7 steps to pass, or completely avoid, an OCR security audit
An OCR audit is usually triggered by one of two events: a complaint filed by a patient against a medical practice, or a breach reported to OCR by an internal whistleblower.
“Breaches affecting 500 individuals or more must be reported to OCR, in addition to other reporting requirements,” explained Troy Young, Chief Technology Officer at AdvancedMD, who recently completed a master’s degree in cybersecurity from Utah Valley University. “However, there’s no direct correlation between the magnitude of a breach and OCR’s fine.”
Large fines, no matter the discrepancy size
A healthcare organization can be penalized with a large fine for even minor breaches if they make no effort to comply. The Department of Health and Human Services sets the annual limits based on the organization’s “level of culpability” for the violation.
“Between April 2003 and July 2018, more than 180,000 complaints were investigated by OCR,” Young reported. “Of those, more than 37,500 were what I would consider ‘audited,’ but only 55 resulted in financial penalties. The objective is not really to avoid penalties; it is to avoid the audit or make it as painless as possible.”
There are seven steps organizations should take to avoid or pass an OCR audit, according to Young.
Step 1: Educate, educate, educate
“As a first step, the organization must educate all staff members on requirements within the Office of the National Coordinator for Health IT Guide to Privacy and Security of Electronic Health Information,” he advised. “The guide discusses providers’ responsibilities under HIPAA; the privacy and security requirements of the Meaningful Use Programs; and approaches for implementing a security management process.” The remaining six steps are best practices and recommendations covered in the ONC Guide to Privacy and Security, Young said.
Step 2: Hire a security officer
“Designate a security officer to safeguard the patients’ electronic protected health information from unauthorized access by implementing cybersecurity best practices and coordinating efforts,” Young advised.
Step 3: Policies and procedures
Next, review documentation of policies and procedures, since every organization is required to adopt reasonable and appropriate policies and procedures to comply with the security regulations, Young said.
Step 4: Performing a security risk analysis
A security risk analysis is another key step healthcare provider organizations should take in order to avoid or pass an OCR audit, Young said. “By performing a risk assessment, an organization can identify compliance gaps and put a plan in place to correct the issues and pass the audit,” he said. “The annual assessment covers physical, administrative, technical and organizational components.”
Step 5: Vendors & contractors
A security officer should review the EHR and other software packages and discuss data protection with each vendor, Young adds. Organizations using on-premises EHRs need onsite staff to maintain and oversee the hardware and software, with anti-virus and anti-malware software kept current on all computers, daily data backups, and regular tests that those backups can be restored, he advised.
Step 6: Review vendor & contractor agreements
Also, healthcare organizations should review business associate agreements with all vendors/contractors who have access to PHI, Young said.
“A business associate is any person or organization that interacts with the organization’s PHI,” he explained. “The organization must make sure all business associates perform risk assessments annually. Whether it’s a referring physician, software vendor, laboratory, or medical imaging group who’s handling the records, their breach will also affect the organization.”
Step 7: Phishing, passwords and unencrypted PHI
In addition to regular educational sessions on the ONC’s Guide to Privacy and Security, this step covers being alert to phishing emails, setting strong passwords and updating them regularly, ensuring information is sent to the correct recipients, and handling unencrypted PHI carefully, he said.
The full article includes more in-depth information on what you need to do to avoid an audit.
Troy Young, AdvancedMD CTO
Article courtesy of Bill Siwicki of Healthcare IT News, a HIMSS Media publication.