Healthcare News & Insights

It’s OCR audit time: How to get ready

When hospitals prepare for audits, it is clear that manual processes are no longer sufficient. In this guest post, Sam Abadir, director of product management at a provider of governance, risk management and compliance (GRC) solutions, describes what GRC solutions can offer facilities: operational efficiency, fundamental security and organizational resilience.


Modern medicine requires modern risk management solutions. In a hyper-connected world where drug infusion pumps, defibrillators, hospital refrigerators and even pacemakers can be attacked remotely, risk management in the healthcare industry has to be much more than checking boxes on a form.

These dangers sit on top of a list of more commonly realized threats: ransomware, mass identity theft, insurance fraud and prescription drug fraud. According to IBM’s 2016 Cyber Security Intelligence Index, the healthcare industry is the one most frequently targeted by cybercriminals, surpassing financial services, government and manufacturing.

OCR stepping up audits

Given the widespread scourge of costly data breaches, it’s not surprising that the Office for Civil Rights (OCR) is stepping up audits as it rolls out Phase 2 of the HIPAA Audit Program. On March 21, the OCR announced that data gathering exercises and desk audits had begun, and that they will be followed by comprehensive on-site audits in 2017. The desk audits will focus on the privacy, security or breach notification rules, and will include covered entities under HIPAA as well as their business associates.

The audit announcement combined with news of OCR’s recent multi-million dollar settlements over HIPAA violations is evidence of a significant increase in enforcement efforts. As the National Law Review points out, these efforts “serve as a reminder of the importance of maintaining a culture of compliance and having the architecture in place to efficiently respond to more proactive and searching enforcement activity.”

What does it mean to have the “architecture in place to efficiently respond”? Per the OCR, you must show that your practices constitute a “permanent and robust program”: policies, procedures, training and review processes that are in place and functioning as intended for security, privacy, operational risk management and information governance. You need documentation of all related activities in order to prove that policies and procedures have been communicated to the relevant employees, business associates and third parties. And you need to have all this data, and more, at your fingertips.

After receiving draft findings from the OCR following a desk or on-site audit, auditees have 10 business days to respond. That leaves very little time for reactive scrambling or manual data gathering. Because of the complexity and scope of compliance requirements (HIPAA and beyond), healthcare organizations need better tools: centralized data repositories, information security integration, remediation workflow, advanced data analysis and visual reporting.

Automated solutions

GRC platforms provide automated solutions that replace error-prone, outdated manual processes while reinforcing cyber security, vendor risk assessment, operational efficiency, business continuity planning and compliance programs.

When you consider everything that goes into preparing a healthcare organization for a successful audit, it becomes clear that manual processes are woefully insufficient. Audit management that relies on spreadsheets, email collaboration and multiple assessment tools is characterized by data stuck in organizational silos, duplicated effort, tedious case-by-case problem-solving, undetected gaps in coverage, disorganized documentation and stressed-out staff. It’s a recipe for disaster, not only for audits but also for disruptive incidents such as cyber attacks, natural disasters, mergers, lawsuits and legislative reforms.

Imagine instead the operational efficiency, fundamental security, and organizational resilience that could be built with the right toolset. GRC solutions can prepare facilities for audits – and more – by automating, integrating and documenting the following types of activities:

  • Managing the policy and procedure lifecycle:
    • Centralize all documentation, track the review cycle and compare revision histories
    • Manage rules and regulations in one central repository, and map them to risks, activities and assets
    • Easily identify gaps between your compliance documents and the standards, and
    • Document end-user attestations, including policies received and training completed.
  • Documenting and mitigating risks:
    • Identify, categorize, correlate and assess risks, including those from business associates and third parties
    • Automate workflows to move risks from identification to analysis to remediation, with visibility into the entire process
    • Integrate with IT security tools (vulnerability, web application and configuration scanners)
    • Prioritize remediation by identifying and ranking all assets and data stores, and
    • Enhance executive oversight through dashboards and visual data analyses.
  • Showing breach prevention and remediation efforts:
    • Track and manage prevention and remediation activities with documented workflows
    • Centralize incident reporting, including HR, infosec, client, vendor and anonymous reports
    • Determine when breach notification is necessary through documented risk assessments, and
    • Link incidents to related risks, compliance requirements and continuity plans.
  • Reporting on all compliance efforts, to internal stakeholders and auditors:
    • Capture and communicate metrics via data visualization tools
    • Create customized reports and dashboards without coding, and
    • Bring data from all security, risk and compliance activities into a unified view.

Requirements don’t fall through cracks

Connecting people, processes and content on a comprehensive technology platform weaves a tighter web, so that serious incidents and important requirements don’t fall through the cracks.

Tracking, capturing and standardizing workflows and behind-the-scenes activity helps communicate the depth of your organization’s security and information governance programs. The ability to pull up reports and visualize data means that progress and priorities can be shared more readily across the organization, fostering a culture of accountability. Knowing that the reports are built from verifiable, common data builds trust and eases decision-making. Those tasked with GRC activities can get more done, take on more responsibility and be more proactive in shaping the business, with the same number of staff.

When you look at compliance as an integral part of mitigating risks to your organization and to those you ultimately serve, patients and their families, it becomes more than required busywork. Done right, GRC gives healthcare organizations the strength and resilience they need to deliver their life-saving services, not to mention a sustained competitive edge in a challenging marketplace.

Sam Abadir is the director of product management at LockPath, a provider of governance, risk management and compliance (GRC) solutions.