The US Department of Health and Human Services Office for Civil Rights (OCR) will soon begin a second phase of audits for compliance with HIPAA privacy, security and breach notification standards as required by the HITECH Act. In this second phase, OCR will audit both covered entities and their business associates, unlike the pilot audits of 2011 and 2012, which focused on covered entities alone. This On the Subject details practical steps that covered entities, including employer-sponsored group health plans, and their business associates can take to prepare for a potential audit.
The US Department of Health and Human Services Office for Civil Rights (OCR) announced on March 21, 2016, that it would soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR will conduct Phase 2 Audits of both covered entities and their business associates, unlike the pilot audits of 2011 and 2012 (Phase 1 Audits), which focused on covered entities alone.
The HIPAA Standards define “covered entities” as follows:
- Health plans, including individual health plans, employer-sponsored group health plans, health insurers and health maintenance organizations
- Health care clearinghouses that process and reformat health information
- Health care providers that transmit protected health information (PHI) electronically in financial or administrative transactions covered by HIPAA’s administrative requirements
Under ERISA, a group health plan and the employer that sponsors the plan are separate legal entities. The employer sponsor of the group health plan is not a covered entity, but the group health plan that the employer sponsors is a covered entity. The HIPAA Standards cover many types of group health plans, including medical, dental, vision, prescription drug, health care flexible spending account plans, and certain wellness and employee assistance programs. An employer often relies on third parties (business associates) to perform many of the health plan’s functions, such as recordkeeping, claims processing, utilization review and case management. A covered entity group health plan is required to enter into a business associate agreement with its service providers before disclosing plan participants’ PHI, and these service providers also have obligations under the HIPAA Standards.
Phase 2 Audit Process
The Phase 2 Audits are intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates, and to build a permanent HIPAA audit program. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties. OCR’s enforcement activities have resulted in $11 million in settlements since fall 2015.
OCR has randomly selected a pool of covered entities and business associates for Phase 2 Audits, and emails have already been issued to potential audit targets with a pre-screening questionnaire to collect demographic and business associate information. OCR will use this information to select approximately 200 targets on which to perform desk audits, which it intends to complete by the end of 2016.
Covered entities and business associates will have a short timeframe (approximately 10 days) to respond to OCR’s audit request, submit requested documentation to an online portal and identify business associates. Audited entities will have the opportunity to review findings and provide written comments to the auditor before the audit report is finalized. OCR will take into account management’s response and issue a final report of its findings. Failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review. In addition, certain desk audits may evolve into onsite audits.
The Phase 2 Audits will target HIPAA Standards with high occurrences of non-compliance in the Phase 1 Audits, including risk analysis and risk management; content and timeliness of breach notifications; notice of privacy practices; individual access; the Privacy Standards’ reasonable safeguards requirement; training on policies and procedures; device and media controls; transmission security; and cybersecurity. In connection with the Phase 2 Audits, OCR issued a revised HIPAA Audit Protocol, which will be useful to covered entities and business associates in assessing compliance with the HIPAA Standards.
How to Prepare for Phase 2 Audits and OCR Enforcement
Covered entities, including employers that sponsor group health plans, and their business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:
- Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (the Risk Assessment).
- Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion.
- Use the results of the Risk Assessment to implement a robust risk management program.
- Ensure that the organization has a complete inventory of business associates for purposes of the Phase 2 Audit data requests, and that business associate agreements (i) have been updated to comply with the most recent requirements and (ii) have been executed.
- Confirm that all required HIPAA privacy and security policies are in place and up to date.
- Confirm that the entity’s Notice of Privacy Practices is up to date and that procedures are in place for providing the Notice to plan participants and other individuals.
- Document training of work force members.
- Ensure that plan documents have been amended to incorporate HIPAA-required provisions, and that the plan sponsor has certified to the plan that the proper amendments have been made.
- Conduct and document an updated security risk analysis; if deficiencies exist, correct them and document the corrections.
- If the organization has not implemented certain of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (i) the reason for its conclusion that the standard was not reasonable and appropriate, and (ii) all alternative security measures that were implemented.
- Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards, and that breach notification procedures are in place with business associates.
- Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI.
- Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment).
- Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has documented the risk analysis supporting the decision not to employ encryption.
- Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to having a security policy that requires such a physical security plan.
- Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures).