Yesterday, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced the resumption of its long-awaited Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance audits. Given the alarming share of data breaches in the healthcare industry, found to exceed 40 percent of all reported data breaches,1 healthcare providers, health plans, clearinghouses and their business associates are well advised to get their HIPAA compliance in order before OCR comes knocking. And the knocks have already begun: OCR is targeting about 200 audits in 2016.

OCR has become increasingly aggressive over the past few years in pursuing enforcement actions where protected health information (PHI) has been compromised through data breaches. Resolution agreements and civil monetary penalties have repeatedly reached the million-dollar range, and enforcement is likely to increase now that OCR has resumed HIPAA compliance audits.

OIG's Audit Finding

In an audit report released in September 2015, HHS's Office of Inspector General (OIG) found that OCR's enforcement of the HIPAA Privacy Rule2 had been less than effective. OIG's concern was that covered entities (such as doctors, pharmacies and health insurance companies) that do not adequately safeguard PHI (such as medical conditions, prescriptions, or treatment history) could expose patients to invasion of privacy, identity theft, or other harm. OCR accepted OIG's audit findings and undertook to resume HIPAA compliance audits in early 2016.

OCR's Response

Unlike the 2012 pilot audits, which included only 20 covered entities, "Phase 2" will cover about 200 covered entities and business associates. As for the audit approach, the majority of the audits will consist of remote desk reviews, although some on-site reviews will take place. If the audit reviews turn up serious compliance issues, further investigations may occur, with the potential for the imposition of penalties and corrective action plans.

Preparation for Audit

The most common deficiency found by OCR in its pilot audits was an organization's failure to conduct a security risk assessment to identify and mitigate risks to PHI (e.g., PHI stored on exposed servers, unencrypted laptops, unchanged default passwords, out-of-date security software, and inadequate workforce training). This deficiency continues to appear in recent OCR enforcement actions. Accordingly, this area of noncompliance should be the primary focus of audit preparation.

Preparation for an audit begins with a thorough review of the compliance requirements found in the HIPAA Audit Protocol. OCR has stated that it plans to update the audit protocol later this year, so interested parties should stay abreast of this development on OCR's website. The audit compliance requirements are divided into three categories: security, privacy, and breach notification.

As noted, the most common compliance deficiency identified has been the failure to conduct a security risk assessment. A risk assessment identifies the threats and vulnerabilities that put the confidentiality, integrity and availability of PHI at risk, evaluates the security controls put in place to mitigate those risks, and establishes ongoing monitoring of whether those controls remain effective as systems and personnel change.

In addition to conducting a risk assessment, adequate audit preparation requires a review of the myriad HIPAA policy requirements relating to, for example, privacy practices; uses and disclosures of PHI; training; complaint handling; discipline; administrative, technical and physical security safeguards; and security incident management. These policies will likely be requested and examined by OCR in a desk audit prior to an on-site visit.

Potential audit targets should also compile any previous audit reports, evaluations, or assessments regarding implementation of the HIPAA security, privacy and breach notification standards. Well before receiving an audit notice, organizations should develop an audit response plan that outlines key considerations such as who will be the organization's lead responder to the audit team, a list of responsive documents, and how personnel will be prepared to answer questions.

Consequences of an OCR Audit

Any audit can be disruptive to an organization's business, but the OCR audits and the resulting reports may create unintended liability exposures. Should an audit review indicate a serious compliance issue, OCR may initiate a full-blown compliance investigation to address the problem. Thus, a substandard audit result could trigger penalties and a corrective action plan, even in the absence of a data breach.

Another concern is that OCR audit reports are neither confidential nor protected by any privilege. Consequently, in the event of a breach or complaint investigation, state attorney general offices will be able to request a copy of the entity's OCR audit report to demonstrate knowledge of prior deficiencies. In addition, audit reports will likely be discoverable and could be used to prove knowledge of substandard compliance in subsequent litigation. Finally, in states like Connecticut, where case law has established that the HIPAA regulations may serve as the standard of care for protecting privacy under state law,3 a substandard OCR report could be viewed as a de facto violation of state privacy law.

Conclusion

Now that OCR audits have resumed, it is time for covered entities and business associates to begin to prepare by performing self-assessments based on the HIPAA Audit Protocol and taking corrective action to address identified vulnerabilities. Additionally, organizations should consider having legal counsel involved at the beginning of any OCR audit due to the unpredictable nature of government audits and the potential consequences associated with the audit reports.

For more information about the upcoming HIPAA compliance audits, please contact one of the individuals listed in the sidebar. To assist healthcare entities in preparing for a HIPAA audit, Day Pitney LLP has developed several tools, including a self-assessment tool based on OCR's HIPAA Audit Protocol, to facilitate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Information on these compliance tools is available on request.

Footnotes

1 Identity Theft Resource Center, Breach Statistics 2005-2015.

2 The HIPAA Privacy Rule provides standards for using, sharing and disclosing patients' protected health information.

3 Byrne v. Avery Center, 314 Conn. 433 (2014).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.