5 Steps to Prep for an OCR Audit

As featured on Healthcare IT News

By Benjamin Harris

This is going to be a big year on many health IT fronts: ICD-10, meaningful use, BYOD polices, the list goes on. It is also going to be the year where the Office of Civil Rights (OCR) plans to step up their compliance audits of hospitals in a crackdown on personal healthcare information (PHI) breaches.

“They’re going into 2013 with a lot more vigor right now,” says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC), about OCR’s approach to PHI audits. “Basically they’re putting the industry on notice.”

Barrett spoke to Healthcare IT News about some important factors to consider as hospitals move in to the new year, keeping an eye to a possible audit and better data handling and security overall.

1. Assure compliance with HIPAA/HITECH provisions of security, privacy and confidentiality of PHI. Every hospital necessarily is a big place when it comes to PHI. Sensitive information that is critical to a patient’s outcome and to the hospital’s reimbursement travels through many hands during treatment. There are standards in place that an organization can adhere to to protect this information- HIPAA and HITECH most notably. Still, keeping track of the information, making it accessible to the right people at the right time while protecting it from breach, loss or theft can amount to a full job. “It’s important for organizations to look across the entire infrastructure, creating what I would call a security framework for PHI,” says Barrett, who stresses the need to take a holistic view of information transfer. “Look at it from the standpoint from how information is flowing from al stakeholders and points,” he says. With increased audits on their way, Barrett says the need for accountability and having someone to oversee compliance is a sound investment. “Somebody needs to have responsibility,” he says. “You need a PHI safety officer to make sure [you] meet compliance. … Organizations need to be positioned to be able to address an audit.”

2. Conduct risk assessments, implement strategies. There are risks and snags lurking everywhere in a hospital’s communications structure. From how data is stored to how it makes its way from device to device, there is plenty of room for error, an overlooked weak point, or hole in the system’s armor. “Organizations need to understand their risk structure,” says Barrett. He talks about identifying any and all potential weak spots, and then tackling the respective security of each one. “Is the PHI available in databases? If so, which things are? Is there high risk data on workstations and laptops? Which ones?”

Any number of factors, if overlooked, can lead to a loss of PHI. “Look at things like facility access controls, workstation use and security, device and media controls,” says Barrett. With portable devices such as laptops, tablets, and flash drives, he says to look at “How is hardware removed and how is it audited?” Barrett notes that even after these gaps are plugged, vigilance is required: what happens when a new IT system is acquired, or if a separate branch merges with the organization? Additionally, healthcare organizations contract with many outside groups, and Barrett says part of a good security policy looks closely at those interactions. “Ensure that all data is encrypted and transferred over secure communications lines,” he says.

3. Be ready. No matter how much bolstering and toughening up a security protocol gets, that can’t guarantee that it will pass OCR’s muster. With 2012 being a bully year for the Office’s audit program and 2013 looking to step up that number, Barrett says it’s a sound investment to devote resources to being prepared for an audit. “Go through your risk assessments now, go through policies and procedures and if necessary and you feel it’s appropriate, have a third party review your infrastructure,” says Barrett. “Organizations that are prepared were able to pass the OCR audit.” He adds that the costs of a third party audit can be high, but that it may be money well spent when the alternative of a failed audit, or worse an actual breach, can toll a healthcare organization even more. “Organizations that have breaches, the PR disaster was greater than the resulting fine,” he says.

4. Know your neighbors. In many respects, a hospital is only as secure as the companies it works with are. PHI is PHI, and it doesn’t matter who has it- if it is insecure it reflects poorly on the organization that collected it in the first place. Barrett says that to guarantee PHI safety and fare better in an audit, organizations should look to partner with organizations that have undergone a third party review of their own. “They can demonstrate that the meet the bar and can meet the appropriate controls,” he says. Barrett lists some requirements that should form a baseline in what an organization would want to see in a potential partner: they “must refrain from selling or otherwise using PHI in such a way as to violate privacy… must utilize strong encryption, user authentication, message integrity, and support for nonrepudiation as security measures…” He also says that organizations should be able to show that their house is in order, protected against malicious software and people taking PHI with them on things like flash drives.

5. Know yourself. Demanding high standards of third parties means that the organization doing the demanding needs to meet those same requirements. Barrett says that organizations should undertake an internal review or a third party assessment regularly, to identify possible shortcomings and to develop best practices for moving forward. Barrett says that engaging a third party to provide an objective review can have some serious gains beyond just passing an OCR audit. “Organizations that have expertise, references, [and are] nationally recognized provide the credibility that customers and other interested parties and stakeholders” like to see, he says. He points out the values and resources that a third party can bring to a review as well, noting that they often “have the knowledge and expertise to identify gaps and recommend appropriate remediation actions … because they are aware of the best industry practices and have conducted similar reviews with many other healthcare stakeholders.” Barrett notes that there are a lot of these third party organizations, and that with a little “homework and research,” one that is nationally recognized and has a cost structure that is workable can be found.