The results of the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) health information audit pilot program may be alarming to many health care providers, health insurers, and their business associates. OCR Senior Adviser Linda Sanches recently reported the results from the audits, which were conducted by HHS-contracted KPMG, at the Health Care Compliance Association’s 17th Annual Compliance Institute. The vast majority of the audited organizations failed to comply with mandatory requirements.
What was perhaps more concerning, Sanches explained, was that the most common cause of non-compliance across all entities was a lack of awareness of privacy and security requirements. “You probably don’t know what you don’t know,” she advised conference attendees. Other causes of non-compliance included lack of sufficient resources, incomplete implementation, and complete disregard for the rules. Small healthcare providers, in particular, struggled with compliance across the board.
The audit pilot program, conducted pursuant to the federal Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, involved audits of 115 HIPAA covered entities—including 61 healthcare providers, 47 health insurers, and 7 healthcare clearinghouses—from November 2011 through December 2012. As noted in a recent Modern Healthcare article, the findings show that many healthcare companies are unaware of the HITECH Act’s requirements, which “widen HIPAA privacy and data-security protections on patients’ protected health information.” Sanches explained that “security was overwhelmingly an area of concern,” noting that most of the healthcare providers had not done a complete and accurate risk assessment.
Sanches also said that many organizations did not have the required policies in place and had made misrepresentations about their policies and practices, and commented that OCR was “not happy about that.” The negative findings have been forwarded to OCR investigators for consideration. OCR is also currently planning audits of business associates with whom HIPAA-covered entities share protected health information and who provide a service to those entities, such as medical billing companies, medical transcription companies, cloud service providers, and accounting, law, and consulting firms providing services to health care providers.
The audit pilot program findings highlight a common problem among healthcare organizations and their business associates: a lack of understanding of data privacy and security laws. The findings also underscore the importance of employee training and breach response preparation.
Many incidents arise from the more mundane aspects of data security, including negligently lost laptops or portable electronic devices, and failure to properly destroy documents containing personal information. But data security is a multidimensional responsibility, particularly in the health care field. As technology has become ubiquitous, properly managing data can be challenging due to the complexity of the regulatory schemes, the broad range of employees involved and their varied responsibilities, and the difficulty in monitoring dozens of business associates.
Attorney-directed data risk assessments, conducted by outside counsel to retain applicable privileges, are recommended to identify problems and reduce risks. Data security in the health care setting is in some ways like infection control—while it is virtually impossible to eliminate the inherent risks, it is absolutely necessary to take all reasonable steps to mitigate them.