Web Portal Delays Second Round of HIPAA Audits
The second round of HIPAA compliance audits, originally scheduled to take place this fall, has now been delayed until 2015 to give the OCR time to test its new internet portal. The web portal is one of several new measures being introduced to assist the OCR in policing HIPAA, and it is expected to streamline data collection. The portal will also be used to report HIPAA breaches and violations.
According to OCR senior adviser, Linda Sanches, “We recently had an opportunity to update the technology we’re using, giving us capabilities that we just didn’t have access to before.”
The rollout of the new portal needs to be completed before the OCR can conduct its next round of audits, as the system will be used to collect and collate the thousands of documents a round of audits generates. The new system will also allow Jocelyn Samuels to develop the OCR's program of permanent audits, which former OCR Director Leon Rodriguez had envisioned before he took up his new role with Homeland Security.
The collection and analysis of documents is an extremely labor-intensive process, and the OCR's resources severely limit the number of audits it can realistically conduct. The new portal should allow HIPAA-covered entities to easily upload documents if they are selected for a compliance audit, while the automation of data collection will free up a considerable amount of resources at the OCR.
The original audit plan involved a pilot of 115 audits, which after an initial assessment would lead to a second round involving 400 remote audits and a number of onsite visits. The number of desk audits has now been reduced to 200, but the budget for onsite visits has been increased. More healthcare organizations can therefore expect a full and thorough onsite inspection. The next round of audits will also be conducted in the main by OCR staff; the pilot audits were conducted by the accounting firm KPMG.
Second Round Compliance Audit Protocol
The audit process will commence with pre-screening audits, in which covered entities will be required to use the portal to submit their documents. The OCR has yet to announce how many pre-screening audits it will conduct, although in February the OCR did submit a collection request to the Federal Register to allow it to contact up to 1,200 covered entities, including healthcare providers, health plans, clearinghouses and Business Associates. The OCR will then select the most suitable entities for desk and onsite audits.
According to Sanches, covered entities will be audited first, followed by Business Associates. She advises all covered entities to contact their Business Associates and address any HIPAA issues that currently exist. Business Associates should also be informed, if they are not already aware, that they will be subject to audits and are responsible for ensuring that they are compliant with all HIPAA Privacy and Security Rules, including the latest Omnibus Rule changes.
Covered entities will be required to submit a list of all contractors and Business Associates as part of the pre-screening process, and she suggests now is the time to “get your house in order.”
The sample for the next round of audits will be taken at random; however, there will be some bias, as the audits will need to be geographically representative and the full range of covered entities will need to be covered. Therefore, all covered entities (healthcare providers, health plans and clearinghouses) and their Business Associates could be selected for audit. The second round will focus on larger organizations, but that is not to say that pharmacies and small practices will not be selected for audits.
The OCR has confirmed there will only be a small number of exceptions in the second round; any organization currently under investigation by the OCR will naturally be exempt, as will HIPAA-covered entities that have an “open breach.”
Second Round HIPAA Audits to Have Narrower Focus
Sanches confirmed that the scope of the new round of audits will be very specific, covering Breach Notification Rules, patient privacy regulations and security risk assessments; the latter is an area that was uncovered as a major source of violations during the first round of audits.
The desk audits will primarily consist of a document check, and covered entities will need to supply proof that they have the policies in place to ensure Protected Health Information is appropriately secured. Sanches pointed out that documented security analyses may need to be submitted along with privacy and security policies, and questions will be asked to determine whether the documented policies correspond to procedures that are actually being followed.
Any covered entity selected for a full audit will be visited by the OCR for an onsite document check and will be subjected to a much more comprehensive audit that will not be restricted to document checks. The audits may have a narrower focus this time around; however, any HIPAA violations discovered by OCR staff are unlikely to be ignored.
The exact protocol for the audits has not yet been announced, although a notice will be issued by the OCR in due course.
Financial Penalties Will Be Issued for HIPAA Violations
The OCR has been taking a tougher stance on HIPAA violators in recent months and has reached settlements with a number of organizations that have caused serious HIPAA breaches; many investigations are also currently active.
The Enforcement Rule details the factors the OCR uses to assess whether a penalty is appropriate, together with a scale of permissible fines for each violation. HIPAA penalties are capped at $1.5 million per violation, per annum, although the total cost of a data breach can be many times that figure.
The OCR treats each case individually and many factors are taken into consideration before penalties are issued. The OCR considers the number of individuals affected, the level of risk that each faces as a result of a breach, the extent of the data exposed and the length of time the security breach was allowed to persist.
The audits, however, are intended to delve deeper and uncover flaws in policies and procedures that could potentially lead to a data breach. Violations of HIPAA Rules will similarly result in fines being issued, even if no individual has had data exposed.
Security Risk Analyses Will Be a Major Focus
The pilot audits revealed the difficulty covered entities have conducting risk assessments; many organizations were found to have breached regulations by either not conducting a risk analysis at all or failing to identify and address all security issues. Risk analyses are clearly going to be a major focus in the second round of audits.
Hackers are on the constant lookout for security flaws that enable them to gain access to healthcare databases and computer systems, and the introduction of new technology creates new opportunities for cybercriminals.
A risk analysis is therefore not a one-time action that is conducted in order to be compliant; it is an ongoing process that is necessary to monitor data security and ensure that vulnerabilities are identified and addressed before they result in data breaches. The OCR will be looking for evidence that a full and thorough risk analysis has been conducted, covering all systems touching ePHI, together with evidence of physical controls securing computer hardware. It will also be looking for proof that these risk analyses have been ongoing.