On October 27, 2015, a U.S. Department of Health and Human Services (“HHS”) official stated that the agency has hired FCi Federal, a provider of management and professional services to government agencies based in Ashburn, VA, to conduct the second round of Health Insurance Portability and Accountability Act (“HIPAA”) data security audits. Like the Phase One HIPAA audits conducted as a pilot program in 2011 and 2012, these audits are used to determine whether covered entities and business associates are complying with the Privacy and Security Rules. Office for Civil Rights (“OCR”) Director Jocelyn Samuels stated that the audits will begin “shortly” but that OCR is currently “verifying contact information for the business associates and covered entities that will be included in the Phase Two audit.” This is consistent with OCR Deputy Director Deven McGraw’s announcement last month that OCR will begin the next round of audits after it submits information about its plan for public comment in late 2015 or early 2016. Ms. Samuels also provided additional information on the format of the audits, stating that Phase Two will consist primarily of desk audits with some on-site audits, and that OCR will release an audit protocol as the audits draw closer.
In addition to discussing the impending HIPAA audits, Ms. Samuels provided an update on the number of data breach reports received by OCR between September 2009 and October 9, 2015: about 1,355 reports of breaches affecting more than 500 individuals and over 181,000 reports of breaches affecting fewer than 500 people. She also noted that OCR has observed several common issues in organizations that have suffered data breaches, including that these entities (1) lack business associate agreements, auditing procedures and mechanisms, or data transmission security; (2) have insufficient data backup; (3) do not perform enterprise-wide risk analysis or properly manage identified risks; and (4) dispose of data improperly.
Further, OCR received 34,613 complaints alleging violations of the Security, Privacy, and Breach Notification Rules between April 14, 2003 and August 31, 2015, and 69 percent of these complaints resulted in corrective action plans. Ms. Samuels stated that OCR “likes to informally resolve complaints,” but OCR will proceed with more formal resolution of disputes as necessary. This was most recently seen in the settlements and corrective action plans for Cancer Care Group, P.C. and St. Elizabeth’s Medical Center. Therefore, in light of these imminent, random Phase Two audits and the significant number of complaints and data breach reports, HIPAA-regulated entities should take this time to ensure their compliance with the Privacy, Security, and Breach Notification Rules.