How to Prepare for Increased HIPAA Audits

Register now

The Department of Health and Human Services Office of Civil Rights is on track to increase the number of HIPAA violation investigations starting in 2015 and to be prepared providers need to focus on risk analysis, privacy safeguards and training.

OCR has indicated to HIPAA expert and lawyer Adam Greene, a partner at Washington law firm Davis Wright Termaine, that what is in the pipeline for enforcement of HIPAA violations “will dwarf anything seen so far.”

Also See: How a ‘Book of Evidence’ Eases HIPAA Audits

Actual enforcement violations – where money has changed hands between a violating party and HHS – have in fact been on an upward trend recently, Greene said during a presentation Tuesday at HIMSS15 in Chicago. From the initial time compliance started being enforced in 2003, there was one or three monetary fines levied in 2008-2011, five in 2012 and 2013, and seven last year in 2014.

To date, over 100,000 claims have been brought to the Office of Civil Rights and 65% were administratively resolved without any investigation, 24% had voluntary corrective action after OCR found an indication of non-compliance, 11% no violation was found and 0%, or 23, resulted in a violation, Greene said.

But Greene adds, “We are entering a new era of HIPAA enforcement and what does that look like?” He explained HHS will not be handing out violations like speeding tickets but increasing monetary fines and more fines are what he sees coming in the future.

As a result, he encouraged those attending HIMSS to focus on risk analysis, privacy safeguards and training, as that can help prevent these fines and audits.

Despite large cases of hacking recently discovered, only 7% of reported breaches involving 500 or more individuals as of Feb. 15 involved hacking. “If you’re big focus is on hacking, you are not focused in the right place,” he said. “The biggest threat is the model employee who decides to work from home and doesn’t have safeguards.” The largest amount of reported breaches (53%) involved theft, such as breaking into cars and homes.

HHS’ audits also found that 80% of providers and 57% of health plans did not have complete or accurate risk analysis in place, Greene said. While he expect audits to begin later this year and settlements for investigations taking place now not to be announced until 2018 or later, it is important providers prepare now for the future by focusing on risk analysis, and looking at:

* Does it discover where electronic protected health information is located?

* Does it address the theft of mobile devices?

* Does it address the risk of improper security configuration?

Finally, Greene says to focus on breach avoidance and response. While encryption and loss prevention may be key to preventing a breach, providers must assume the workforce will be careless and prepare accordingly. If a breach is discovered, Greene said to ensure the root cause is addressed as OCR will ask about that. “Be sure when they get around to the data request, you addressed the root cause,” he said. “If something is too unreasonable, such as too pricey, write that down so when they ask you about it, you can show you thought about it. Or they will assume you had not thought about it.”

For reprint and licensing requests for this article, click here.