Those involved in the health care industry have been dealing with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) for years, including complying with national standards for the privacy of protected health information (PHI), securing electronic PHI (ePHI), and providing breach notification to consumers when required. In 2009, state attorneys general were empowered under HITECH to enforce HIPAA rules by bringing civil actions against violators. HITECH also requires the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) to perform periodic audits of covered entities' and business associates' compliance with the HIPAA Privacy, Security and Breach Notification Rules.
In 2011 and 2012, OCR established a pilot audit program to assess the controls and processes 115 covered entities had implemented to comply with HIPAA requirements. In September 2015, the HHS Office of Inspector General (OIG) issued its findings on the initial audit program. (See U.S. Department of Health and Human Services, Office of Inspector General, "OCR Should Strengthen Its Oversight of Covered Entities' Compliance with the HIPAA Privacy Standards," September 2015, OEI-09-10-00510.) The report concluded that enforcement of the Health Insurance Portability and Accountability Standards was "less than effective." OIG found that the OCR's oversight of covered entities' compliance with the HIPAA Privacy Rule was essentially reactive, in that the vast majority of its investigations were merely responses to complaints. OCR had not fully implemented an audit program to proactively identify and assess covered entities' compliance with privacy standards.
The OIG’s 2015 Recommendations
The 2015 OIG report addressed the “reactive” practices of the OCR. As a result of its findings, the OIG made five recommendations: (1) fully implement a permanent audit program; (2) maintain complete documentation of corrective actions taken by covered entities; (3) develop an efficient method in its case tracking system to search and track covered entities’ history of investigations; (4) develop a policy requiring OCR staff to check whether covered entities were previously investigated; and (5) continue to expand outreach and education efforts to covered entities. OCR concurred with all five recommendations.
Armed with these findings, the OCR has commenced its 2016 audit program and has recently taken an aggressive stance when settling covered entities' HIPAA violations. The goal of the formal audit program is to ensure that covered entities have taken the necessary steps to adequately safeguard PHI. By mandating compliance with HIPAA standards, the OCR hopes that covered entities will minimize patients' exposure to harm resulting from a data breach, including identity theft.
Prior OCR Settlements and Attorney General Actions
As a backdrop to the 2016 HIPAA audits, it is helpful to review some of the recent settlements that were reached as a result of HIPAA violations.
In 2014, for example, New York-based hospitals agreed to pay a $4.8 million fine to settle allegations that they failed to secure patients’ PHI. The settlement came after the OCR received notice in September 2010 from both organizations that a breach of unsecured PHI affecting 6,800 individuals had occurred. The hospitals had participated in a joint arrangement where they operated a shared network of data and a shared network firewall that was administered by both hospitals. An OCR spokesperson at the time stated that the settlement should serve as a reminder that healthcare organizations need to make data security central to how they manage their information systems.
In 2015, Triple-S Management agreed to pay $3.5 million to settle OCR’s claims that the company’s subsidiaries violated HIPAA and other privacy and security rules even though there was no data breach. In that case, the OCR found widespread noncompliance, including failing to implement proper safeguards to protect beneficiaries’ health information, disclosing that information to third parties without permission and using or disclosing more of that information than necessary for mailings.
In September 2015, the OCR reached a $750,000 settlement with Indiana-based Cancer Care Group PC because it failed to conduct an organizational risk analysis and implement follow-on device and media control policies to protect the transportation of “unencrypted” PHI. Had a risk assessment been done, the organization could have identified the control weakness.
On December 2, 2015, the attorney general from New York announced a settlement with the University of Rochester Medical Center (URMC) to prevent future patient privacy breaches. Not only must URMC pay a $15,000 penalty, it must also train its workforce on policies and procedures related to protected health information.
On December 7, 2015, the OCR announced that Lahey Hospital & Medical Center in Burlington, Massachusetts “will pay $850,000 in a settlement with federal officials after a stolen laptop exposed private patient information in violation of federal law.” The laptop was stolen from an unlocked room at the hospital and “contained information about 599 patients.” In addition to the fine, “Lahey must adopt a ‘robust corrective action plan’ to improve the measures it takes to protect patient information.”
In March 2016, the OCR reached a $1.55 million settlement with North Medical Center of Minnesota (North Medical) and a $3.9 million settlement with a clinical research institute. Both settlements followed the self-reporting of laptop computers stolen from cars. In addition to the monetary settlements, both covered entities entered into compliance agreements that required them to conduct a security risk analysis and to modify their policies and procedures, among other requirements.
The implementation of the 2016 HIPAA audits and these recent settlements underscore the importance for covered entities and business associates to review their obligations under HIPAA to ensure they are in compliance with the rules and regulations.
The 2016 HIPAA Audit Program
The first phase of the 2016 audit program began in March with 150 covered entities and 50 business associates. This phase includes 150 “desk audits” and 50 on-site audits. Of the 50 on-site audits, 40 will be at covered entities and 10 will be at business associates. The inclusion of business associates is new. Entities with an open complaint investigation or which are currently undergoing a compliance review will not be audited.
Initially, the 2016 audit program started with e-mails to covered entities, such as health care providers and insurance plans, and to business associates that handle PHI on behalf of covered entities. The next step will be the issuance of “pre-audit questionnaires” seeking details about their business size and operations.
Barbara Holland, the HHS regional manager for OCR’s mid-Atlantic region, stated at a PHI Protection Network Conference in Philadelphia in March 2016, that the OCR is “beginning to raise [its] expectations about compliance” and that it has a “lower tolerance for noncompliance.”
Planning for 2016 OCR Audits
Covered entities and business associates should heed the OCR's admonitions about compliance with HIPAA requirements, not only because of the prospect of a HIPAA audit but also given the recent settlements it has reached for HIPAA non-compliance. Companies should not wait until their organization receives an audit notice or has to self-report a HIPAA violation before reviewing the state of their organization's compliance. The following 10 steps should be taken to help prepare for an OCR HIPAA audit:
1. Conduct, test and document a HIPAA risk analysis to identify the risks that threaten the confidentiality, integrity or availability of protected health information and have a corrective action plan in place to address any identified deficiencies.
2. Document policies and procedures specific to your organization and ensure they are implemented.
3. Document and designate a security official and a privacy official who will be responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule and Privacy Rule, as well as be the point of contact for audits and questionnaires.
4. Train employees from the boardroom to the mailroom on policies and procedures and conduct follow-up awareness training. It is essential that training be mandatory with 100 percent compliance and that employee affirmations of compliance be documented and maintained.
5. Perform a defensible HIPAA assessment. Identify what measures are in place to ensure PHI is secured and evaluate whether you are storing and disclosing PHI only as necessary.
6. Maintain an inventory of any and all devices that access ePHI and make sure they are properly secured. It is also important that the policies and procedures for securing equipment that accesses ePHI be properly documented.
7. Maintain a record of which devices are encrypted and when. Encryption is a growing area of focus for HHS and OCR, and it can provide a safe harbor from HIPAA breach notification requirements.
8. Know who your business associates are, maintain a list and have business associate and subcontractor business associate agreements in place. Equally important is to know the security and reporting obligations your company has as a business associate as well as the obligations your company’s business associates and subcontractors have to your company.
9. Maintain policies and procedures for security incidents.
10. Create an internal and external incident response team, with retention agreements in place. If your incident response team primarily consists of IT, consider hiring an outside consultant to help your company implement a more holistic approach to data privacy and security, which should include legal, human resources, marketing and finance representatives.
Other Considerations
1. To the extent possible, the risk assessment exercise should be conducted under the direction of an attorney so that attorney-client privilege can be invoked in the event of a future data breach.
2. Review and update your organization’s HIPAA policy documents and be prepared to produce them to the OCR either during the desk audit or on-site visit.
3. Confirm whether your organization has been involved in any prior audits, and the results of those audits.
4. Following the receipt of the audit report, be prepared to agree to a corrective action plan that addresses any concerns that have been identified in the audit.
Conclusion
The 2016 HIPAA audit season and recent OCR settlements should serve as a reminder that health care entities should review their policies and procedures to ensure that they are in compliance not only with HIPAA but also with the ever-changing state breach notification laws. Failure to perform this type of internal security risk analysis will likely increase the severity of the consequences a health care entity will face in the event of a HIPAA violation, data breach or cyber incident.
Cinthia Granados Motley is Partner and Carol J. Gerner is Counsel in Sedgwick LLP’s Chicago office. They can be reached at cinthia.motley@sedgwicklaw.com and carol.gerner@sedgwicklaw.com, respectively, or via the firm’s website – http://www.sedgwicklaw.com.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare.