During our last discussion we began talking about the Office for Civil Rights (OCR) and its recently launched compliance audit program. That program, as you recall, is part of OCR’s assigned responsibilities under the HITECH Act of 2009. OCR began developing its strategy for the program in 2010 with the help of Booz Allen Hamilton. Late last year, with the continued help of Booz Allen and the addition of KPMG, OCR began conducting these audits. The intent is to conduct 150 audits of covered entities by the end of 2012 and to use the results and lessons learned from these initial audits to inform the audit program going forward.
The first 20 audit selectees were notified on Dec. 1, 2011, and they included three physician practices, along with several hospitals, a pharmacy, a dental practice, a laboratory and a long-term care provider. This signaled that providers of all sizes and types would be included in the government’s audit approach.
The audit is essentially organized into three phases: audit preparation, onsite data collection, and analysis and report writing. A fourth phase involves disposition and remediation. The phase we will discuss today is the first — the preparatory phase. This phase begins prior to receiving notice of audit and continues up to the audit team coming onsite. There are several activities that will be conducted prior to an audit and once notice is received, but for the purposes of this discussion, we will focus on just one of those activities – producing documentation requested by the audit team.
The letter notifying an entity of its selection for an OCR audit directs that certain information related to the organization’s compliance be furnished to the audit team within 10 business days of the date of the letter.
An attachment to the letter further identifies what information is requested, and specifically includes documentation that demonstrates compliance with HIPAA security, HIPAA privacy and the HITECH breach notification rule. It includes things like policies and procedures, risk assessment reports, security incident plans, disaster recovery plans, organization charts, data backup procedures, physical security procedures, Notice of Privacy Practices and privacy policies and procedures, training records, sanction and disciplinary procedures, etc. This is by no means the entire list, but I think you can see that the amount of documentation requested is not trivial. The timeline is short and the list is long. Entities need to focus on compliance and think about audit readiness now.
Compliance needs to be a routine part of our everyday workflow, so audit readiness is merely an issue of getting organized — we accomplish the requirements for both HIPAA privacy and security regularly and document those activities as we go. This way, if an audit is called, we have what we need to demonstrate compliance and just need to produce it. As we do this, we should consider audit readiness when deciding how to organize and retain the information. What will make it easy to retrieve and provide when requested?
There are two general approaches to this task. The first, which typically works well for smaller entities, involves creating a centralized location, directory or file share for retaining all compliance-related documents. The second, normally used by larger entities with multiple divisions or locations, is to maintain a centralized index of compliance-related document requirements with decentralized retention. The goal for either approach is the same: to be able to locate, retrieve and produce information relevant to compliance when requested.
Not being able to produce certain documents can equate to a deficiency. Not being able to produce other information can suggest a deficiency and lead to greater scrutiny by the audit team. A timely response to requests for information, with current and complete documentation, suggests that privacy and security are routine aspects of your practice and that a culture of compliance is already in place. Make no mistake, this request for documentation is the first test of your organization’s audit readiness, and how well you are able to respond will set the tone of the audit.
If you have not done so recently, assess the current state of your compliance documentation as it relates to the HIPAA Privacy and Security rules. Make it a goal to close the gaps within the next 90 days, but do so smartly. Cover the bases and communicate any updates or new policies to your staff. Your documentation must be worth the paper it’s written on. If not, this will catch up to you when the next phase of the audit, the on-site data collection, begins.