The document discusses an upcoming audit of healthcare organizations by the Office of Civil Rights (OCR) to ensure compliance with HIPAA regulations. It notes that enforcement is increasing, with recent settlements ranging from $25,000 to $3.9 million. The audit will have two phases, with the initial phase focusing on document requests and the potential for on-site visits. Organizations are advised to ensure their security risk analysis, policies and procedures are up to date and organized in an "audit binder" to facilitate document production for the audit. Proper preparation is important to avoid noncompliance findings or further enforcement action from OCR.

1. OCR Audits Are Coming—
Is Your Organization Prepared?
Presented by: Jason T. Lundy, Lisa J. Acevedo,
Kathleen D. Kenney

2. Agenda
 Current HIPAA Enforcement Landscape
 Brief Overview of Phase I Audits
 What to Expect in Phase 2
 The Importance of Up-To-Date Security Risk
Analysis and Policy/Procedure Documentation
 How to Build Your “HIPAA Audit Binder”
 Key Recommendations

3. Current Government Enforcement
Landscape
 Enforcement is on the rise!!
– In 2015, OCR settled 6 cases ranging from $125,000 to $3.5
million per settlement
– In 2016, OCR has already settled 5 cases and successfully
imposed civil monetary penalties in 1 case ranging from
$25,000 to $3.9 million
 OCR has taken heat in the past for its “toothless” enforcement
efforts, but a whole new era has clearly arrived

4. Importance of Enforcement
Actions to Audit Process
 There are themes and trends in the
underlying conduct
– OCR will be looking for these vulnerabilities
when reviewing your documents
– Even if you are not selected for a Phase 2 audit,
the lessons learned from these settlements are
invaluable
• For future breach avoidance
• For future audit preparation

5. Recent Settlements/Enforcement
Actions
 Feinstein Institute for Medical Research (March 2016)
– Notified OCR of the theft of an unencrypted laptop from an
employee’s car – laptop contained ePHI of approximately
13,000 patients and research participants
– Agreed to pay $3.9 million and adopt a corrective action
plan (CAP)
– Key compliance issues included: insufficient security
management process; insufficient policies and procedures;
and failure to implement safeguards to restrict access to
unauthorized users

6. Recent Settlements/Enforcement
Actions
 Lahey Hospital and Medical Center (Nov. 2015)
– Notified OCR of the theft of an unencrypted laptop that was
connected to a portable CT scanner; hard drive contained PHI of
599 individuals
– Lahey agreed to pay $850,000 and adopt a corrective action plan
(CAP) to correct deficiencies in its HIPAA compliance program
– Key compliance issues included: failure to conduct risk analysis;
failure to physically safeguard ePHI; lack of unique user name;
failure to implement policies and procedures

7. Recent Settlements/Enforcement
Actions
 Triple-S Management Company
(Nov 2015)
– Insurance holding company
– Agreed to pay $3.5 million and adopt a corrective action plan
(CAP) to correct deficiencies in its HIPAA compliance program
– Deficiencies included failure to conduct risk analysis; failure to
implement sufficient security measures; disclosure of more PHI
than was necessary to carry out mailings

8. Recent Settlements/Enforcement
Actions
 Raleigh Orthopedic Clinic, PA (Apr 2016)
– Notified OCR of a breach after releasing x-ray films and
related PHI of 17,300 patients to a vendor to transfer the
images to electronic media in exchange for harvesting the
silver from the x-ray film
– OCR found that Raleigh Orthopedic Clinic failed to execute a
business associate agreement with the vendor prior to
turning over PHI
– agreed to pay $750,000 and adopt a corrective action plan
(CAP) to correct deficiencies in its HIPAA compliance
program

9. Breaches Involving Hacking
Incidents
 Anthem
– Almost 80 million individuals affected
– Cyber-attackers accessed social security numbers, medical ID numbers,
names, addresses and birth dates
 Premera Blue Cross
– 11 million individuals affected
– Discovered in January 2015 that hackers had been accessing PHI since
May 2014
 Community Health Systems
– Estimated 4.5 million individuals affected
– Hacker in China bypassed CHS’ security measures and accessed patient
names, addresses, birthdates, telephone numbers and social security
numbers

10. Overview of Phase 1 Audits
 OCR contracted with KPMG to conduct
audits ($9.2 million dollar contract)
 OCR stratified CEs into 4 tiers – sought wide
range of types and sizes
 Phase 1 audits  kitchen sink approach
 115 audits conducted (47 health plans; 61
providers; 7 clearinghouses)  all audits
included on-site visits

11. Phase 1 Lessons Learned
 Improve document collection process (from
notification to document collection
throughout audit)
 Address timing and staffing issues (on-site
audits ranged from 3-10 days)
 Use representative sampling method
 Prioritize  focus on high risk areas
identified

12. Phase 1 Audit Results
60%30%
Phase 1 Results:
Areas of Noncompliance
The most common cause of noncompliance =
covered entity was unaware of the requirement.

13. Phase I versus Phase II
 Fci Federal contract awarded - $1million
dollars
 Verifying contact information and learning
more about the CE on the front end
 Desk audits prior to on-site audits
 Phase 2 desk audits focus on specific areas
identified as high risk in Phase 1
 Likely less leniency with respect to
extensions, etc.

14. Status of HIPAA Audit Program
 Phase 2 Audits:
– Notification of potential selection has begun
• Contact verification notification emails have been sent
• Audit pre-screening questionnaire will follow
– Questions intended to identify whether the entity is a
Covered Entity Health Care Provider, Health Plan or
Health Care Clearinghouse or a Business Associate.
• Purpose of these communications is to create a diverse
audit pool

15. Can I Avoid Being Chosen?
 Entities that Fail to Respond May Still be
Selected
• Failing to respond could create the opposite effect!
 Entities with Open Investigations Should not
be Selected
• Note: we are aware of such entities receiving the initial
notification communications

16. Past Compliance History
 Impact of Past Compliance History
– Unclear if/when/how OCR will take this into
account
• Should not impact desk audit selection process
• May impact whether an organization is selected for
an onsite audit
– The under 500 breach report logs can be a source
of systemic compliance issues

17. Audit Structure
 Scope of Auditees
• Covered Entities and Business Associates
 Type of Audit
• “Desk” audits first
» Conducted via document requests
• Onsite audits to follow

18. Focus of Phase 2 Audits
 Areas of focus for desk audits
• Likely to focus on…
1. Security risk analysis and risk management
2. Notice of Privacy Practices
3. Breach Notification letters-content and timeliness
4. Individual’s Right to Access PHI
– OCR Audit Protocol
• Updated protocol published on OCR’s website
 Areas of focus for onsite audits
• Intended to be more comprehensive than desk audit

19. Audit Timeline
 Phase 2 Audits:
– Timeline
• Desk audits  10 Days to Respond!
– Responsive documents must be submitted
electronically via OCR secure portal
– Auditors will send draft findings and you have 10 days
to provide written comments to the draft report
– Final report due back from auditors within 30 business
days
– All Phase 2 desk audits are scheduled to be concluded
by December 2016

20. Onsite Audit Timeline and Impact
 To be Conducted Onsite over 3 to 5
Business Days
– Auditors will send draft findings and you have 10 days to
provide written comments to the draft report
• Final report due back from auditors within 30
business days
 Impact
– OCR has reserved the right to initiate a compliance
review against an audited entity if the audit uncovers a
serious compliance issue

21. Key Desk Audit Documents
 Up-to-Date Security Risk Analysis
– This is the foundation of your HIPAA Security Rule
program
• Phase 1 identified significant non-compliance
• Failure to do so was key contributing factor to many of
the large breaches and enforcement actions
– Be prepared to demonstrate that risk analysis is
current – also possible that OCR will ask for
documentation from years past

22. Key Desk Audit Documents
 Risk Management Plan
– Plan to address vulnerabilities found in risk
analysis
– Review status of commitments made in this
plan
– Ensure all mitigation efforts have been
documented in a form/format that can be easily
produced

23. Risk Analysis Documentation Tool
 Critical to Review Your Documentation!
– Ideally, the documentation should be easy for
an auditor to review, understand and map to
the Security Rule requirements
• Examples of less effective documentation
• Double check focus of reports created by third
parties
 We can Help!
– Polsinelli’s Risk Analysis tool

24. Key Desk Audit Documents
 Policies, Procedures, Compliance Documents
– Patient Right to Access
• Can you demonstrate timeliness?
• Review recent OCR guidance
– If you are using HIPAA authorization forms for access
requests, need to change that process
– Check your NPPs!

25. Key Desk Audit Documents
 Breach Notification letters – ensure letters
to affected individuals meet the content and
timeliness requirements
– Be prepared to submit samples
 If you have not had an incident rise to the
level of a reportable breach, you may want
to be prepared to produce your 4 factor risk
assessments for such incidents

26. Preparing for an Onsite Audit
 More Comprehensive
– Review the OCR Audit Protocol – be prepared to
produce representative samples to demonstrate
compliance
– Prepare as if you will be selected for an onsite audit
• Preparation is time-consuming
• You do not want to have staff running around looking
for documents while the auditors are onsite
• Build your HIPAA Audit Binder!

27. Building Your HIPAA Audit Binder
 Organization is key – make it as easy as
possible for OCR/contractor to review your
documentation
 Be prepared to produce policies and
procedures but also key forms and possibly
representative samples
 Ensure updates to documentation are
apparent (particularly with regard to risk
analysis)

28. Key Takeaways/Recommendations
• Confirm with IT that you have recently performed and
documented an accurate and thorough risk analysis and risk
mitigation plan
• Encrypt!! Especially mobile devices!! If PHI is not encrypted, ensure you
have the appropriate documentation in place specifying equivalent
alternative measures in place.
• Review and organize your policies and procedures, BAAs, and
other key documentation
• Train and re-train your employees  Prepare for an onsite audit.
• Valuable even if your organization is never selected. Will help decrease
risk of breaches and complaints
• Learn from mistakes of other organizations and use as teaching
opportunities

29. Key Takeaways/Recommendations
 ***Keep in mind OCR Audit Program is a Permanent
Program
• If you are not selected for a Phase 2 audit, you should
still be evaluating your organization’s HIPAA compliance
program to prepare for the next round of audits
• Preparation is ultimately worthwhile and cost effective
because it will help improve your compliance program
and decrease risk of costly breaches

30. We Can Help!
 Polsinelli’s Audit Preparation Tool and Services
– Phase 1:
• Off-site: Review of your organization’s HIPAA privacy
and security materials (BAAs (for those that are
business associates, your sub-contractor BAAs),
NPPs, privacy and security policies and procedures,
key forms, risk analyses, risk management plan, etc.)
• On-site: Mock OCR audit at your organization;
interview employees and collect representative
samples

31. Polsinelli’s Audit Preparation
Services
 Phase 2:
– Analysis and findings from Phase 1
• We will identify any deficiencies, best practices,
areas of risk, and make recommendations for
changes and improvement
– Conference call with your compliance or legal
team to discuss findings, recommendations, and
to prepare for Phase 3

32. Polsinelli’s Audit Preparation
Services
 Phase 3:
– Provide a formal report of audit findings and
recommendations.
– Provide an educational in-service to your
compliance team relating to the audit, areas of
risk, recommendations for improvement, etc.
• The educational in-service may be presented in
person or as a webinar.

33. Questions?
 Feel free to contact us for more information:
– Jason Lundy jlundy@polsinelli.com
– Lisa Acevedo lacevedo@polsinelli.com
– Katie Kenney: kdkenney@polsinelli.com

34. real challenges. real answers. sm
Polsinelli provides this material for informational purposes only. The material
provided herein is general and is not intended to be legal advice. Nothing herein
should be relied upon or used without consulting a lawyer to consider your specific
circumstances, possible changes to applicable laws, rules and regulations and other
legal issues. Receipt of this material does not establish an attorney-client
relationship.
Polsinelli is very proud of the results we obtain for our clients, but you should know
that past results do not guarantee future results; that every case is different and
must be judged on its own merits; and that the choice of a lawyer is an important
decision and should not be based solely upon advertisements.
© 2016 Polsinelli PC. In California, Polsinelli LLP.
Polsinelli is a registered mark of Polsinelli PC