This week’s HIMSS Privacy & Security Forum provided another opportunity for us to hear from the OCR re: Phase 2 of the HIPAA Audit Program. OCR’s Linda Sanches kicked off Day 2 of the Forum with an update on the OCR’s audit, investigation and enforcement activities.
What’s newsworthy? A couple of things:
1. There will be more on-site audits. We heard this message the first time from OCR’s Iliana Peters at the West Coast Privacy & Security Forum in June. Linda Sanches’s presentation reinforces that message and sets the expectation that there will be more on-site audits than was anticipated earlier in the summer. OCR’s enforcement program is self-funding and self-sustaining (fines pay for further enforcement), and the industry is making it easy for OCR to expand: the breaches are more significant, and after 10 years of having the opportunity, and the responsibility, to “get it right,” the findings sit closer to “willful neglect” than not. This is reflected in the fines.
2. OCR is automating data collection with the launch of a portal to support audits and investigations going forward.
We have been hearing about this portal for months, but no one has really examined or explored the impact this automation may have on the industry. Let’s think this one through. With automation will come scale: the ability for OCR to audit more organizations and to dig deeper in its data collection. With automation SHOULD come efficiency, though there is still a human process at work here. But let’s assume, in the best case, that efficiencies are realized. Audits and investigations would then be completed on shorter timelines, translating into swifter action on the part of OCR to render its findings.
If organizations want to ready themselves by adopting the posture “it won’t happen to us,” based on the number of surveys OCR says it will send to trigger Phase 2, that is certainly one way to play. But the portal, provided it performs to expectations, could allow OCR to scale quickly and substantially increase the number of audits it can initiate. Hiding behind the probabilities of non-selection is probably not a good strategy, and thankfully we hear this less and less in our travels and conversations. The appetite and commitment to vigilance, to a security posture and practices that truly support data protection in the context of healthcare operations, is much more prevalent.
The point here, and the seed we want to plant, is that with automation OCR will likely have the means to do more, and accomplish more, with its enforcement agenda and mandate. And what of ONC and OIG with respect to the Meaningful Use Audit Program? Is it reasonable to assume that they will pursue the same path?
For risk managers, audit executives, compliance leaders, and privacy/security stewards: continue to connect the dots between this expanding enforcement agenda and your enterprise’s performance for your executive leadership and boards. Continue to raise the bar on data protection program performance and on the culture of compliance we know we need to have in place. Examine what a more far-reaching enforcement program would mean for your organization, and how it can compel action that moves the needle on your data protection, risk management and compliance programs.