Hartford, Conn., Dec. 14, 2015 – Day Pitney LLP has announced the launch of a new HIPAA Self-Assessment Tool ahead of the second round of Department of Health and Human Services’ Office for Civil Rights (OCR) HIPAA-compliance audits.
New HIPAA Self-Assessment Tool Launched
Day Pitney, a full-service law firm employing approximately 300 attorneys in its Connecticut, New Jersey, New York, and Washington, D.C. offices, has developed the HIPAA Self-Assessment Tool to assist covered entities with their final compliance efforts before the audits commence next quarter.
James Bowers, Day Pitney director of Compliance Risk Services and former chief compliance officer at Aetna Inc., recently pointed out that “Companies should really start self-audits as soon as possible to make sure they are in compliance with the HIPAA rules.”
The HIPAA Self-Assessment Tool allows covered entities to assess their organization for potential HIPAA violations, giving them time to address any issues before they are discovered by auditors. Covered entities should already have conducted risk assessments to identify security vulnerabilities, although recent investigations conducted by the Office for Civil Rights have shown that vulnerabilities are often allowed to persist. Failure to conduct a comprehensive risk assessment has been cited in the settlements reached with covered entities in 2015.
The risk assessment must identify all security vulnerabilities that exist at an organization, and efforts must be made to mitigate those risks. So far this year, a number of covered entities have been found to have missed the risks associated with portable storage devices and laptop computers. Others have failed to update software, to change default passwords on medical devices, to conduct comprehensive staff training on data privacy and security issues, or to implement appropriate administrative, technical, and physical safeguards to keep ePHI secure.
The HIPAA Self-Assessment Tool allows compliance officers, privacy officers, medical records managers, CISOs, and CIOs to make final preparations ahead of the audits. While there can be no guarantee that using the HIPAA Self-Assessment Tool will ensure an audit is passed, organizations can benefit greatly from it by identifying gaps in their HIPAA-compliance programs. Even when considerable time, resources, and effort have been put into compliance, gaps may still exist.
The HIPAA Self-Assessment Tool is straightforward to use. According to Susan Huntington, “Once a client inputs its information, the Tool provides an automated assessment summary.” She went on to say, “If there are areas of noncompliance, our team is ready to work with the client to address and correct such areas.”
The second phase of the HIPAA-compliance audit program has been extensively delayed, although major progress has been made and OCR has announced that the next phase will start in early 2016. The audits will assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR will look at specific areas of compliance and will expect to see evidence that HIPAA Rules are being applied in practice.
The purpose of the audits is not to punish organizations for failing to comply with Health Insurance Portability and Accountability Act Rules, but rather to assess whether covered entities have applied HIPAA Rules to safeguard ePHI and prevent data breaches.
While the first round of compliance audits only saw Corrective Action Plans (CAPs) issued for non-compliance issues discovered by auditors, OCR is unlikely to be as lenient the second time around. The Security Rule has been in effect since April 21, 2005, and the Privacy Rule since April 14, 2003. Covered entities have therefore had plenty of time to bring policies and procedures up to the standard required by HIPAA. Financial penalties are expected to be issued for serious compliance issues discovered during the audits.
OCR has the authority to issue financial penalties for non-compliance issues, with the maximum fine for HIPAA violations being $1.5 million, per violation category, per year that violations have been allowed to persist.
In the past few weeks, OCR has agreed to three settlements with covered entities after potential violations of HIPAA Rules were discovered during data breach investigations. Lahey Hospital and Medical Center agreed to pay $850,000; Triple-S Management Corporation of Puerto Rico must pay a $3.5 million financial penalty to OCR; and the latest enforcement action saw University of Washington Medicine agree to settle potential HIPAA violations and pay OCR $750,000. With substantial penalties being issued, a thorough self-assessment ahead of the audits is strongly advisable.