Are You Ready for New HIPAA Audits?
Americas patient privacy law, the Health Information Portability and Accountability Act of 1996, has been anything but static. Regulators have pushed to keep it current and to draft forward-looking rules. This fall is no different, with a second round of government audits scheduled that could be the toughest yet for covered entities (i.e., health plans, health care clearinghouses, and health care providers who electronically transmit any health information).
Covered entities often face an uphill battle when trying to manage HIPAA requirements. They must respond to regulatory updates, such as the recent changes in the Omnibus Rule of HIPAA, which governs the interactions between service providers and health care companies. Those amendments can quickly force covered entities into a tough spot.
The updated regulations are comprehensive and might be the most stringent of all with respect to data management governance coming from the federal government. The upcoming Phase 2 audits will force covered entities to examine every aspect of their information security policies, procedures, and practices. But this is a daunting task given that industry giants such as Target, Home Depot and JP Morgan Chase have been hacked despite spending tens of millions of dollars trying to stop attackers from accessing sensitive records.
Organizations can try to go it alone in staying current with all of HIPAAs evolving regulations, which require the implementation of a comprehensive set of administrative, physical, and technical safeguards to secure patients data and preserve their medical privacy. The smarter ones are increasingly turning to service providers especially those that manage information technology to meet and sustain compliance. These critical business associates have become essential to enable medical providers to focus on what they do bestpatient care, while easing much of the regulatory and technology burden by relying on experts in those fields.
However, engaging a business associate does not allow the covered entity to merely pass the buck and walk away. Indeed, because inexperienced or careless business associates are just as likely as covered entities to be the source of a medical data breach, they must be carefully screened and monitored. Check with other medical providers to see who they use and recommend. Ask each service provider up front for an example client list. Lastly, require the business associate to provide you with annual independent audit reports to verify their ongoing compliance.
Office for Civil Rights has new plans and tougher audits
The U.S. Department of Health and Human Services Office for Civil Rights (OCR), which conducts HIPAA audits, was supposed to start Phase 2 audits this summer. In mid-September, it pushed back the date so that entities could report their self-evaluations via the Web.
That was a blessing for organizations that needed more time to achieve compliance and prepare for an audit. While spending for upgrades and updates could prove costly, that amount will be much less than the crippling fines and sanctions for failing the OCRs tests that could run into the millions of dollars.
Given the negative publicity generated by security lapses, organizations that fail tests also face the likelihood that their reputations will be severely damaged in the eyes of patients. The cost of protecting patient data by using encrypted email and data center security services, as well as general compliance support, will almost always be far lower than the price of being called out for noncompliance or, even worse, falling victim to a security breachwhich can result from intentional cyber-attacks or mere accidents by well-meaning employees. Examples include a Massachusetts hospital fined $1.5 million when an unencrypted laptop was stolen, and an Alaska state health department that was fined $1.7 million when an unencrypted USB drive vanished from an employees vehicle.
The OCR shared some bad news when it announced the delay. It will conduct more on-site audits and halve the number of remote audits to 200. That means more inspectors will be visiting offices, reviewing records and asking questions. Face-to-face audits are more comprehensive, as OCR staff examine whether security procedures are in place and more importantly -- being followed.
The OCRs staff will be focusing on how well organizations handle risk analysis and risk management, notice of privacy practices and access rights, and content and timeliness of breach notifications. That will be followed up with more audits in 2015 covering device and data transmission safeguards, audits of business associates, and other areas. You can expect auditors to take a close look, given that 89 percent of the 115 entities audited in the first round had at least one compliance problem.
Can you hope to avoid an audit? Probably not. The OCR will be sending out surveys to about 1,200 covered entities and their business associates. The office has organized them by size and will inspect providers of all sizes, not just the big guys.
Considerations for the coming months
Health care providers should begin preparing for the Phase 2 audits without delay. They should take a proactive and comprehensive approach to eradicating gaps in security and privacy protections before they become an issue. One of the best areas to begin an internal review is with systems that govern and manage data communications (i.e. email and file transmissions).
It can be tricky for a medical organization to stay ahead of the technology curve and properly manage information systems in a HIPAA-compliant manner. One solution is to partner with an expert provider of HIPAA email tools and data center management services. That technology companys understanding of the regulations and IT can help anticipate problems and implement solutions.
David Bailey is a vice president and Charlie Frayer is General Counsel and Chief Privacy Officer at Protected Trust, a cloud-based information technology hosting vendor.