Healthcare Industry Prepares for the HIPAA 2017 Audits
Given the number of HIPAA 2017 audits that OCR has planned, the probability of any healthcare organization being selected for a compliance audit is relatively small; however, that does not mean healthcare organizations can afford to be lax when it comes to HIPAA compliance. With onsite audits looming, healthcare organizations need to be prepared.
Even if covered entities and business associates have not been selected for a desk audit, they may be selected for a full compliance audit later this year. And even if a healthcare organization escapes a 2017 HIPAA compliance audit, OCR will investigate should it experience a data breach.
OCR follows up on all data breaches impacting more than 500 individuals. Covered entities that have experienced a data breach or security incident will be required to demonstrate that HIPAA Rules have not been violated and that their policies and procedures comply with the HIPAA Rules.
The high number of healthcare data breaches reported in recent years shows healthcare organizations need to be prepared for a HIPAA investigation in the event that a security incident is experienced.
Desk-Based HIPAA 2017 Audits
Late last year, a selection of healthcare providers, healthcare clearinghouses and health plans was chosen for a desk audit as part of OCR’s second phase of HIPAA compliance audits. The desk audits required the selected covered entities to submit a wide range of documentation to OCR to demonstrate compliance with the HIPAA Privacy, Security and Breach Notification Rules.
The updated OCR audit protocol covers many aspects of the HIPAA Rules that could potentially be investigated by OCR during the HIPAA 2017 audits. OCR is not assessing healthcare organizations on every element detailed in its updated audit protocol; auditors will only require a selection of documents to be submitted. Since covered entities do not know in advance which documents will be requested, they must ensure that their HIPAA document binders are 100% up to date so that the requested information can be provided in a timely fashion.
OCR is conducting 167 desk-based audits of covered entities in the second phase of the HIPAA compliance audits, which commenced in late 2016. Those audits are now approaching completion and OCR has started analyzing the results. Each audited covered entity will now be notified of the results and will be allowed to comment. The results of those audits are expected to be released publicly later this year.
The HIPAA 2017 audits will mostly consist of desk-based audits of business associates of covered entities. Forty-eight business associates of covered entities have been notified that they have been selected for a desk audit and are now required to submit the necessary documentation. Business associates, like covered entities, have been given 10 days to submit that documentation.
Once the business associate audits have been completed, OCR will move on to the final phase of the HIPAA 2017 audits. OCR will be conducting a small number of on-site audits in 2017. Those audits will involve a more comprehensive look at organizations’ HIPAA compliance programs and will include a thorough review of HIPAA policies and procedures. OCR will expect to see evidence of HIPAA compliance in action.
What is the Purpose of the HIPAA 2017 Audit Program?
Last month, an OCR senior advisor explained that the purpose of the HIPAA 2017 audits is twofold. First, the HIPAA 2017 audits will allow OCR to find out whether HIPAA policies and procedures have been implemented by covered entities and their business associates. The last update to the HIPAA Rules – the Omnibus Rule – was finalized shortly after the last phase of HIPAA compliance audits in 2012. It has now been more than three years since the Omnibus Final Rule was issued, giving covered entities plenty of time to update their policies and procedures. OCR expects to see widespread compliance.
The second purpose of the HIPAA 2017 audits is to identify potential risks and vulnerabilities that threaten the confidentiality, integrity and availability of ePHI. While OCR is aware of many of the risks and vulnerabilities from complaints and breach reports, the audits will highlight potential threats to ePHI that OCR and the government would not otherwise be aware of until a data breach occurs or a complaint is submitted.
The HIPAA 2017 audits will reveal which aspects of HIPAA Rules covered entities and business associates are failing to address and any areas of compliance that are proving problematic. The information gathered during the audit process will allow OCR to issue further guidance for covered entities to ensure those risks and vulnerabilities are addressed.
Former OCR Director Leon Rodriguez planned to introduce a permanent OCR HIPAA compliance audit program, and Jocelyn Samuels was under pressure to see that program come to fruition. While that has not happened during Samuels’ time as OCR Director, many HIPAA professionals believe that after the HIPAA 2017 audits have been completed, a permanent audit program will be launched. That program is likely to see audits conducted regularly, although at a much lower level than the HIPAA 2017 audits.
Will OCR Issue Fines for Non-Compliance if HIPAA Violations are Discovered?
Sanches pointed out that there are two aspects of the HIPAA Rules that continue to cause problems for covered entities: risk analyses and risk management. These two aspects of HIPAA are fundamental elements of the HIPAA Security Rule.
If errors are made during a risk analysis, or the risk analysis is not conducted at all, covered entities will be unaware of vulnerabilities that could be exploited by cybercriminals or malicious insiders to gain access to ePHI. When risks are identified, it is essential that they are managed and reduced to an acceptable level. Failing to address those risks leaves the door wide open and ePHI exposed.
Risk analysis failures were common during the first phase of compliance audits in 2011/2012. If covered entities are still failing to conduct risk analyses and manage risks in 2016 and 2017, OCR could take action and issue financial penalties.
Last year, OCR increased its enforcement activity. More settlements were reached with covered entities to resolve HIPAA violations than in any other year since the Enforcement Rule came into effect: 12 HIPAA settlements were agreed and one Civil Monetary Penalty was issued. OCR is now aggressively enforcing the HIPAA Rules.
The first round of HIPAA compliance audits in 2011/2012 was conducted shortly after the HITECH modifications to HIPAA became enforceable, so that round was focused more on education and information gathering. No fines were issued, even though widespread non-compliance was uncovered. Now, five years on, covered entities have had plenty of time to respond and comply with the changes to the HIPAA Rules, and OCR is not expected to be as lenient this time around. The HIPAA 2017 audits are not intended to be a witch hunt, but OCR is unlikely to turn a blind eye if serious HIPAA compliance issues are uncovered.
OCR is also under considerable political pressure to increase its enforcement activities and hold covered entities accountable for failing to comply with federal regulations. Some HIPAA settlements can therefore be expected from the 200+ compliance audits conducted in 2016 and 2017.
Small to Mid-Sized Healthcare Organizations Should Seek Professional Help with HIPAA Compliance
There is pressure on OCR to increase its enforcement of the HIPAA Rules and ensure covered entities are achieving the minimum standards demanded by HIPAA to prevent data breaches. It is clear from the breach reports that the HIPAA compliance efforts of healthcare organizations need to be monitored carefully: 2016 was a record year for healthcare data breaches, and the past three years have seen huge numbers of healthcare data breaches reported.
The penalty for a HIPAA violation can be in excess of $50,000 per violation, and a fine of up to $1,500,000 per violation category, per year that the violation has persisted, can be issued. With such high penalties, covered entities cannot afford to fall afoul of the HIPAA Rules.
While large healthcare organizations have the staff and resources to ensure compliance with HIPAA Rules, small to mid-sized healthcare organizations can struggle with HIPAA compliance, in particular with risk analyses and risk management.
To ease the burden on staff and to ensure that all aspects of HIPAA compliance have been addressed, small to mid-sized covered entities should consider seeking help from HIPAA professionals, so that if OCR auditors and investigators come knocking, compliance can be demonstrated easily and HIPAA penalties avoided.