vice president of compliance strategies at Cynergis Tek. See the
sidebar above for more information about audit results.
“OCR focused on issues that represented a very restrictive view, especially in its reviews of the security rule that allows covered entities a lot of flexibility in their approach to compliance based on the size and complexity of the organization,” says Holtzman, who has personally seen several audit reports from organizations that have gone through an OCR Phase 2 HIPAA desk audit. “None of that flexibility was reflected in the analysis by OCR.”
Carlson agrees that OCR seemed to go beyond what HIPAA requires. For example, although Mayo Clinic provides patients the right to access information in the format of their choice, OCR pointed out that they didn’t spell out each option (i.e., encrypted email, print/mail, patient portal, or encrypted CD) on their authorization form. The organization is now in the process of adding check boxes on its release of information (ROI) form so patients can designate specifically how they want to receive information. If patients don’t check a box, Mayo Clinic will default to paper mail.
Audit findings related to the content of breach notifications also seemed to go beyond what HIPAA requires, Carlson says. She provides the example of notifications specifying that demographic information was breached. OCR said these notifications weren’t specific because they didn’t describe the specific type of demographic information that was breached (e.g., name, address, or date of birth). “I think they expect to see more detail for the affected patient in terms of what was accessed or disclosed rather than being general,” she says.
Streamlining Internal Audits, Coder Education
Although it creates more work for HIM, experts agree that internal coding audits may ultimately help reduce the external ones. At a minimum, organizations should plan and budget for quarterly internal audits—particularly if they’re not already performing pre-bill DRG validation audits, says Kelly M. Carovillano, RHIA, vice president of client operations at Pena4.
Quarterly audits are important because coding guidance is
Results of OCR’s HIPAA Phase 2 Desk Audits
The Office for Civil Rights’ (OCR’s) overarching goal in conducting Phase 2 desk audits was to uncover vulnerabilities and detect areas for technical assistance—not penalize covered entities (CE) and business associates (BA), says Zinethia Clemmons, MBA, MHA, RHIA, PMP, HIPAA compliance audit program director at OCR. The Phase 2 audits concluded in December 2017, and Phase 3 is still in development, she says.
“As a result of Phase 2, we are going to publish a public report to share our findings and provide the industry with best practices,” Clemmons says. The report will also go into more detail regarding the scope and methodology of the audits, including types of providers audited (i.e., labs, hospitals, or solo practitioners). OCR hopes to finalize and disseminate the document sometime this year.
Drawing from its own breach database and other sources, OCR used random sampling to audit a total of 207 CEs and BAs. Using a five-point rating scale, entities were assessed to determine whether their documentation—policies, procedures, sample notices, and breach notification letters—demonstrated compliance in seven categories:
Content of breach notification
Content of the Notice of Privacy Practices
Provision of the Notice of Privacy Practices
Right to access protected health information
Security risk management
Security risk analysis
Timeliness of breach notification
Some notable preliminary results specifically for CEs as of press time include:
Sixty-five percent of CEs had documentation indicating timely procedures for breach notifications (scored a 1); however, overall, the actual content of breach notifications required improvement 60 percent of the time (scored a rating of 2, 3, 4, or 5).
Nearly all CEs (98 percent) needed to improve the content of their Notice of Privacy Practices (scored a 2, 3, 4, or 5).
Nearly all (99 percent) of CEs needed to improve their documentation of processes for patient right to access (scored a 2, 3, 4, or 5).
No CEs had policies and procedures of a risk analysis process that completely met the goals and objectives of selected standards and implementation specifications.
It’s important to point out that the desk audits provide one view of compliance, Clemmons says. In some cases, policies may exist, but entities may not be following them. In others, compliant staff procedures might not be formalized through policy. “With an onsite audit, we’re able to see whether entities are really doing what they say they are doing,” she says.
April Carlson, MBA, HCISPP, CFE, privacy officer at Mayo Clinic in Rochester, MN, provides the following lessons learned after having been through a Phase 2 desk audit:
1. Use the Notice of Privacy Practices template and security risk assessment tool that HHS provides.
2. Ensure that the link to the Notice of Privacy Practices is visible. For example, consider enlarging it and making it bold on your organization’s homepage.
3. Provide patients with specific options on the release of information form (i.e., email, print/mail, patient portal, or
4. Think “specificity” when notifying patients of a breach. “Clinical information” is too vague. Include “lab results” or “surgical notes” instead.
To view the results and learn more about the OCR audit rating scale, visit www.nist.gov/sites/default/files/documents/