The Office of Civil Rights (OCR) recently announced plans to begin the next round of its HIPAA audit program in early 2016. In comments responding to two reports issued by the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services on September 29, 2015, OCR announced that it will begin Phase 2 of the HIPAA audits early next year. Consistent with prior descriptions of the Phase 2 audits, OCR stated in its recent response to OIG that the audits would include a combination of desk audits and on-site audits, will involve both covered entities and business associates, and will target specific common areas of noncompliance. OCR Director Jocelyn Samuels previously indicated that in the Phase 2 desk audits, covered entities and business associates will have two weeks to upload applicable HIPAA policies and procedures to a portal for OCR auditors to review. This remote audit approach will not allow for additional clarifications or discussion between the auditor and entity; therefore, policies and procedures must be accurate and complete and ready to upload.
In addition to being prepared for the Phase 2 audits, privacy and information security requirements impact the entire scope of a provider’s operations and are key components of a comprehensive compliance strategy. Ensuring the privacy and security of patients’ Protected Health Information (PHI) is especially important as regulatory oversight increases for hospice providers with efforts to hold those providers more accountable for their quality of care.
Trends from past HIPAA enforcement actions by OCR can help providers focus their compliance planning, identify potential vulnerabilities and be best prepared should they be the subject of an OCR audit. Reviewing the root causes of these enforcement actions can point to valuable lessons learned. The most common root cause for enforcement actions from 2008-2014 related to stolen, unencrypted media such as laptops or USB drives. This category was followed by a number of enforcement actions stemming from technical issues or implementation errors that made Electronic Protected Health Information (ePHI) accessible to the public on the internet or subject to other unauthorized access. There were also several actions related to the improper disposal of hard copy PHI and failure to comply with requirements of the Privacy Rule, such as providing patients a right to access their PHI or inappropriate uses and disclosures by staff or other authorized users.
Most of these enforcement actions resulted from investigations following breach notification by the covered entity or individual complaints to OCR. Therefore, when planning a risk management strategy, providers must consider not only the high costs of settlement amounts and required corrective action plans that result from regulatory enforcement actions such as these, but also the costs associated with a breach itself: the expenses of the breach notification, investigation and cyber forensics costs, legal fees, and reputational damage. It is also notable that enforcement actions span various types of entities, including non-profits, large retail pharmacies, regional medical centers, large health systems, government agencies, and at least one hospice provider. Surprisingly, although different entities may share the same root cause for the incident that triggered investigation and enforcement, there seems to be a correlation between the entity’s ability to pay and the size of the settlement. For example, a retail pharmacy paid $2.25 million for inappropriate disposal of PHI in a store dumpster, while a smaller health system paid $800,000 for leaving 71 boxes of paper medical records in a physician’s driveway accessible to the public. The risks to the hard copy PHI were very similar, but the settlement amounts reflect the size and capabilities of the different entities. Regardless of size and operations, entities should be aware of their regulatory obligations and of the threats to their networks, systems, and data.
So, what can covered entities and business associates learn from these enforcement actions?
- Encrypt! Encrypt! Encrypt! Although encryption is not a mandatory specification in the HIPAA Security Rule, encryption can greatly mitigate the potential risks that result from theft or loss of a portable device (e.g., mobile phone or laptop) or removable media (e.g., CD or USB drive). Encryption can also be a safe harbor from breach reporting requirements, and OCR has repeatedly noted the importance of applying encryption whenever possible.
- Risk Analyses. Conduct ongoing risk analyses of systems, networks, equipment and other repositories or access points to ePHI. Implement remediation plans and update policies and procedures to address critical risks identified during such risk analyses.
- Device Management. Don’t sell, retire or reissue computers, portable devices, or even leased copiers or scanners without securely wiping all content. Implement appropriate policies and controls around mobile devices, particularly personal mobile devices used for work.
- Hard-Copy PHI. Do not underestimate or forget the security threats to non-electronic PHI and the associated requirements. Maintain policies and procedures to implement Privacy Rule requirements and to control the security and disposal of hard copy PHI.
- Training. Train employees and monitor adherence to HIPAA policies and procedures, including permissible uses and disclosures and incident reporting. In addition, educate employees with a general understanding of the threats and vulnerabilities to PHI and other sensitive data staff may access or handle.
- Incident Response. Develop and test an incident response plan to quickly identify and mitigate potential security incidents.
- Audit Preparedness. Hospices and their care partners and business associates should prepare for the upcoming Phase 2 audits and help minimize the risks and vulnerabilities described above by:
  - Conducting a gap assessment of current policies and procedures to confirm alignment with the Privacy and Security Rules.
  - Updating their risk analysis to identify threats and vulnerabilities to PHI and prioritize remediation items based on the criticality of and risk to the data.
  - Reviewing business associate agreements and associated policies and procedures for the oversight of service providers.
  - Developing an audit response plan or compiling a repository so that HIPAA-specific policies and procedures are easily accessible and ready to provide upon request.
  - Familiarizing all staff, including senior management, with the entity’s privacy and security compliance program, HIPAA requirements, general risks associated with PHI, and the contact person or department for questions about these areas or for any requests or inquiries from OCR or other agencies.
These takeaways are just some of the key components of a comprehensive compliance program.
Tara Cho, an attorney no longer with Poyner Spruill, was the original author of this article.