Have you conducted a comprehensive risk assessment?
The Office for Civil Rights ("OCR") has been promising a second phase of audits since the first phase was completed in early 2012. But this time there is pressure on the OCR to perform. Audits of covered entities and business associates will begin in early 2016. Covered entities and business associates should take proactive steps now to ensure they withstand OCR scrutiny in 2016 and avoid penalties for HIPAA violations.
The OIG’s Assessment of OCR’s Prior Audits
In September, the Office of Inspector General for the Department of Health and Human Services ("OIG") issued two reports criticizing the OCR for failing to adequately follow up on breaches of protected health information ("PHI") and failing to provide sufficient oversight of compliance with the HIPAA Privacy Standards.
A review was performed of privacy violations from September 2009 to March 2011 to determine how the OCR resolved them and the extent to which corrective action plans were documented. The findings were as follows:
- OCR failed to fully implement the required audit program to proactively identify non-compliance. The privacy violations investigated were in response to complaints.
- Of the violations investigated, 54% of the cases demonstrated non-compliance with at least one Privacy Standard. The two most common violations related to (a) restricting uses and disclosures of PHI and (b) implementing adequate safeguards to protect the privacy of PHI.
- Corrective action plans were documented in only 74% of the cases.
- 21% of the OCR staff reported that they rarely or never checked whether the covered entity had previously been investigated by the OCR when in fact 23 of the covered entities had previously been investigated at least five times each.
In its report, the OIG issued the following recommendations to the OCR:
- Fully implement a permanent audit program.
- Maintain complete documentation of all corrective action plans.
- Develop an efficient method to search for and track investigations of covered entities.
- Require staff to check for prior investigations of covered entities.
The findings were similar regarding follow-up on breaches of PHI. Although all large breaches (involving 500 or more individuals) were investigated, less than 2% of reported small breaches were investigated. Of the breaches, 93% of the covered entities had violated at least one HIPAA Standard, which typically involved failing to implement safeguards for the privacy and/or security of the PHI. Documentation of corrective action plans was incomplete, and there was a failure to determine prior histories of HIPAA violations.
Anticipation of a Significant Change in Direction in 2016
The OIG Work Plan for fiscal year 2016 includes the new project of determining the adequacy of the OCR’s oversight for the security of electronic PHI. So the OCR is under extreme scrutiny from the OIG to perform.
The OCR Director, Jocelyn Samuels, has repeatedly stated in the past few months that the Phase 2 audits will begin in early 2016. A third-party vendor will conduct the audits that will include both covered entities and business associates. It is projected that 200 desk audits and 24 on-site audits will be completed by the end of 2016. An update to the audit protocol from 2011-2012 has been promised but has yet to be published. However, it is expected to include the HITECH laws and emphasize breach notification, patient access to ePHI, and compliance with other patient rights. When an entity receives an audit request, it will have only 10 business days to respond.
It is also expected that many business associates will be included in the audit. The OCR has identified business associates as one of its top three enforcement priorities in 2016. Business associates are now subject to the same penalties as covered entities, which range from $100 to $1.5 million for identical violations in a calendar year.
The OCR has become more aggressive in imposing penalties for HIPAA violations. The first penalty wasn’t imposed until 2008, and only seven penalties were imposed through 2011. From 2012-2015, twenty-one penalties were imposed ranging from $50,000 to $3.5 million, with seven penalties greater than $1 million. Such penalties are not typically covered by insurance unless a cyber-insurance policy has been purchased that specifically covers these penalties.
- Prepare now – covered entities and business associates should begin preparing for the early-2016 audits by performing security risk self-assessments (under attorney-client privilege) and addressing areas of vulnerability.
- Review and be familiar with HIPAA policies, including privacy practices and training, appropriate use and disclosure of PHI, technical and physical security safeguards, and the processing of complaints.
- Aggregate copies of previous audit reports and risk assessments related to your organization’s implementation of the requisite security, privacy and breach notification requirements as well as copies of all executed business associate agreements and related subcontractor agreements.
- Involve legal counsel early – proactively prepare an audit response plan and take corrective action needed to resolve vulnerabilities identified during a risk assessment.