The Office for Civil Rights (OCR) recently announced its intention to begin its second round of HIPAA audits. Slated to begin in 2016, the initiative will include both on-site and desk audits and will focus on areas of poor compliance found in initial audits.

It is expected that only about 300 provider organizations across the country will be audited. The likelihood your group will receive one of the dreaded OCR audit letters is small, but experts recommend preparing just in case. If you have your ducks in a row for an audit, it will also reduce the likelihood a breach will occur in your organization.

Risk assessments

According to Kelly McGee, an attorney at the Boston-based law firm Donoghue Barrett & Singal, Phase 1 HIPAA audits revealed that about 80% of providers did not have HIPAA-compliant risk analysis programs. This is a problem because one of the main tenets of HIPAA is to understand an organization’s risk. Many of OCR’s enforcement actions involved groups that had not conducted assessments.


Daniel Gottlieb, a partner in the law firm of McDermott Will & Emery LLP, headquartered in Chicago, said organizations really need to perform an assessment to identify their risks and vulnerabilities. Because OCR understands that security and compliance are ongoing efforts, it also expects action plans with reasonable timelines for the tasks that will bring an organization into compliance.

“OCR asks for a plan and timeline if they are doing an investigation,” Gottlieb said. “And if it’s out of date, that would be a flag that they aren’t taking it seriously.”

“You have to be really lucky to win the lottery and really unlucky to be one of the providers selected for an audit,” Gottlieb said. “The bigger risk would be having a security breach, which would lead to an investigation.”

Prepping for an audit can help reduce the risk of a breach. Gottlieb and his colleagues recommend that clients perform a self-audit using OCR’s audit tool. The current audit tool is very broad and covers much of HIPAA. OCR has said publicly that it is working on a tool for Phase 2 that will be more concise and focus on the points identified as problems in the pilot program. The agency has not given a specific date for when the tool will be available or when the coming audits will commence.

Laptop encryption

Encryption of personal health information is among the points that OCR has emphasized for its upcoming audits. Encryption is required unless an organization determines that it is not reasonable or appropriate in its circumstances.

There is a list of factors, Gottlieb said, that should be considered to determine whether an office needs to encrypt its information, including its risk assessment and cost. If implementing encryption is cost-prohibitive for a small practice, it may be exempt, but Gottlieb said OCR is cracking down on this area. For things like laptops, where the cost of encryption is low, practices should have it done.

“In theory, it is an addressable standard, but I think OCR has pretty much determined that it is always reasonable and appropriate to encrypt a laptop,” he said.

Updated breach policy

Another issue to consider is breach policies. Amendments were made to the breach policy guidelines in 2013, but Gottlieb said many groups he has worked with still follow the previous 2009 standards.

The primary changes in the 2013 rule are the factors considered to determine if an unauthorized disclosure is a breach that triggers notification. These include whether or not a person can be re-identified by the information released and the identity of the recipient of the disclosed information, Gottlieb said.

Written documentation

One of the best things practices can do is make sure they have policies, procedures, and required forms completed. The next step is to make sure staff is following those policies.

“A lot of organizations have great policies, but they are not actually doing what it says,” McGee said.

Here are some other considerations:

  • Business associate agreements need to be updated and in the hands of vendors
  • Breach logs need to be completed and filed if a breach occurs
  • An inventory of information system assets should be completed
  • A facility security plan should be created that includes the physical locations that store or access personal health information

Finally, a person responsible for these processes at each organization should be clearly identified. There may not be a lot of time to respond if an organization is unlucky enough to receive an audit letter, so the letter needs to get to that person immediately so preparation can begin.