My OCR Audit, and How I Survived: a HIPAA Audit Checklist
An interview with Doreen Espinoza of UHIN.
We hope this interview gives you a better sense of what to expect from future OCR audits. This is her experience, from start to finish.
How did your audit with the OCR begin?
ESPINOZA: We received the letter from Leon Rodriguez (former OCR director) in May of 2012. The letter asked us to put together our documents in two weeks. At the time, we were already going through an EHNAC (Electronic Healthcare Network Accreditation Commission) audit.
I told the OCR, “Sorry, but two weeks isn’t going to happen. I can’t do two audits at once, not of this magnitude.” Luckily, they worked with me and we negotiated a new date. After we finished our EHNAC audit (a month after I received the letter from the OCR), I was then able to focus on the OCR audit.
The amount of time the OCR gives you to prepare for the audit is interesting. Whether you have a really solid program (which we do) or you’re new to the program, it takes a lot of time. I ultimately spent 180 hours on the audit, even working nights and weekends. 160 hours were spent merely gathering documentation. It took about a month to get all our documents ready to turn in.
Explain your feelings before the audit.
ESPINOZA: Because we were one of the first to be audited, I wasn’t afraid our documentation would be lacking. As I explained, this wasn’t our first audit. However, if I had been a provider with little to no understanding, I would have been scared.
I did have one concern: Would the OCR auditors understand what they were auditing? The auditing firm, McKesson, is basically an accounting firm and new to HIPAA audits. Since I hold an accounting degree, I understand how they think and what they’re trained to do. The problem is, privacy and security is not the same as a financial audit.
These were my thoughts before the audit: Do they have any healthcare knowledge? Do they know how to interpret HIPAA rules? Do they have sufficient knowledge to understand our documentation?
When I asked the auditors who had audited a clearinghouse, only one hand of four went up. I think they understood, generally. But I did have to push back on one of the audit points.
Requirement 164.520 requires a notice of privacy practices, but because UHIN is a clearinghouse, it doesn’t make sense for us to have one. We are technically a covered entity, but we don’t have patients. After a fair amount of explaining, I was able to convince them we were compliant without one.
How intrusive was the onsite audit?
ESPINOZA: Most of the interaction was with me, though our security officer was a part of some conversations as well.
Besides the thorough examination of our documentation, the auditors went through our office looking at basic facility security, checking to see if doors were locked and where workstations were located.
I walked them through the building and explained our workflows. I also gave them an explanation of our data center.
The first 70 documents I submitted to them, they reviewed as a part of their pre-audit evaluation. When the auditors came onsite, they asked for an additional 55 documents. The onsite visit is truly to ask you additional questions and get additional documentation.
They were there for three days, and those three days were really intense. It felt like an interrogation. They asked a question, I answered it, then they moved to the next question.
The main focus of the audit was all about privacy and documentation, which was a little disappointing to me. I thought the audit would also focus on them testing security, like passwords and such. I am very proud of our data center and offered to take them, but they didn’t take me up on the offer.
They did a really good job of asking a million documentation questions. They just didn’t take it any further than that. That’s why I think companies like SecurityMetrics are great. After our OCR audit, we used SecurityMetrics to look at our security and it was a great security review. Honestly, I wish I had SecurityMetrics at that time. If nothing else, just to prove our security to the OCR. I can write policy all day and night. But to show compliance? Security is the tangible way to support privacy.
What was the impact of your organization on this audit?
ESPINOZA: Since privacy is my job, I was probably the most impacted by the audit. Another thing that made this audit so intense was, in 2012, HIPAA 5010 was rolled out. So I didn’t have a whole lot of help preparing for the audit. Everyone else was busy implementing HIPAA 5010.
What are the differences between an EHNAC and OCR audit?
ESPINOZA: EHNAC is a non-profit organization that accredits large organizations like clearinghouses and clinical health exchanges. We’ve held our EHNAC accreditation since 2004. To be accredited, we have to undergo an audit.
The difference between an OCR and EHNAC audit is, OCR auditors wanted you to prove you were compliant with the rule, but didn’t provide examples of acceptable evidentiary documentation. I don’t know that the OCR auditors really knew what to look for, but remember, we were in the pilot audits. EHNAC specifically states which parts of HIPAA you must be compliant with, and gives examples on how to show that compliance.
What information and documentation did the OCR request?
ESPINOZA: All in all, 127 documents. Here are some specific examples:
- Work desk procedures (e.g., thou shalt have a password, thou shalt change that password every 90 days, etc.)
- Risk analysis
- Contracts. We don’t do business associate agreements (BAA), but we do enforceable consent agreements (ECA) which incorporate BAA language
- Training logs
- Incident management
- Complaint processes and procedures
- Password policies
- Electronic commerce agreement
- EHNAC Self-Assessment
- Trading partner security requirements
- Lists of vendors
- Lists of employees and their access to the system
- Diagram of what our office looks like and where the exits are
- Disaster recovery book
- Employee handbook
- Breach processes
- Policies and procedures for security and privacy
- …… lots more.
How did you feel after the audit?
ESPINOZA: I was ecstatic. It was a sigh of relief to know it was over. Remember, I had already gone through the stress of our EHNAC audit. I was so proud and excited to see that we had completed our audit with no findings.
What do you wish you had known about your audit?
ESPINOZA: If you get a letter and expect to have a good outcome, and don’t have everything prepared now, you’re not going to have time to do proper preparation. Your audit will fail.
In retrospect, I wish I had known there were companies in addition to EHNAC that could have prepared us for the audit. My advice to anyone out there preparing for an audit is: investigate other organizations that could help you pass your audit. Nobody should have to go through an audit alone. Reach out to organizations like SecurityMetrics and EHNAC now to help you with your data security!
How should organizations prepare for an audit now?
ESPINOZA:
- Gather your documentation now. Organize it.
- Conduct an annual risk analysis. Not only is it HIPAA required, it makes sense.
- Do periodic mini-audits internally. One day, go through your facility. Are your doors and filing cabinets locked? It doesn’t seem like a big deal, but I promise you’ll find a lot.
- Make sure your company is committed. Make it a priority in your organization. Had UHIN not been committed to privacy and security all along, we would have never passed our audit. It’s all about the commitment of the organization. It really does take the entire group to make this stuff work.