Meaningful Use: How Do You Prepare Adequately For Phase Two Of OCR Audits?

Tuesday, July 15, 2014

Check marks with a green colored pencil The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is set to begin its second phase of audits under the HITECH Act, choosing approximately 350 organizations to undergo “desk audits.” Many of these organizations also will receive an onsite visit by OCR auditors. This summer, prior to the formal auditing period, the OCR is requesting an online survey be completed by more than 550 organizations, asking for information about organization size, locations, services, and internal contacts for an audit.

In phase one, auditors focused on communication of privacy practices, risk analysis, access management, incident response plans, and proper disposal of digital media. Only 11 percent of the 115 organizations audited got by without a “finding” or “observation,” and more than half had at least one finding or observation in the area of security.

“Just like with phase one, individual or organizational providers and their business associates (BAs) don't have an adequate audit defense by responding that they are unaware of a specific security requirement,” says George Bailey, MS, CISSP, GCIH, who is the senior advisor-security for Purdue Healthcare Advisors. “In order to meet the requirements in the areas of privacy, security and breach notification, you must understand the HITECH requirements and be able to show a history of compliance prior to the audit.”

Bailey says that phase 2 audits likely will focus on the areas of compliance failure in phase 1, and he advises you to follow these steps:

  • Step 1: Update your privacy policies and procedures to reflect the Omnibus Rules.
  • Step 2: Have documentation to prove your policies/procedures are being followed.
  • Step 3: Have a risk analysis and risk management measures in place.
  • Step 4: Be able to demonstrate compliance with your burden of proof under the breach notification rule.
  • Step 5: Work with your BAs in advance to ensure they are aware of requirements and ready for a potential audit.
  • Step 6: Contact Purdue Healthcare Advisors if you need a security risk assessment or guidance in conducting your own audit.

Bailey believes that the third step is sure to be a strong area of focus because two thirds of the covered entities audited in phase one failed to have either a risk analysis or risk management measures in place. Bailey also urges you to respond quickly to the OCR if you receive an audit notification. Failure to respond in a timely fashion may bump your organization up to a full compliance review.

George BaileyGeorge Bailey, MS, CISSP, GCIH, is an information technology security professional with more than 17 years of experience in network security, remote access, wireless security and digital forensics. He has presented at many security-related conferences and is routinely published in academic journals. Contact him at (765) 494-7538 (office) or (765) 409-3948 (mobile) with questions about your organization's audit-preparation challenges.

Tags: Quality Services

Purdue University, West Lafayette, IN 47907 (765) 496-1911

© 2014 Purdue University | An equal access/equal opportunity university | Copyright Complaints

If you have trouble accessing this page because of a disability, please contact Purdue Technical Assistance Program