What auditors are focusing on: Desk Audits

The HHS Office for Civil Rights (OCR) is now completing the reports for audits performed in 2016 and distributing them to the audited organizations. Once a report is received, the organization has 10 days to respond.

The following is an overview of a small clinic that was subject to a Privacy Audit by OCR. This was a desk audit, meaning that the auditors did not come on-site; all information was provided to OCR by uploading documents to a portal. While a desk audit sounds less stressful than having auditors on-site, it is often more difficult, because the documentation must be selected and organized so that each request is answered directly, without the auditors having to sift through a large volume of documents to find the answer. Compliance with each audit objective is rated on a scale of 1 to 5, with 1 being the best.

Following are specific comments received by the clinic:

  1. Breach Notification Rule: BNR12 §164.404(b) Timeliness of Notification
    1. It is important to remember that an individual must be notified of an impermissible disclosure of his or her PHI without unreasonable delay and in no case later than 60 days after the breach is discovered. The organization may have considerably longer to report the breach to the Secretary of HHS (a breach affecting fewer than 500 individuals need only be reported within 60 days after the end of the calendar year in which it was discovered), but notification to the individual must always occur as soon as possible and never more than 60 days after discovery. Notification to the individual is required for impermissible disclosures whether they result from a privacy or a security breach.
  2. Breach Notification Rule: BNR13 §164.404(c)(1) Content of Notification
    1. The notification (letter) to individuals must include several ways the individual may contact the organization to ask questions, and the rule specifically names a toll-free telephone number among them. In the instance reviewed, the notification contained a telephone number for the clinic but not a toll-free number. The auditor noted that not having an “800” number “could adversely impact the rights of the individuals who are subject to the breach…”
  3. Privacy Rule: P65 §164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3) Right to Access
    1. The Notice of Privacy Practices did not state the patient’s right to timely access to their records (a request must be acted on within 30 days). The authorization form did not provide a place to request access in a specific form or format.
  4. Privacy Rule: P55 §164.520(a)(1) & (b)(1) Notice of Privacy Practices Content requirements
    1. The Notice of Privacy Practices did not include the following elements:
      1. Statement that the entity is required, upon the request of the individual, to disclose PHI.
      2. Statement that the use or disclosure of psychotherapy notes requires individual authorization. (My note – I believe HIV positive and behavioral health/substance abuse also require this.)
      3. Statement that use or disclosure for marketing requires individual authorization.
      4. Statement that the use or disclosure for sale of information requires individual authorization.
      5. Statement of the individual’s rights, and a description of how the individual may exercise them, including the right to request limits on what information the entity uses or shares; the entity is required to agree only when the request is to limit sharing with a health plan for care that has already been paid for in full.
      6. Description of how the individual may exercise the right to obtain a copy of their records.
      7. Notice that the entity has a legal duty to notify affected individuals of a breach that compromises the privacy or security of their PHI.

The OCR will be coming on-site at this organization sometime during 2017 to follow up on these findings.

Every healthcare organization needs to review its privacy practices regularly and update them as needed. It is vital to protect your patients’ information and rights, as well as your practice. Every organization also needs to be aware that more audits are coming and that HHS will be examining the details of policy and procedure.

If you have any questions about whether your organization is prepared, call ITPAC today.