The Health and Human Services Office of Civil Rights (OCR) is conducting a second round of audits to assess compliance with the Health Insurance Portability and Accountability Act. Unlike the first round, OCR is including business associates.
- OCR is emailing notices to entities that might be audited.
- A questionnaire will help determine audit targets.
- Auditors will be looking for the non-compliance issues that were most common in the first round.
The Health and Human Services Office of Civil Rights (OCR) announced recently that it is launching a second round of audits during 2016 to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA), and this time, it is including business associates. That change means that healthcare organizations should act now to ensure their business associates are fully compliant and not exposing the healthcare organizations to fines and other penalties.
This new round of audits underscores how HIPAA compliance is an ongoing responsibility, not a goal to meet and then move on, says Jessica Forbes Olson, JD, an attorney with the law firm of Fox Rothschild in Minneapolis, MN. The focus on business associates will test whether healthcare organizations have fully vetted and educated the vendors they trust with protected health information (PHI), she says.
“Covered entities and business associates often make the mistake of believing that HIPAA compliance is a one-time project, rather than an all-the-time practice. The upcoming OCR audits should be the impetus many entities need to do a self-audit and ensure their HIPAA ‘ducks’ are in order,” Olson says. “Recent OCR enforcement activity has shown that the cost of compliance is a drop in the bucket compared to the cost of non-compliance we’ve seen come in the form of OCR settlements of hundreds of thousands or millions of dollars.”
Round two of the OCR audits will include reviewing compliance with HIPAA Privacy, Security, and Breach Notification rules, as with the first round. The addition of business associates in round two makes the risk even higher for healthcare organizations because OCR can hold the healthcare provider accountable for a business associate’s shortcomings.
The round two audits will occur in three phases, Olson explains. First there will be desk audits of covered entities, then desk audits of business associates. The last phase will be follow-up on-site reviews. OCR is expected to conduct about 200 audits, including the desk audits, Olson says.
OCR has identified the audit pool and begun contacting the healthcare providers and business associates by email, Olson explains. Covered entities must respond within 14 days, so Olson urges healthcare providers to make sure that these automated emails are not lost in spam or junk email folders.
The initial email will be followed by a pre-audit questionnaire. However, Olson notes that receiving a pre-audit questionnaire does not necessarily mean the covered entity will be audited. Many more entities will receive a questionnaire than eventually will be audited. OCR chooses audit targets based on information in the questionnaires, which ask for details about the healthcare organization’s operations, including items such as revenue, patient volume, and the number of employees. The questionnaire also asks the entity to identify all business associates. Healthcare providers should make sure there is a current and accurate list available.
Don’t assume you can simply ignore the initial OCR email. If you fail to respond, perhaps because the email was lost in your system, OCR will draw on public information to gather much of the information sought in the questionnaire, Olson explains. Failing to respond could also factor into the agency’s decision of whether to audit your organization.
If OCR targets your facility for a round two audit, you will receive another email notifying you of that fact.
OCR will conduct the desk audits through the rest of 2016, and on-site audits are not expected until 2017, says Peter A. Blenkinsop, JD, an attorney with the law firm of Drinker Biddle in Washington, DC. In choosing the covered entities to audit on site, OCR will focus on specific areas of concern that were identified in round one of the audits, and it primarily will target the most common types of non-compliance.
“There is a very good chance that they will be focusing on things like making sure that covered entities and business associates have conducted a comprehensive security risk assessment. With addressable safeguards under the security rule, they will be looking for the entities to show that they have either implemented those addressable safeguards or they have documented what alternative safeguards they’ve chosen to put in place to meet that same objective,” Blenkinsop says. “Those are areas where OCR found many deficiencies in phase one.”
Additional problem areas commonly found in the round one audits include the notice of privacy practices required by the privacy rule, employee training on HIPAA policies and procedures, and transmission security. Blenkinsop notes that although OCR does not require encryption, it does expect covered entities to protect data transmitted over an open network, and in practice that expectation usually means encryption. An alternative would be transmitting the data through a closed network.
Device and media control was also a common area of non-compliance in earlier audits. This control becomes especially important if you allow employees to store PHI on laptops, phones, and other portable devices. The covered entity must have policies and procedures in place to protect PHI on these devices, which have figured in some of the largest and costliest data breaches.
OCR will focus on those areas, but a covered entity can be asked about any aspect of HIPAA compliance. One of the best ways to prepare for a potential round two audit is to study OCR’s audit protocols, Blenkinsop suggests. The protocols are available online at http://1.usa.gov/24hFxqF.
“The minimum that covered entities should be doing is to come up with a readily available list of your business associates, and if you’re a business associate, you should have a list of other vendors who are essential sub-business associates of you,” he says. “You need to be able to produce those quickly if OCR asks for them, and you also should know where your HIPAA policies and procedures are and that they are up to date. When the desk audit begins, you will have just 10 days to respond with the documents that OCR requests. You don’t want to wait until that request comes to start putting things together.”
Result: A broader review?
The audit could be only the start of a compliance nightmare. If OCR finds serious deficiencies, it may conduct a more comprehensive compliance review, which could lead to civil and criminal penalties, Blenkinsop notes. However, OCR has stated that the main purpose of the audits is to identify compliance and security challenges so that it can provide better training and resources for HIPAA compliance, he says.
“I think that should alleviate some concern on the part of covered entities and business associates who have been making a good faith effort to comply,” Blenkinsop says. “If you’ve been making a good faith effort and have a program that shows you were trying to comply, I think it’s unlikely that these audits are going to result in a penalty for you.”
Blenkinsop expects the round two audits to show compliance failures are more common in smaller entities, as was the case in round one. Larger entities are more likely to have a dedicated department and staff for compliance, whereas at smaller entities, the job may fall to someone who has plenty of other responsibilities as well, Blenkinsop notes. However, larger organizations are more likely to be targeted by hackers seeking PHI, which should serve as its own motivation to comply with HIPAA, he says.
However, overall enforcement activity from OCR has been increasing steadily for a few years, notes Michael A. Moroney, JD, an attorney with the law firm of Carroll McNulty and Kull in Basking Ridge, NJ. The round two audits should be seen as only one more reason to make sure your organization has a thorough, well-organized HIPAA compliance plan, he says. Just having a HIPAA notebook on a shelf and asking patients to sign a HIPAA notice isn’t going to cut it.
“We’ve always told our clients that it costs far less to address HIPAA compliance head-on and develop a good program than it does to defend yourself and try to mediate penalties from OCR,” Moroney says. “It may be disruptive to develop a good plan, but it’s better to do it on your own time and with your own budget than to wait until it’s too late and OCR tells you what the plan is going to be, how much you’re going to spend on it, and what the timeframe is. OCR typically is very onerous when it comes to telling you how to develop a compliance plan.”
- Peter A. Blenkinsop, JD, Drinker Biddle, Washington, DC. Telephone: (202) 230-5142. Email: firstname.lastname@example.org.
- Michael A. Moroney, JD, Carroll McNulty and Kull, Basking Ridge, NJ. Telephone: (908) 848-6300. Email: email@example.com.
- Jessica Forbes Olson, JD, Fox Rothschild, Minneapolis, MN. Telephone: (612) 607-7478. Email: firstname.lastname@example.org.