Despite the issuance of the Omnibus Final Rule in 2013, HIPAA enforcement activity has remained relatively light—until recently. Indeed, compared to just a few settlements a year for the first decade that HIPAA was in force, from September 2015 through April 2016, HIPAA settlements have been coming out at a pace of more than one a month. Moreover, the dollar amounts involved are significant: $750k, $3.5M, $750k, $240k, $1.55M, $3.9M, $750k, and $2.2M. This alone should be a wake-up call for any covered entity or business associate that must comply with applicable provisions of HIPAA. But, it isn’t the only thing making HIPAA hot right now.
Indeed, the Round 2 HIPAA audits have begun. In the last several weeks, hundreds of covered entities have received surveys that request a variety of information that will be used to identify a broad cross-section of covered entities. Very significantly, this round of HIPAA audits will also include business associates. One of the questions in the surveys requires covered entities to identify their business associates.
Unlike the first round of HIPAA audits, the Round 2 audits may result in disciplinary actions. Given the results of the first round audit—that an overwhelming number of covered entities had HIPAA compliance deficiencies, primarily with respect to HIPAA’s Security Rule—we can expect a flurry of enforcement actions as a result of the latest audits.
So what is a covered entity or business associate to do? The answer is simple: take HIPAA seriously and get your HIPAA house in order—now! Then, continue to keep it tidy.
Below is a top ten list of action items to help ensure compliance:
- Update policies and procedures – both privacy and security
- Ensure that authorizations for release of health information are in plain language
- Have expressly-named privacy and security officers, which can be the same person
- Ensure that there is a sanctions policy, either referenced by or included in the HIPAA policies and procedures
- Update the entity’s security rule risk assessment – completed as a roadmap to demonstrate compliance (not just treated as a checklist)
- Refresh workforce training, with documentation of the materials and those who attended
- Ensure that business associate agreements are in place with business associates
- Create a current and comprehensive list of business associate agreements
- Ensure that notice of privacy practices are updated to meet the Omnibus Final Rule requirements, with appropriate posting/distributing, in plain language
- Develop a breach response plan if it is not otherwise addressed in the HIPAA policies and procedures
To the degree there is good news about HIPAA enforcement and the audits, it is that the Office for Civil Rights (OCR) tends to take a corrective, rather than punitive, approach to HIPAA non-compliance. As OCR officials have stated at major national meetings, such as the recent International Association of Privacy Professionals Privacy Summit, the OCR is more interested in ensuring compliance rather than specifically punishing entities.
Of course, only time will tell what will happen with the Round 2 audits, but we do know this: HIPAA isn’t going away; covered entities and business associates have since 2013 had to come into compliance with the Omnibus Final Rule revisions to HIPAA, and enforcement is almost certain to increase in the future.