OCR Sheds Light on Phase 2 HIPAA Audits
The Office for Civil Rights (OCR) has announced that it is to recommence its HIPAA compliance audit program this fall. Phase 2 will consist of 350 compliance audits conducted on healthcare providers, healthcare clearinghouses and health plans, along with 50 further audits which, in accordance with the HIPAA Omnibus Rule, will be conducted on business associates.
The OCR conducted a round of pilot audits in 2011/2012 which looked closely at a wide range of areas of compliance in order to allow it to ascertain the level of compliance across different sectors of the healthcare industry. The pilot round involved 115 covered entities, which were subjected to a full compliance audit including a site inspection. The audits uncovered numerous areas in which healthcare organizations were violating HIPAA regulations.
The majority of organizations that were audited were found to have violated HIPAA, with only 11% of covered entities found to be fully compliant. 80% of healthcare providers found to have violated HIPAA did so by failing to conduct a full risk analysis, while 39% of all audited entities registered violations of the Privacy Rule. 10% violated the Breach Notification Rule, and many were found to have violated all three rules, with smaller healthcare providers standing out for a broad range of non-compliance issues.
The results have allowed the OCR to tailor the next round of audits and focus on the key areas of HIPAA compliance which resulted in the most violations, while the audit plan also needed to be updated due to the issuing of the Omnibus Final Rule last year.
Phase 2 HIPAA Compliance Audits Changes
The second phase of HIPAA compliance audits is to involve more covered entities and will have a much narrower focus, covering the Privacy, Security and Breach Notification Rules.
There have been two major changes to how the second phase of audits will be conducted. OCR staff will conduct all of the phase 2 audits (the accountancy firm KPMG was contracted to conduct the pilot), and the next phase will comprise both on-site compliance assessments and a number of “desk audits”, which will be conducted remotely and will largely consist of a full document check. The OCR will, however, be asking questions to ascertain whether HIPAA policies are being put into practice.
According to the OCR, the number of full compliance audits will be dictated “as resources allow”, but the program is expected to consist of 150 full compliance audits with a particular focus on the Security Rule, 100 audits covering the Breach Notification Rule and 100 focused on the Privacy Rule.
OCR Audit Program Timeline
The audits are scheduled to take place between October 2014 and June 2015. The coming round of audits will look at privacy and security, in particular relating to the storage and transmission of Electronic Health Records and how breaches are managed.
A further round of audits is expected later in the year which will have more of a focus on staff training and documented policies and procedures. By 2016 the OCR is expecting to look more closely at data encryption on media devices containing ePHI and ePHI transmission together with the physical controls that have been put in place to secure those devices.
A permanent audit program is expected to be established after the second round of audits has taken place. The audits are intended to improve overall HIPAA compliance and raise data privacy and security standards.
2014 Desk Audits
The desk audits will assess compliance with selected Privacy and Security Rule provisions. Adherence to the Privacy Rule will be assessed in particular by looking at how organizations respond to patient requests for access to their health records and at their notices of privacy practices. Policies and procedures relating to the Breach Notification Rule will also be checked.
2014 On-Site Audits
The on-site audits will be more thorough: the OCR is expected to want to see HIPAA in action, and will be checking that policies have been translated into compliant work procedures. They will have a strong focus on the Security Rule, which the pilot audits showed to be a major area of non-compliance. Risk analyses will be thoroughly assessed, as will risk management.
The OCR will be publishing details of the protocol for its second phase audits on its website in due course. This will give all covered organizations the opportunity to conduct an internal pre-assessment for compliance and address any issues discovered. Business Associate audits are not expected to take place until 2015.
Selection of Covered Entities for Audit
As in the pilot phase, the audit process will start with a pre-screening questionnaire intended to assess the suitability of the organization for audit. 550-800 organizations will be selected at random from America’s Health Insurance Plans’ databases of health plans and health care clearinghouses and from the National Provider Identifier database. Each selected entity will be sent a link to an online questionnaire.
Once the surveys have been completed, the most appropriate entities will be selected for either an on-site audit or a desk audit. The sample will be geographically representative, and questions will be asked to determine each organization’s size, the services it offers and its use of electronic health records.
232 health care providers, 109 health plans and 9 health care clearinghouses will be selected for audit. Each will be individually notified if it has been chosen and will be allowed two weeks to respond to the OCR’s request for documentation.
The OCR will request specific documents, which must be collated and sent to the OCR for assessment. Selected organizations will also be required to supply up-to-date lists of their Business Associates, including full names and current contact information. The OCR will use that information to select Business Associates for audit in 2015.
A failure to provide any of the documentation on time will result in that document being considered missing, and therefore a violation, which could trigger a full compliance audit.
After completion of the audit, the OCR will issue a summary of its findings to the entity concerned, and management will be given the opportunity to comment on any violations discovered before the final report is issued.
OCR Taking a Tougher Stance on HIPAA Violators
The OCR was criticized in 2008 by the Department of Health and Human Services for its apparent lack of policing. Between December 2000, when it was first tasked with policing HIPAA, and 2008, the OCR had failed to issue any fines for violations. Instead, organizations discovered to have violated HIPAA rules were issued with action plans with strict reporting requirements to ensure the issues were corrected.
The OCR then started taking a tougher stance on violators and issued its first HIPAA fine in January 2009 to CVS Pharmacy Inc, which was ordered to pay $2.25 million for the improper dumping of patient records. The OCR has since been policing the HIPAA Privacy and Security Rules much more rigorously, and has issued substantial fines to covered entities found to have seriously violated HIPAA rules, the most notable being the $4.8 million financial penalty imposed on New York Presbyterian Hospital and Columbia University in May 2014.
Phase 2 Audit HIPAA Violation Penalties
Phase 2 of the compliance audits is likely to see financial penalties issued for non-compliance issues, potentially up to a maximum of $1.5 million per annum, per violation category. If the audits uncover serious violations of HIPAA, they are likely to trigger a full compliance audit, which could uncover a much wider range of compliance issues and lead to substantial financial penalties, sanctions and potentially even criminal proceedings against the organizations concerned.
The advice to all covered entities, including the newly covered Business Associates, is to take action now: ensure that policies and procedures are up to date, that security risk analyses are conducted and that all risks discovered are effectively managed.