You Ain’t Seen Nothing Yet – OCR Indicates Major Hike in HIPAA Audits
They were last seen in 2012, but the second round of HIPAA compliance audits have yet to commence, but they are apparently coming back this year with plans in place for them to be bigger and bolder than ever before. The Department of Health and Human Services’ Office for Civil Rights (OCR) indicated to Washington lawyer and HIPAA expert, Adam Greene – partner of Davis Wright Termaine – that compliance enforcement is set to significantly increase.
OCR Has Already Increased Its Enforcement Actions
In a presentation at HIMSS15 in Chicago on Tuesday, Greene pointed out that there had been an increase in enforcement actions involving financial penalties in recent years. Greene said there “was one or three fines levied in 2008-2011, five in 2012 and 2013 and seven last year in 2014”.
The OCR has had to deal with more than 100,000 claims since it started enforcing HIPAA legislation and in the majority of cases these claims have been resolved without any investigation being necessary. In almost a quarter of cases (24%) the Covered Entity (CE) took voluntary corrective action after areas of non-compliance were discovered.
In 11% of cases the OCR discovered no violation and the claim proved to be unfounded, while only 23 cases resulted in a violation and penalty (0%). Settlements have increased already and that trend is likely to continue.
Greene said that the “HHS will not be handing out violations like speeding tickets but increasing monetary fines and more fines are what he sees coming in the future.” And also said we are “entering a new era of HIPAA enforcement”.
No Firm Date for the Second Round Compliance Audits
The OCR has been criticized for delaying the audits but plans are certainly in place and according to Greene the next set of audits will “dwarf anything seen so far” according to a report in HealthDataManagement.
There was no indication of when the OCR will be starting the audits; although Greene said they were expected later this year. It has been three years since the end of the pilot phase and last year there was a delay due to web portal changes. This year the planning of the protocol appears to be taking some time.
While many covered entities (CEs) are anxious about the impending audits, now is the time to ensure that all policies and procedures are compliant and ease the stress when they do commence.
The figures from the first round of compliance audits show that risk analyses were not so much a problem for organizations; many had simply not conducted them. The majority of those that did perform a risk analysis did not do so thoroughly and therefore did not identify all security vulnerabilities.
The Biggest Threats Come from Within and Most are Preventable
Given the number of data breaches involving PHI that are reported to the OCR each month, it is clear that many organizations have not conducted risk analyses, done so incorrectly or have failed to address the security issues they raised.
Instead of focusing on preventing major security breaches by shoring up defenses against hackers, Greene pointed out that there are more pressing problems, and hacking incidents only constituted 7% of breaches reported to the OCR that involved more than 500 individuals.
There are much bigger threats from within that are more likely to cause HIPAA violations. “If you’re big focus is on hacking, you are not focused in the right place,” he went on to say “The biggest threat is the model employee who decides to work from home and doesn’t have safeguards.” It was pointed out that more than half of HIPAA breaches – 53% – were caused by the theft of devices from cars and homes.
Data encryption would solve the issue in many cases, although this is not the only solution to safeguard PHI. Training and education goes a very long way and organizations must certainly address the issue of data security when data is allowed to leaves the premises and be taken to areas where security standards may be considerably lower.
What Should be the Main Focus of HIPAA Compliance Efforts?
The advice provided to CEs by Greene was to go back to basics and consider the bigger picture. The first step to take is to conduct a thorough risk analysis – in the pilot audits 80% of healthcare providers and 67% of health insurers failed to do this. Until this is done, organizations will be found to have violated HIPAA.
The risk analysis should be the main focus, and it must be thorough and totally comprehensive. It should discover all security vulnerabilities and risks to PHI in all forms so that action can be taken to address those issues. Three questions were offered that CEs should be asking as part of a risk analysis: “Does it discover where electronic protected health information is located? Does it address the theft of mobile devices? Does it address the risk of improper security configuration? “
The OCR is mostly concerned with three areas of compliance: Prevention of data breaches including the implementation of the administrative, physical and technical safeguards laid down in the Security Rule; The response to breaches when they do occur as governed by the Breach Notification Rule; and accessing of records under the Privacy Rule.
It is inevitable that CEs will suffer data breaches, but what the OCR wants to see is evidence that the minimum standards have been implemented and policies are in place so that when breaches do occur, rapid action can be taken to mitigate damage, identify the root cause of the problem and address it so it doesn’t happen again. That is the key to avoiding HIPAA violation penalties.