Conducting a phase two audit self-review

As OCR’s auditors wrap up the final desk audit reports for phase two of the HIPAA audit program, many covered entities (CE) are breathing a little easier. Only 167 CEs were selected for desk audits in July. Audited CEs can expect to wait several months to see the final audit reports, although they will have the opportunity to review a draft version and submit comments that will be attached to the final report.

But phase two is far from over. Business associates (BA) will be selected for desk audits this fall—the first time these entities will be subject to OCR’s HIPAA audits. And early next year, OCR will launch comprehensive on-site audits of both CEs and BAs.

Desk audits look at specific sections of HIPAA. A BA might be asked to produce documentation supporting compliance with only two aspects of the Security Rule: risk analysis and risk management. The BA could look to the audit protocol to learn what documentation auditors expect to see.

However, comprehensive on-site audits will be exactly what they sound like: a comprehensive snapshot of a CE’s or BA’s compliance with every part of HIPAA.

Both BAs and CEs must be ready to submit all documentation requested by auditors within a limited window of time. CEs had only 11 days to submit documents in response to desk audits, and the clock starts ticking when OCR sends the audit notification email, not when the email is opened. BAs will likely also have 11 days to submit desk audit responses. Although some BAs and CEs may decide to test their luck and hope the audits pass them by, there will be little time to prepare if they are selected.

Conducting a self-review based on the audit protocols can help BAs prepare for desk audits; it can also help BAs and CEs get ready for the more exhaustive on-site audits. And as OCR steps up investigations of breaches large and small—while cyberthreats continue to mount—the audit protocols offer a blueprint that can help an organization identify and address risks.


Following protocols

The phase two audit protocols were built on the phase one protocols and updated to include changes made by the 2013 HIPAA omnibus final rule. (For more information on the phase two audit protocols, see the July issue of BOH.) The updates also include information specifically for BAs. But the protocols are useful beyond simply checking boxes for audited organizations: Any CE or BA can use them to evaluate compliance.

"Every affected organization should be routinely conducting reviews of its regulatory compliance," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. "Not only is this a good business practice, but it is explicitly required in the HIPAA Security Rule evaluation standard."

Some organizations may have put off these evaluations to deal with other compliance or business concerns, but privacy and security officers might see the tide finally turn in their favor. OCR’s increased activity, as well as the rise in frequency and cost of data breaches, may put HIPAA compliance back in the spotlight. Privacy and security officers should revitalize efforts to conduct the gap analyses and mock audits CEs and BAs may have postponed, advises Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona.

"Now may be a good time to bring a review of the audit protocol, which essentially helps provide an overall indication of one’s state of compliance with many of the key areas within the HIPAA privacy, security, and breach regulations, from the drawing board to the to-do list," he says.

The phase two protocols may seem overwhelming at first glance. They’re extensive and detailed, covering the Privacy, Security, and Breach Notification rules. Each of these is broken down by section and specific compliance actions, with documents mapped to each section.

The level of detail is what makes the protocols useful, Ruelas says. "The audit protocol is much like an open-book test that not only comes with the questions, but also with many of the answers that auditors are looking for," he says.

With on-site audits not scheduled until early 2017, CEs and BAs should have plenty of time to prepare.


Road map to compliance

The audit protocols can be looked at as a road map to HIPAA compliance, says Reece Hirsch, Esq., a partner at Morgan and Lewis in San Francisco. CEs conducting self-reviews and BAs prepping for desk audits can look to the audit protocols, and OCR’s recent enforcement actions, to see where they fall regarding compliance with specific HIPAA areas.

BAs may not be direct healthcare providers and may deal with HIPAA in very different ways than CEs typically do. However, most of the audit targets, such as security risk management, still apply to BAs and are a common pain point for all organizations.

"The questions relating to timeliness of breach notification, security risk analysis, and security risk management are all areas that will almost certainly be focused on for BAs," Hirsch says. "In earlier statements, OCR highlighted just those areas when they were talking about areas that might be audited for BAs."

BAs may not be audited on targets that don’t apply to them, he says. However, some audit targets will contain elements that don’t apply to specific BAs. A BA may be asked to produce documentation for a compliance area it doesn’t engage in, such as the right of patients to access their PHI. In such a case, the BA will nevertheless be expected to produce official policies and documents stating it does not engage in these activities.

Conducting a self-review can help a BA identify what documents it is missing before an audit letter arrives. After that letter lands in a BA’s inbox, it’s too late to create missing policies or enforce them.

"This is the time to make any corrections that are possible," Hirsch says. "Once you receive the audit request, you have to respond with the policies that are in effect as of that date. It has to be a snapshot of compliance. You can’t correct things between the time you get the audit letter and the time you respond."

Both CEs and BAs should keep that in mind when looking ahead to the next round of audits.


Team review

Conducting a self-review based on the protocols doesn’t need to be a complicated process, Ruelas says. Generally, it can be completed by the staff who routinely handle HIPAA compliance. For CEs, this could be the privacy and security officer or the compliance officer. BAs aren’t required to have a staff member dedicated to overseeing compliance with the Privacy Rule, so the individual best suited to this task will likely be the security officer. Whoever leads the review should be the individual most familiar with the organization’s HIPAA policies and procedures. That will make it quicker and easier to gather the documentation and leave more time to evaluate it.

It may be helpful to pull other staff into the review, Ruelas says. Human resources staff might be called on to provide a list of staff who have been sanctioned for violating the organization’s HIPAA policies.

Staff outside the privacy and security or compliance departments will have a different and valuable perspective on the organization’s HIPAA policies and procedures, Hirsch says. Any review should look at whether the items on paper are translating into practice.

"For example, when looking at patient access, it’s one thing to look at the policy, and it’s another thing to actually speak with the personnel who are receiving those requests and responding in a manner that’s consistent with the organization’s PHI access policies," he says. "You won’t know that unless you’re out there in the field talking to the people who are getting those requests day to day."

Auditors want to see more than simply a written policy. As privacy and security officers know, policies and procedures aren’t worth anything if no one knows they exist or they aren’t updated and modified to reflect changes in the organization. Risk analyses in particular must be living documents, Hirsch says. The organization must be able to show that information collected during a risk analysis is shared with the appropriate individuals, and there must be documented proof of actions taken and decisions made. This will also apply in cases where no action is taken on an identified risk. If a risk is determined to be low-level and triaged below more serious vulnerabilities, the organization should be able to produce documentation explaining why and how that decision was reached. (For more information on risk analyses, see the June and July issues of BOH.)

If a privacy or security officer runs into resistance while conducting the self-review, it can be an indication of larger problems, Borten says. Senior management should be willing to offer support as needed and provide documentation of HIPAA-related processes. If this support is lacking, it may mean privacy and security programs and policies aren’t being followed or managed.

Privacy and security officers should check with their organization’s legal counsel if they have questions about how to interpret the audit protocols, Hirsch says. During an actual audit, it may be difficult to get this guidance on time. Having these answers in advance will be invaluable in the event of an audit.

"There are some areas [of the protocols] that are open to interpretation, but I think if you’ve made a reasonable good faith effort to comply with the HIPAA standards, you’re probably going to be on solid footing," he says.


Taking the test

The self-review should have a clear goal and purpose, like any other evaluation. Start by defining its scope and methodology, Borten says. Determine what elements will be reviewed, what level of compliance the organization must achieve, and, perhaps most importantly, what will be done with the results. Have a plan and process in place to take action on any compliance gaps identified during the self-review.

Review by section rather than trying to tackle all 180 elements at once, Ruelas advises. He suggests starting a review with the breach notification targets (elements 162–180 in the audit protocols). Organizations can rank their compliance with each element and make note of those that don’t apply. Audit tools can help reviewers track and analyze data. A free audit tool is available at www.hipaacollege.com/tools.html.

Pay particular attention to standards that organizations have struggled with in prior audits or that are cited most often in OCR’s enforcement actions, Borten says.

The review itself can take as little as two days, Ruelas says. However, this may not be practical. Staff conducting the review will likely have other work to complete and may choose to break the review up over several weeks. But the review often goes quicker than anticipated, he says.

"Reviewers may be surprised that once they roll up their sleeves and dive into the review, it is not uncommon [they] may decide to assess more elements than originally planned," he says.

Minimize distractions when reviewing documents. Workflow can easily be interrupted if staff involved in the review are sidetracked by emails and phone calls, he says.


Time well-spent

Getting the time and resources to perform a review may be the most difficult part. Staff may already be filling multiple roles, and it might be difficult to convince leadership that a self-review is necessary if the organization wasn’t selected for a desk audit. A glance at OCR’s recent enforcement actions shows that some CEs and BAs have already put off risk analyses.

"Unfortunately, the biggest hurdle in many provider organizations may be lack of knowledgeable resources and sufficient commitment," Borten says.

Motivation can be another stumbling block to a self-review. CEs that dodged desk audits may have breathed a sigh of relief and moved on. BAs might do the same after their audits launch.

"We must remember, everyone in the selection pool may also be selected for an on-site audit," Ruelas says.

In a July 13 webinar for CEs selected for desk audits, OCR representatives emphasized that the 2017 on-site audits would be comprehensive. An organization that hasn’t taken the time to prepare in advance could easily find itself falling short on some elements. It’s better to discover and address compliance gaps before an auditor does. Phase two audits aren’t meant to be punitive, but if auditors feel a compliance miss is significant, they can open an investigation, Hirsch says. A formal OCR investigation will take up far more time and resources (and potentially money) than a self-review of the audit protocols.


Interpretation

The audit protocols are detailed, but there is still room for interpretation, particularly when looking at the audit elements for the Security Rule. The unknowns in the audit protocols can leave privacy or security officers wondering if they’re making the correct call during a self-review.

"We may think we understand them or are interpreting them accurately, but we won’t know how our position compares with how they are interpreted by the auditors until the audits actually begin," Ruelas says. "I think people should simply try to understand and interpret them as best as they can, understanding that clarification may be coming later once the on-site audits get underway."

A self-review can also help an organization gauge how thoroughly it understands HIPAA compliance to begin with. If those involved in the review are struggling to understand and apply the audit protocols, it could be a sign that a little assistance is needed.

"True compliance requires that an organization fully understand what each requirement means and how to achieve it," Borten says.

HCPro.com – Briefings on HIPAA