HIPAA Audits: The Heavy Documentation Demands
New OCR Guidance Aims to Clear Up Confusion
This article has been updated.
New federal guidance designed to describe the processes in the current round of HIPAA compliance audits - which could lay the groundwork for future rounds of audits - illustrates the massive amount of documentation demanded for these "desk audits."
In addition to the audit-related guidance, the Department of Health and Human Services' Office for Civil Rights on July 27 also issued guidance on the inclusion of medical device identifiers in patient records.
Privacy attorney Kirk Nahra of the law firm Wiley Rein questions the timing of the audit-related guidance.
OCR on July 11 sent HIPAA audit notification letters to 167 covered entities, giving the organizations 10 days to electronically submit to OCR requested compliance documentation for the desk audits (see Organizations Facing HIPAA Audits Notified). So, the HIPAA audit guidance has been issued after that deadline already has passed, Nahra notes. "Somewhat weird timing, but presumably the target audience for this information is 'everyone else,' rather than the entities being audited."
In fact, OCR notes in announcing the audit-related material: "The guidance should be helpful to audited entities as well as other covered entities and business associates seeking assistance with improving their compliance with these important requirements of the HIPAA Rules."
In a statement provided to Information Security Media Group, an OCR spokeswoman says audited entities received the guidance before the deadline to respond. "OCR then posted the guidance on our website to help other covered entities and business associates in their efforts to comply with the audited provisions," she says. Audits of covered entities are underway now, and auditors are preparing for business associate audits later, she adds. "OCR anticipates providing a report that synthesizes the findings of the Phase 2 audits after they are completed in 2017."
Some regulatory experts say the guidance illustrates just how demanding HIPAA compliance audit documentation requirements really are.
The documents "show how intricate the audit requests are and how complicated it may be to provide everything that OCR thinks [organizations] should have," Nahra says.
The biggest message that OCR is sending through the new audit guidance materials - plus the "incredibly complicated audit protocol" - is that OCR "really expect[s] a ton of documentation of these activities, at very detailed levels," Nahra contends.
"Many organizations - particularly when the audits turn to business associates - will not have this kind of documentation at this kind of detailed level," he says. "I hope that OCR learns that its expectations about documentation may exceed the capacity of the healthcare industry and its contractors to prepare this kind of documentation. This level of detail also makes me wonder why OCR is giving companies only 10 days to respond. I understand the need to keep these moving, but that seems like a harsh and unforgiving deadline."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine also questions whether all of OCR's expectations are realistic.
"One of the areas that has caused a lot of confusion is the requested list of business associates" that OCR is asking audited covered entities to produce, Greene says. "I do not expect that many entities have ... a second point of contact for each of their business associates. The guidance indicates that covered entities are encouraged to obtain this information, but does not indicate that it is required if unavailable."
OCR officials have previously indicated that the business associates chosen for audits this fall will be selected from the lists of business associates that each of the audited covered entities provide to the HIPAA enforcement agency (see OCR's Deven McGraw on HIPAA Audit Preparation).
Greene also notes that the audit guidance material only partially addresses uncertainty related to audit questions about compliance with the HIPAA Breach Notification Rule.
"I have seen confusion in response to the breach notification questions," Greene says. "For example, it's unclear which [audit] question is seeking information about only certain types of breaches - such as those involving 500 or more individuals - and which questions seek information about all breaches, regardless of size. The guidance answers some questions in this area, but still leaves some confusion."
The OCR guidance includes slides from an informational webinar it held July 13 for organizations selected for desk audits, as well as responses to questions it received after that event.
Other guidance material includes a long list of questions and answers addressing audit documentation requirements and a chart detailing specific audit document submission requests in the context of HIPAA rule requirements and associated protocol audit inquiries.
In addition to the audits of covered entities now underway, desk audits of a yet-unspecified number of business associates will take place in the fall, OCR says.
In addition to the audit-related guidance, OCR issued a "frequently asked questions" document aiming to help explain the do's and don'ts related to healthcare entities entering the Food and Drug Administration's "unique device identifiers" into patient records.
The FDA says its Unique Device Identification System, which is in the midst of a seven-year phase-in, is intended to "adequately identify" medical devices through their distribution and use. The goals of the FDA's UDI implementation are to improve patient safety, modernize device post-market surveillance and facilitate medical device innovation.
The topic of UDIs has fueled some confusion among healthcare entities because the HIPAA Privacy Rule prohibits the inclusion of certain device identification information in patient record sets.
"In conjunction with some separate guidance that FDA is giving about these identifiers, OCR is simply clarifying what the 'old language' about identifiers from the original HIPAA Privacy Rule on de-identification means now, when the same/similar term is used to mean something else," Nahra says.
OCR explains in the guidance what parts of the FDA UDI are acceptable under the HIPAA Privacy Rule to include in certain patient record data sets.
"It is useful and helpful guidance in the context where it could arise - presumably mainly for certain kinds of research where the impact of a particular device is being analyzed," Nahra says.
OCR did not immediately respond to an Information Security Media Group request for comment on the new guidance.