How compliant is your organization on a scale of 1 to 5?

The Office of Civil Rights (OCR) has been conducting desk audits using a compliance rating tool on a scale of one to five, where 1 equals good, 3 equals fail, and 5 equals epic fail on compliance.

In 2016, two thirds of covered entities (CEs) and business associates (BAs) received a failing score following desk audits conducted by OCR. Ninety percent of these CEs were found to lack an adequate risk analysis. Even worse, 94 percent were found to lack an adequate privacy and security risk management program. Investigators are going to use the desk audit protocol for the next round of investigations.

The audit protocol was a performance-based tool, which caused tremendous variance between 2012 and 2016 (the 2012 round went well). In 2016, CEs and BAs weren’t prepared to provide the documentation required by auditors. OCR was not very objective in its approach: auditors were reported as being rigid rather than reasonable and appropriate relative to the size and complexity of the organizations audited. The results were not helpful in demonstrating how CEs and BAs were or were not adhering to the rule, but sanctions were issued nonetheless.

One organization did provide the HIPAA-related documents that OCR requested, but the documentation did not demonstrate that it had safeguards adequate to protect PHI.

After reviewing this practice’s documentation, OCR found that the organization:

  • Did not provide an analysis of currently implemented security measures.
  • Did not provide adequate evidence that it had conducted accurate and thorough assessments of the potential risks and vulnerabilities to PHI.
  • Did not demonstrate that the results were made available to those individuals with risk analysis responsibilities.
  • Did not provide policies and procedures demonstrating that it has a risk management process sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Did not identify what is considered an acceptable level of risk based on management approval.
  • Did not specifically address the workforce members’ roles in the risk management process.
  • Did not provide evidence that its policies were in place and enforced six years ago.

In summary, the OCR stated:

“Failure to fully implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level could leave electronic protected health information susceptible to unauthorized use and/or disclosure.”

For more information on HIPAA audits, contact Linda at 781-272-8001.