Phase two of audits for the Health Insurance Portability and Accountability Act (HIPAA) are coming this year as the Office of Civil Rights looks to crack down on violations,
Phase two of audits for the Health Insurance Portability and Accountability Act (HIPAA) are coming this year as the Office of Civil Rights looks to crack down on violations.
HIPAA was signed into law in August of 1996, and the Privacy and Security Rules were both implemented over a decade ago. Moreover, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which made significant changes to a variety of facets of HIPAA, passed in 2009. Section 13411 of the HITECH Act requires the Office of Civil Rights (OCR)--which is part of the U.S. Department of Health and Human Services (HHS)--to conduct periodic HIPAA audits.
Why is there so much emphasis on meeting standards that have been required for two decades in some instances? It’s due mainly to the increased use of technology in healthcare and accompanying cybersecurity risks. The purpose of this article is to provide an overview of the OCR audit program (phase 2), identify key areas of risk and provide suggestions on how to mitigate adverse findings.
In 2011, OCR launched the requisite OCR Pilot Privacy, Security, and Breach Notification Audit Program. For the first phase, only covered entities were audited. This second phase includes business associates of covered entities.
Regardless of the type of entity, the time frames for the audit are the same. From the time the audit notification letter is sent from OCR, organizations should plan on a 30 day to 90 day process. Analogous to a Recovery Audit Contractor (RAC) audit, an entity has a certain period of time to produce the requested information. The information may be requested either on-site or as a desk audit, which is described below.
Next, OCR reviews the information provided and drafts a report. The entity then has the opportunity to review and respond to the draft report, after which OCR finalizes the report.
The scope of the phase 1 audits was limited to the federal Privacy, Security and Breach Notification Rules. This does not mean that a state law or international law provision may have been violated-it just was not addressed in the phase I audits.
Phase 2 audits will be more robust, in part due to a $4 million increase in OCR’s 2016 budget. Another area of difference will be the number of on site versus desk audits. During the phase 1 audits, covered entities were evaluated by a third party, who visited them on-site. Phase two audits will include a greater number of desk audits - entities responding to the audits from their desks by providing policies and documentation of privacy policies and procedures to HHS.
This serves as a signal -a key administrative area that will be looked at during the audits are the adequacy of policies and procedures. Therefore, the number of administrative and security violations could increase significantly.
A good place for practices to start is to look at the findings from phase 1, as well as recent penalties that were assessed by HHS for HIPAA violations. Violations occurred in the administrative, technical and physical realms. Primarily, policies and procedures were found to be inadequate; encryption of USB drives, laptops and email was found to be lacking; and inadequate employee security awareness and training were some of the major areas of vulnerability.
The most prudent approach is to be prepared ahead of time, much like an IRS or Joint Commission audit. Whatever aspect of HIPAA compliance an organization is addressing, a good vantage point from which to start is the patient information. Every action should take into account the confidentiality, integrity and availability of the information. The way to make employees and contractors aware is through training. While the required way to hold business associates and subcontractors accountable is through the contractual obligations in a business associate agreement (BAA). Moreover, an annual risk assessment is a must. And, the HHS website is the ideal place to find explanations of what is set out in the laws and regulations.
Here are some tips to make sure that the practice is HIPAA compliant and avoid an adverse audit outcome...
1/ Begin compliance efforts from the vantage point of the government, who may “review pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation”;
2/ Read Section 164.316 for what is required in relation to policies and procedures from an administrative, technical and physical aspect;
3/ Curtail policies and procedures to your individual practice;
4/ Know where the external and internal sources of protected health information are located;
5/ Encrypt everything both at rest and in transit and make sure that the level of encryption utilized is adequate;
6/ Train employees– Trustwave is a reputable vendor that has online training or various organizations offer live courses; and
7/ Perform due diligence on various third party risk assessors for expertise, price and quality.
OCR audits and HIPAA compliance should not be taken lightly. RAC audits also started with a pilot program more than a decade ago and now generate a substantial amount of revenue for the government, as well as serving as a check on providers’ claims submissions. Those submission, by the way, are also required to be HIPAA-compliant.
The overall goal of the phase 2 audits is to raise awareness and provide the opportunity for entities to correct their practices surrounding the creation, receipt, transmission and maintenance of protected health information.
The flip side, however, is that OCR may assess a penalty. Given that there are going to be more on site and business associate audits, the findings may translate into increased scrutiny by OCR on other fronts. Therefore, organizations of all types should look at the OCR audit like an IRS audit: a practice should be prepared for an audit. Failure to do so could be costly.