On March 21, 2016, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the beginning of Phase 2 of its HIPAA audits of covered entities and their business associates. Per the OCR announcement, “OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.” Although OCR has announced that only a few hundred covered entities and business associates will be audited during Phase 2, OCR has not disclosed exact numbers and has been specific that every covered entity and business associate is eligible for an audit. In addition, OCR has said that it will use the results of the Phase 2 Audits to develop its permanent audit program, underscoring that this increased audit activity is likely to continue into the future.
History of the Audit Program
The Health Information Technology for Economic and Clinical Health Act (HITECH) requires OCR to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. In 2011 and 2012, OCR implemented a pilot audit program, referred to as “Phase 1”, in which it audited only 115 covered entities for compliance with HIPAA’s requirements. Drawing on the Phase I experience and results, OCR is now implementing Phase 2 of the program. Phase 2 expands the audit scope to include business associates as well as covered entities. OCR will not audit entities with open complaint investigations.
This increase in audit activity comes just a few months after the OIG issued two reports calling for better oversight of covered entities. The first report, titled “OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” found that OCR’s oversight is primarily reactive and that OCR had not fully implemented the required audit program to proactively assess possible noncompliance from covered entities. OIG recommended in part that OCR fully implement a permanent audit program and develop a policy requiring OCR staff to check whether covered entities had previously been investigated for noncompliance.
The second OIG report, “OCR Should Strengthen its Follow-up of Breaches of Patient Information Reported by Covered Entities,” found that OCR had incomplete documentation of covered entities’ corrective actions in 23% of closed “large-breach” cases in which OCR made determinations of noncompliance. OIG also found that OCR did not record “small-breach” information in its case-tracking system, which limits its ability to track and identify covered entities with multiple small breaches. OIG’s recommendations included that OCR maintain complete documentation of corrective actions taken and enter small-breach information into its case-tracking system.
OCR agreed with OIG’s recommendations in both reports and has begun to proactively implement programs to address the issues and recommendations identified in them.
Recommendations for Covered Entities and Business Associates
Although OCR has indicated that the 2016 Phase 2 audit program is “primarily a compliance improvement activity” aimed at identifying the types of technical assistance to develop and corrective actions that would be most helpful, the program is not the only reason an entity should consider putting its HIPAA house in order. HIPAA noncompliance poses financial risks to covered entities and business associates. OCR’s $1.55 million settlement with North Memorial Health Care of Minnesota (North Memorial) earlier this month illustrates the serious risk of noncompliance. An audit is not the only way noncompliance can come to OCR’s attention—the North Memorial settlement followed a breach report by North Memorial disclosing a breach by a business associate. The settlement resolved allegations that North Memorial had violated HIPAA by not implementing a business associate agreement where required and failing to conduct an organization-wide HIPAA risk analysis. In addition to the payment, North Memorial is also required to develop an organization-wide risk analysis and risk management plan, as well as to train appropriate workforce members on all policies and procedures newly developed or revised pursuant to the corrective action plan.
Covered entities and business associates should be aware of the increased scrutiny and heightened enforcement of HIPAA compliance. Some general recommendations to consider are:
Be alert for e-mails from OCR. The first step of the 2016 audit process will be an e-mail from OCR requesting verification of an entity’s address and contact information. Receipt of an e-mail does not necessarily mean that an entity has been selected for audit, but not responding to a request for information will not exempt an entity from the audit pool. In other words, an entity that does not respond may still be selected for audit, and OCR has expressed an expectation that entities will provide full cooperation and support, even expressly stating that OCR expects covered entities and business associates to check junk or spam email folders for emails from OCR, (OSOCRAudit@hhs.gov), in anticipation of the requests for information. Note also, that if an entity receives a request for information and does not respond, OCR will use publicly available information to create its audit pool, potentially creating confusion and increasing the risk of missing the 10 business day response time for entities ultimately selected for an audit.
Evaluate HIPAA compliance. With OCR’s increased scrutiny of covered entities and business associates, organizations should proactively evaluate their HIPAA compliance programs. OCR has said that it will post updated audit protocols on its website closer to conducting the 2016 audits. While the updated protocols will be the best tool for organizations to conduct their own internal self-audits as part of their HIPAA compliance activities, covered entities and business associates need not wait for the revised protocols prior to self-evaluating. The Phase 1 protocols are available here and provide useful guidance for the present time.
Address any compliance gaps. If a covered entity or business associate identifies any gaps in its HIPAA compliance, it should take steps to address them. Entities should also consider whether any identified issues or updates trigger a notice requirement (for example, notice to patients of an updated Notice of Privacy Practices). We anticipate that organizations will be required to provide copies of their security risk assessment and their breach notification policy, among other items.
Document, document, document. As always, covered entities and business associates should ensure that they appropriately document their compliance efforts. Not only will this exercise help keep an entity on track with its HIPAA compliance, it will also place the entity in a better position to timely support an assertion of compliance should it receive a request for information from OCR or be selected for an audit. Note that covered entities will be asked to provide a list of all of their business associates as part of the 2016 pre-audit screening questionnaire, and this and other similar requests may be challenging to meet in a short time frame if the information is not already readily available. OCR expects organizations to submit all documents and responses to an audit within 10 business days of the date the audit request is received.
To review the entire document and formatting for this alert (e.g., footnotes), please access the original below:
Phase 2 HIPAA Audits Underway: What Covered Entities and Business Associates Need to Know