The long-awaited next round of HIPAA audits has started, and providers may face a host of compliance and enforcement challenges, say health-care attorneys.
For example, the Health and Human Services Office for Civil Rights said it may conduct additional compliance reviews if an audit uncovers “serious issues,” which could lead to civil monetary penalties, Daniel Gottlieb, an attorney with McDermott Will & Emery in Chicago, told Bloomberg BNA on March 23, 2016.
Gottlieb said it's unclear how the OCR will define what constitutes a “serious issue,” and that uncertainty will be a burden to providers.
Certain policies that haven't been updated recently could become the grounds for additional compliance reviews outside the audit process, depending on the OCR's definition of a serious issue, Gottlieb said.
OCR Director Jocelyn Samuels announced the start of the phase two audits at a March 21 conference.
The compliance audits are intended to determine if health-care organizations and their contractors are complying with the Health Insurance Portability and Accountability Act's Privacy, Security and Breach Notification rules.
While the first round of audits focused solely on covered entities, phase two will address covered entities and business associates.
The audits are being conducted by FCi Federal, a government services provider in Ashburn, Va., that was awarded the contract in October 2015.
Gottlieb said some covered entities, such as small physician practices, might have some HIPAA compliance issues involving their comprehensive risk assessments, which can be very data intensive and complicated for organizations with limited resources.
However, Gottlieb said he expected larger covered entities and business associates would be up-to-speed on HIPAA compliance.
“Organizations that prioritize HIPAA compliance should do pretty well, but no one is perfect,” Gottlieb said.
Data security is an ongoing process, Gottlieb said, and organizations should continuously make changes to their policies to meet a changing threat environment, including hacking attempts and patient data shared via social media channels.
Justified Enforcement
The next round of audits has been characterized by the OCR as a compliance improvement exercise, but covered entities and business associates may be in store for more enforcement actions as the OCR uncovers serious issues, Eric Fader, an attorney with Day Pitney LLP in New York, told Bloomberg BNA March 24, 2016.
“At this point, the OCR could be excused for calling almost any HIPAA violation a serious issue,” Fader said.
HIPAA has been around a long time and the OCR has provided plenty of warnings over the last few years, Fader said.
James Bowers, an attorney with Day Pitney in Hartford, Conn., said the OCR is likely to ramp up HIPAA enforcement after the criticism it received from the HHS Office of Inspector General in a September 2015 report.
The OIG said in the report that the OCR wasn't investigating enough small data breaches or keeping track of all health-care organizations it finds in violation of federal privacy laws.
“OCR's knuckles were rapped pretty hard, so going forward there's going to be a no-nonsense enforcement policy,” Bowers told Bloomberg BNA March 24.
Bowers said he expected to see steeper fines and more corrective action plans.
Audit Priority Items
Gottlieb said the OCR's phase one audits, which were conducted in 2011 and 2012, identified several areas of concern regarding HIPAA compliance, and he said the upcoming phase two audits are likely to focus on them.
For example, a significant portion of audit subjects from phase one hadn't performed a comprehensive security risk assessment, Gottlieb said.
“Organizations should review their risk assessments and see if they comply with the HIPAA Security rule as well as OCR guidance,” Gottlieb said.
Gottlieb said he expected the second round of audits will also focus on the HIPAA Security rule's provisions concerning the secure disposal of electronic devices and encryption of data in transit and at rest.
“A lot of recent OCR enforcement has focused on stolen unencrypted laptops,” Gottlieb said.
The OCR reached two multimillion-dollar settlements in March 2016 with providers over stolen unencrypted laptops.
Audit Preparation
In preparation for a potential HIPAA audit, organizations should identify and gather all of their documentation related to the OCR's phase one-identified priority areas and should ensure their security policies are reasonable and updated, Gottlieb said.
Kevin Page, an attorney with Waller Lansden Dortch & Davis, LLP in Nashville, told Bloomberg BNA March 23, 2016 that covered entities should maintain a list of all their business associates as well as have written HIPAA compliance policies and procedures in place.
Page said the audits will likely look to see if organizations have conducted a comprehensive, enterprisewide security risk analysis and if they've implemented a risk management plan based on the results of the analysis.
“I suspect we'll be seeing more audits, and what they learn from these current audits will inform future audits,” Page said.
Page said it would be smart for business associates to make sure they're up to speed on the HIPAA Privacy and Security rules, as this will be the first time they're having to open their books to the OCR and demonstrate compliance.
Day Pitney's Bowers said business associates are increasingly holding large amounts of patient data either in electronic health records or in cloud storage.
“These vendors have to make certain the data is secured six ways to Sunday,” Bowers said.
Little Cause for Alarm
While the upcoming phase two audits may be inconvenient for organizations as they gather their HIPAA policies and procedures, there's little cause for alarm, Colin Zick, an attorney with Foley Hoag LLP in Boston, told Bloomberg BNA March 24, 2016.
Zick said the audits are trying to encourage good compliance and aren't designed to be punitive.
If you haven't pulled the HIPAA compliance binder off the shelf in a while, this would be a good time to start!
When it comes to HIPAA compliance, no one's perfect and breaches will happen, Zick said.
Organizations with strong underlying HIPAA compliance policies and procedures are less likely to face enforcement action if compliance problems are found, Zick said.
Zick also said covered entities are likely to fare better in HIPAA audits than business associates, which are organizations that contract with health-care organizations.
“There's such a variety of business associates, it's a much greater challenge for them to stay in compliance,” Zick said.
Looking to the future, a big question is what the next phase of audits will look like, Zick said.
“Will they decide not to do any more because the results show everyone's OK with compliance, or will they ratchet up enforcement?” Zick said.
Planning Ahead
Before any potential HIPAA audit, covered entities and business associates should:
Organizations need to cooperate completely with an audit request.
Reece Hirsch, an attorney with Morgan, Lewis & Bockius LLP in San Francisco, echoed Zick's comments and said it's crucial for audit subjects to respond within the mandated 10-day period.
“Make sure the audit-related address verification letter doesn't end up in your spam folder,” Hirsch told Bloomberg BNA March 24, 2016.
Organizations should create audit response teams to ensure they meet the response deadline, and should perform document-gathering dry runs to determine how fast the process is, Hirsch said.
Hirsch said it's important that an organization's HIPAA compliance policies and procedures are updated.
“If you've done your updating prior to the audit start, you're OK, but if you do your updating after you receive an audit request, that's a different story,” Hirsch said.