Lessons learned from the first 20 OCR audits


The past couple of months have been very hectic with all of the conferences and travel around the country so I missed blogging with my usual frequency. The good news is that a couple of newsworthy events happened during that time - one being the new ONC Guide for Privacy and Security of Health Information that I talked about in my last post. 

For this entry, I want to share some of the insights from the first 20 Office for Civil Rights (OCR) audits, thanks to a presentation by Linda Sanches of OCR, who was a fellow speaker at the NIST/OCR conference in Washington, D.C. We have been talking about the audits, the process, the timeline and expectations, and now, thanks to OCR sharing the results of these first audits, we can discuss what to examine in your program.

You may recall that three physician practices were selected as part of the original 20 audits performed by OCR. They fell in the Level 3 & 4 category of audited entities. Significant in the findings was the comparison of small entities' performance to that of larger entities. More than 80 percent of the total deficiencies noted were attributed to providers, and more than 80 percent of those were found in Level 3 & 4 entities. The working assumption is that smaller entities either face greater challenges or are not taking privacy and security seriously.

When you look at the results of the audits from a focus perspective, 65 percent of the findings were in the security area, 26 percent in privacy and 9 percent in readiness to manage breaches.

The analysis provided two other important insights as well. With respect to privacy, there were no glaring trends by deficiency: the issue in privacy appears to be one of attention to detail, meaning deficiencies were spread fairly evenly across the various privacy requirements and across the audited entities. Because privacy requirements around uses and disclosures are heavily process-driven, the issue is assumed to be one of discipline in following established processes. Security deficiencies, on the other hand, painted a very different picture and can help inform compliance preparations and review. Trends in the security deficiencies noted included risk analysis, user access, incident response, contingency planning, reuse and disposal of media, encryption, monitoring of user access, authentication and physical access controls.

OCR is very serious about these audits: the next wave is already underway, and audits will continue throughout the remainder of this calendar year. Once that wave is complete, both the program and the results of the initial audits will be reviewed. Following that, OCR will revise the program as appropriate and renew its audit activity.

The question is: would you fare better than those who are undergoing audit now? More importantly, if you had a complaint or, worse yet, a breach, how would you fare when OCR arrived to investigate the claim? Would you end up with a similar outcome to the Cardiac Physician practice in Phoenix earlier this year? If you don't know, take a look at my last post and the resource discussed there, and perform a self-evaluation.
