Officials at the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) have recently selected a vendor to conduct the second wave of HIPAA audits. These so-called “Phase 2 Audits” are set to commence on the heels of two important HHS OCR enforcement proceedings alleging violations of the HIPAA Security Rule:
St. Elizabeth’s Medical Center, a tertiary care hospital in Massachusetts, allegedly failed to conduct a risk assessment before its employees used a cloud document-sharing application and failed to respond to a security incident in a timely manner, leading to a $218,400 fine and Corrective Action Plan (CAP). Orrick reported on this case in a previous alert.
Cancer Care Group (CCG), one of the largest privately owned radiation oncology groups in the country, recently signed a $750,000 settlement and CAP stemming from the theft of PHI belonging to approximately 55,000 patients stored on a stolen laptop and unencrypted backup media. According to OCR, the investigation uncovered that prior to the security incident, CCG failed to conduct an enterprise-wide risk assessment, and failed to implement a policy addressing the removal of unencrypted devices containing ePHI from company facilities – two issues that OCR identified as key contributing factors to the data breach. The CAP requires CCG to conduct risk analysis regarding its handling of ePHI, to develop and implement a risk mitigation plan addressing certain identified risks, and to review and update security policies, procedures and employee training.
The HIPAA Security Rule establishes a federal standard for protecting individuals’ PHI and ePHI that is created, received, used, or maintained by Covered Entities (CEs) and Business Associates (BEs). This standard requires that entities design, implement and enforce appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI. HHS OCR is responsible for the administration and enforcement of the Security Rule. It performs compliance audits and investigations and has the authority to impose civil penalties and corrective action plans for violations. In addition to the Security Rule, OCR also enforces the Privacy Rule and Breach Notification Rule.
Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, HHS OCR initiated its pilot Phase 1 Audit program in November 2011. Those audits were punctuated by HHS OCR’s publication in June 2012 of an online searchable audit protocol that mapped the Security, Privacy and Breach Notification requirements evaluated in Phase 1. The audit protocol has emerged as a valuable tool for conducting internal assessments because it established a roadmap for aligning organizational performance of key HIPAA requirements with, among other things, security policy development, security monitoring and detection, security governance and management, workforce training, incident response planning, and business associate contracts.
Although the prior audit focused exclusively on CEs, the Phase 2 Audits will encompass both CEs, as well as BEs, which often serve critical data processing and management services. There is no doubt that HHS OCR will leverage the insights learned during Phase 1 to inform and design the audit protocols for Phase 2, which have not yet been published. If the recent enforcement actions and settlements against St. Elizabeth’s and CCG are any indication of things to come, both CEs and BEs should consider conducting comprehensive risk assessments to identify issues for remediation before the Phase 2 Audits begin. As in those investigations, HHS OCR will likely be looking for whether organizations have conducted enterprise-wide risk assessments to identify their core technical and procedural vulnerabilities, and whether those assessments then translated into remediation strategies, as well as operational policies and employee training. In particular, HHS OCR is sure to examine the preparedness of organizations to detect, response, and recover from security incidents and data breaches. Moreover, as Phase 2 will encompass BEs, the same types of risk analysis and risk management, as well as breach reporting issues, promise to be front-and-center given the spate of recent high profile data breaches (across industries) that have been attributable to third-party service providers.
As a result, CEs and BEs should take this opportunity to review their security programs to identify potential HIPAA compliance issues, use the existing searchable online audit protocol tool as a starting point for conducting a comprehensive self-assessment, consider retaining expert outside help as necessary to provide an objective view and to help in developing a comprehensive plan that addresses physical, technical and administrative safeguards, and prepare and begin implementation of remediation plans. The best defense is early identification of risks and areas for remediation to provide organizations with the opportunity to avoid enforcement actions.