OCR official: No timeframe yet for audits, but expect more in-depth reviews
BOSTON—At the HIMSS Privacy and Security Forum on Sept. 9, Office of Civil Rights (OCR) Senior Advisor of Health Information Privacy Linda Sanches declined to elaborate on a timeline for audits, noting that the agency is still in the midst of a technology upgrade that has thrown its plans off schedule.
“We’ve made a decision to hold off on the start,” she told attendees. “I’m ready to go but the technology is not there yet.”
OCR originally planned to conduct 400 audits, but with recently acquired additional funding it now plans to focus on more comprehensive, on-site audits, she said. OCR soon will conduct online pre-audit survey screenings to help facilitate the reviews, so that data from healthcare organizations and other entities are available to auditors via a portal.
Organizations are chosen for audits through a randomized process that ensures proper geographic distribution and a range of organization sizes, she said.
Audits should not be seen as a “punishment,” Sanches said, adding that the best bet is for organizations to ensure they are in compliance by establishing policies and procedures, along with examples of how those policies have played out in practice.
In the realm of risk analysis, OCR is looking to ensure that organizations have considered all possibilities of data leaking out of the system—whether through mobile devices or any new technology. “We talk a lot about the culture of compliance, and making sure the staff are thinking of security and privacy while working on various tasks, like updating websites, and being comfortable bringing up concerns and mistakes,” she said.
Also, “know your business associates,” she said, adding that OCR will audit them during the next round. As for healthcare organizations, “we will be asking for a list of business associates, including contact information and services they provide to you.” This information will give OCR a better understanding of the diversity of business associates and help it identify companies to audit.
Breaches increasingly are on OCR’s radar. “It’s shocking how many come in. There are thousands and thousands of breaches,” she said. While “there always will be hacks,” she said OCR investigates whether organizations have policies and procedures, including regular risk analyses, in place to prevent them.
The investigation “may finish quickly if we have that evidence,” she said.
The agency also is looking at smaller breaches, or those that affect fewer than 500 patients, and where there is a “pattern” of smaller breaches with the same root cause.
“The onus is on you to prove you had systems in place to protect against it,” she said.