The Office of Civil Rights (OCR) is in the midst of a pilot program through which it is performing spot-check audits of HIPAA covered entities for privacy/security and breach-notification compliance. OCR, on behalf of the Department of Health & Human Services, began the program in November 2011. Now, many providers are wondering if they'll be among the unlucky few to undergo an OCR audit.
"A lot of people are wondering whether or when or what would cause them to be on this list of organizations that could get a call or a knock on the door from OCR," said Mahmood Sher-Jan, vice president of product management at ID Experts.
"It is like winning the lottery," said Chris Apgar, president and CEO at Apgar & Associates. "It's true – only 150 audits this calendar year, and the latest from the Office of Civil Rights is that it's anticipating the program will start off in June instead of July. They anticipate finishing the pilots and collecting all the data by the end of this month, and doing the evaluation and modifications to the program to make it more consistent. So, if you happen to be lucky and your number comes up, there are really a few reasons why you're going to get an audit."
Sher-Jan and Apgar outline three “hot buttons” that could trigger an OCR audit:
1. Prior breaches involving 500 or more patient records. If you've reported one or more breaches affecting 500 patient records or more, said Sher-Jan, your chances of being audited could go up. "It's the type of event that would attract a headline for your organization and get you a lot of national coverage that could make you a target for being audited or a poster boy for lack of compliance," he said. There may not be hard evidence proving that numerous breaches automatically call for an audit, he added, but logically it is something to keep in mind. "The more your entity continues to get air time at the OCR and in the media, I think there is a probability that your chances would improve." The number 500 is key in keeping track of these types of breaches, since a breach of this size requires notifications to be made not only to those affected, but also to OCR. "That's when you show up on the Wall of Shame of OCR, and if you show up on that wall, your chances could increase," said Sher-Jan.
2. Complaints from patients or employees. Complaints can come from two groups of people, both Sher-Jan and Apgar noted: patients or employees. "Patients who find out their information could be exposed, or that the organization isn't following privacy rules, could submit a complaint to OCR," said Sher-Jan. OCR has "identified links clearly" for patients to submit complaints, Apgar explained. When a complaint is filed, whether from an employee or a patient, OCR first determines whether or not they have jurisdiction. "If they don't, then they notify the person who submitted the complaint and say, 'This is where you need to go,'" he said. "Now if OCR believes it's in their jurisdiction, they'll follow through with the entity and say, 'Here's the complaint. Provide the documentation that says the complaint is false or [those that say] you have the proper processes in place to demonstrate compliance.'" Employees fall under a different category when submitting a complaint, which is the whistleblower provision of the Privacy Rule. "So as a whistleblower employee, there are certain requirements of what I need to do, and I need to file a complaint as a whistleblower," said Apgar. "There are protections against it."
3. Prior visits from OCR. Having numerous breaches and your name in a headline doesn't increase your chances of undergoing an audit as much as already having had visits from OCR, said Apgar. "It's when OCR shows up on your doorstep too many times, or it's something that's egregious," he said. "That's one of the things OCR said: Either you're going to fall into a normal process of selecting entities for audit, or, if you continue to get in trouble, there's a higher likelihood they'll show up." Apgar pointed out the importance of the difference between audits and civil penalties, saying organizations can see a civil penalty for something related to a breach, but it doesn't necessarily mean you're going to the top of the list. "[OCR] hasn't moved any further as far as detailing [audits], and I don't anticipate any additional information coming out until they've had a chance to review the piloted audits," he said. "After that point, there will be more general information released about the audit selection."
Follow Michelle McNickle on Twitter, @Michelle_writes