Are You Ready? HIPAA Audits Are Here.

more+
less-

[author: Michael A. Igel]

As part of health care reform, the federal government mandated that a pilot HIPAA audit program (the “HIPAA Audit Program”) be developed to ensure compliance with HIPAA’s privacy and security rules and its breach notification standards. Expansion of the program is around the corner, and all health care providers and their business associates must be prepared.
In late 2011, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”), which oversees HIPAA enforcement, awarded KPMG a $9.2 million dollar contract to develop the HIPAA Audit Program and to conduct the related audits. Between November 2011 and December 2012, as part of the HIPAA Audit Program, 115 “covered entities” (e.g. health care providers, health plans and health care clearinghouses) and “business associates” (e.g. an outside person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (“PHI”) on behalf of, or provides services to, a covered entity) large and small will be audited for compliance with HIPAA’s privacy, security and breach notification rules. Recently, the OCR released its protocols that will serve as a guideline for the audits. The protocol is complex, and is detailed in the companion article included in this Alert.
The HIPAA Audit Program appears to be following the same trail as the federal government’s prior health care provider audit programs. For example, Medicare’s now-famous recovery audit contractor (also known as “RAC”) overpayment audit program began as a similar pilot program beginning in a 2005 study of three states (including Florida). Just a few years later, the RAC program was rolled out officially in all 50 states, and was the precursor for a significant increase in audit health care audit activity. Since that time, many providers have felt the sting of an overpayment audit and repayment obligation.
Considering the likely expansion of the HIPAA Audit Program, and considering the fact that OCR has been clear that it intends to review covered entities and business associates that represent a broad spectrum of health care providers, now is the time for covered entities and business associates to become compliant.
Health care reform strengthened the enforcement of HIPAA, expanded penalties and consequences of violations, and, most notably, imposed new requirements on covered entities and business associates. Because of these new obligations imposed upon covered entities and business associates, business associate agreements need to be amended, and existing HIPAA-related policies and procedures need to be reviewed and updated. The federal government’s failure to release important HIPAA regulations has compounded the challenges associated with these necessary amendments. OCR has indicated that it will not enforce the proposed changes that are part of the health care reform law until the final HIPAA regulations are released and become effective, but state attorneys general (as well as the U.S. Department of Justice) are not bound by OCR’s enforcement discretion, and they have made their presence felt. The government expects full-scale HIPAA compliance, and many providers have failed to account for these changes. Such providers are prime candidates for a failing grade in a HIPAA audit.
What is My Risk?
Historically, the government rarely imposed penalties against covered entities and business associates for HIPAA violations. Times have changed. Recently, various federal agencies and state attorneys general have made it clear that HIPAA enforcement actions will be part of today’s health care world. Providers and business associates of all kinds and sizes have felt the wrath of increased enforcement. Recent actions include:
  • Massachusetts General Hospital - $1 million dollar settlement and three-year Corrective Action Plan for loss of PHI;
  • Cignet Health - $4.3 million settlement for refusing patient access to medical records;
  • UCLA Health System - $865,000 settlement and Corrective Action Plan for allowing unauthorized access to PHI;
  • Phoenix Cardiac Surgery, P.C. - $100,000 settlement and one-year Corrective Action Plan for unlawfully disclosing PHI and for failing to have adequate HIPAA safeguards;
  • Accretive Health, Inc. – In the first enforcement action against a business associate, the Minnesota state attorney general filed a civil lawsuit against Accretive Health, Inc. for several business associate-related HIPAA violations;
  • Blue Cross Blue Shield of Tennessee - $1.5 million settlement and a Corrective Action Plan in the first enforcement action stemming from a covered entity’s self-disclosure of a HIPAA violation.
Am I Next?
The HIPAA Audit Program currently focuses on 115 covered entities and business associates, with expansion expected at any time. Covered entities and business associates should not be surprised to receive an audit request.
How Is the Audit Conducted, and How Long Will It Take?
When a covered entity or business associate (each an “Audited Company”) is selected for a HIPAA audit, the OCR will notify the covered entity in writing. The OCR notification letter will introduce the audit contractor, explain the audit process and describe initial informational and documentary requests. The OCR expects anyone who is audited to provide the requested information within 10 business days of receipt of the request for information.
OCR will then conduct an on-site visit. OCR’s notification to the covered entity of the date for the visit will be 30 to 90 days prior to the anticipated on-site visit. Depending on the complexity of the organization being audited, the on-site review will take between 3 and 10 business days. It can be reasonably presumed that the on-site visit will disrupt the operations of the organization.
Within 20 to 30 days following the on-site visit, the auditor will provide the Audited Company with a draft final report. The Audited Company will have 10 business days to review and provide written comments to the auditor. Within 30 days following receipt of the Audited Company’s written comments, the auditor will complete a final report and submit it to OCR.
What Will the On-Site Visit Include?
The on-site visit will consist of a number of components that are likely to disrupt the business of the Audited Company. The on-site visit will include:
  • Interviews with key organizational leaders;
  • Scrutiny of physical operations controls (i.e. storage, maintenance and use of PHI);
  • Assessment of how well the organization has established and implemented policies and procedures meant to protect PHI;
  • Identification of areas of concern with respect to general regulatory compliance.
What Issues Will Auditors Focus On?
Although the OCR has not released a list of specific regulations that auditors will consider, the Secretary of Health and Human Service’s Office of Inspector General (“OIG”) recently issued a scathing report criticizing the effectiveness of existing oversight of the HIPAA security rule after the OIG’s HIPAA-related audits of seven hospitals in the country. The OIG audits of these seven hospitals identified 151 vulnerabilities in the systems and controls intended to protect PHI. The OCR is likely to consider these vulnerabilities as top priorities. Areas of concern include:
  • Inadequate security of wireless networks;
  • Lack of security updates to software;
  • Inadequate access log recordkeeping;
  • Insufficient incident detection and response procedures;
  • Inadequate password management controls (e.g. consistent password change notifications, etc.);
  • Risk of theft or loss of mobile devices (including laptops).
In its report, the OIG placed emphasis on 124 “high impact” vulnerabilities, which were defined as vulnerabilities that may (i) result in the highly costly loss of major tangible assets; (ii) significantly harm or impede the organization’s mission to provide care; or (iii) result in human death or serious injury. It is expected that HIPAA audits under the HIPAA Audit Program will also focus on these areas.
What Can I Do To Prepare?
It is essential that all covered entities and business associates ensure compliance with HIPAA’s privacy and security regulations. Preparation should include:
  • Review of written policies and procedures to ensure compliance with HIPAA;
  • Review of and updates to compliance plans and risk assessment plans;
  • Updates to privacy and security safeguards, and development of corrective action plans as needed;
  • Review and update of employee training materials.
The Trenam Kemker Health Care Audit Defense Team has developed a checklist to serve as a starting point for clients who wish to assess compliance with the HIPAA security and privacy rules. The checklist should not be substituted for a more complete assessment of your organization’s HIPAA compliance.  Please contact Michael Igel at migel@trenam.com or 727-820-3963 for more information.