
The Office of Civil Rights (OCR) recently announced plans to begin the next round of its HIPAA audit program in early 2016. In comments responding to two reports issued by the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services on September 29, 2015, OCR announced that it will begin Phase 2 of the HIPAA audits early next year. Consistent with prior descriptions of the Phase 2 audits, OCR stated in its recent response to OIG that the audits will include a combination of desk audits and on-site audits, will involve both covered entities and business associates, and will target specific common areas of noncompliance. OCR Director Jocelyn Samuels previously indicated that in the Phase 2 desk audits, covered entities and business associates will have two weeks to upload applicable HIPAA policies and procedures to a portal for OCR auditors to review. This remote audit approach will not allow for additional clarifications or discussion between the auditor and entity; therefore, policies and procedures must be accurate, complete, and ready to upload.

Beyond preparation for the Phase 2 audits, privacy and information security requirements impact the entire scope of a provider’s operations and are key components of a comprehensive compliance strategy. Ensuring the privacy and security of patients’ Protected Health Information (PHI) is especially important as regulatory oversight increases for hospice providers with efforts to hold those providers more accountable for their quality of care.

Trends from past HIPAA enforcement actions by OCR can help providers focus their compliance planning, identify potential vulnerabilities, and be best prepared should they be the subject of an OCR audit. Reviewing the root causes of these enforcement actions can point to valuable lessons learned. The most common root cause for enforcement actions from 2008-2014 related to stolen, unencrypted media such as laptops or USB drives. This category was followed by a number of enforcement actions stemming from technical issues or implementation errors that made Electronic Protected Health Information (ePHI) accessible to the public on the internet or subject to other unauthorized access. There were also several actions related to the improper disposal of hard copy PHI and to failures to comply with requirements of the Privacy Rule, such as not providing patients their right to access their PHI, or inappropriate uses and disclosures by staff or other authorized users.

Most of these enforcement actions resulted from investigations following breach notification by the covered entity or individual complaints to OCR. Therefore, when planning a risk management strategy, providers must consider not only the high costs of settlement amounts and required corrective action plans that result from regulatory enforcement actions such as these, but also the costs associated with a breach, including expenses involved in actual breach notification, investigation and cyber forensics costs, legal fees, and reputational damage. It is also notable that enforcement actions span various types of entities, including non-profits, large retail pharmacies, regional medical centers, large health systems, government agencies, and at least one hospice provider. Surprisingly, although different entities may share the same root cause for the incident that triggered investigation and enforcement, there seems to be a correlation between the entity’s ability to pay and the size of the settlement. For example, a retail pharmacy paid $2.25 million for inappropriate disposal of PHI in a store dumpster, while a smaller health system paid $800,000 for leaving 71 boxes of paper medical records in a physician’s driveway accessible to the public. The risks to the hard copy PHI were very similar, but the settlement amounts reflect the size and capabilities of the different entities. Regardless of size and operations, entities should be aware of their regulatory obligations and the threats to their networks, systems, and data.

So, what can covered entities and business associates learn from these enforcement actions?

These takeaways are just some of the key components of a comprehensive compliance program.

Tara Cho, an attorney no longer with Poyner Spruill, was the original author of this article.
