and collaboration. If hospitals can share how they solved security problems and approached compliance, it will establish industry best practices," says Mr. Petraglia. The establishment of best practices will help hospitals apply techniques to situations that may be unique to their organizations. "[Hospitals] may be in different stages of sophistication for their culture of compliance. If they have access to best practices, they can implement them in regard to their own businesses' processes and needs," says Mr. Sher-Jan.

The audit pilot program is only the second of three phases of OCR's health information privacy and security compliance program. The first step, now completed, was developing the audit protocols. The third step, which was planned to begin after the pilot audits finished in December, is performing complete audits with revised protocols.
For this reason, all hospitals and health systems should be moving toward better security and privacy of patient information, with the audit protocol and HIPAA compliance as a guide. Regardless of inclusion in the pilot, all healthcare organizations may be audited in the future under the new protocols. Beginning preparation now will be the difference between hospitals that do well during audits and those that do not.