In the health care industry, HIPAA rules and regulations apply to all providers, their business associates, and covered entities. A covered entity is a health provider, a health plan, or a health care clearinghouse.
Deven McGraw, deputy director of health information privacy at the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), recently commented on the HIPAA compliance audits being performed during the summer of 2016. She said:
“Organizations chosen for remote “desk audits” of their HIPAA compliance, which will begin this summer, need to be prepared to quickly provide supporting documentation.”
The audits are part of Phase II of the HIPAA Compliance Audits, which are directed at covered entities and at the business associates of providers. The OCR plans to audit between 200 and 250 covered entities and business associates. In mid-July 2016, OCR notified 167 covered entities that they had been chosen for a remote desk audit and must provide the requested documentation by July 22, 2016.
The majority of audits will be remote desk audits, but OCR plans to make site visits by the end of 2016 that will be more rigorous.
What Are the HIPAA Phase II Audit Subjects?
The overall goal of the HIPAA Phase II audit is to investigate and evaluate how covered entities and their business associates are following rules and regulations regarding HIPAA Privacy, Breach Notification Rules, and Security. The Phase II audits have three essential rounds, which are:
The OCR notes that an organization that participates in either Round One or Round Two can still be the subject of a Round Three audit. The likely topics of Phase II audits will be:
Recent Enforcement Activity
According to McGraw, recent enforcement activities should help others learn what they need to do from the resolution agreements and corrective action plans that follow breach investigations. She said:
“They’re intended to be instructive to the industry for things they should be looking for. For example, time and again we see that entities are not doing a security risk assessment that are enterprise wide … that take into account all the electronic protected health information that is in their environments.”
However, the Oregon Health & Science University (OHSU) may not agree that there are things to learn: it settled with OCR for $2.7 million and a three-year corrective action plan. There were 7,066 patients affected by two separate breaches in 2013. The first breach involved an unencrypted laptop stolen from a surgeon's vacation rental, and the second involved the use of a cloud-based storage provider (Google) without a business associate agreement.
Jocelyn Samuels, OCR Director, said:
“From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store electronic Personal Health Information (ePHI). This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”
These are not the first breaches that OHSU has reported; there was one in 2012 that also involved the theft of unencrypted data. Some speculate that these prior reports weighed on the decision to impose such a large settlement.
It was only one of eight settlements reached this year and the 35th since 2008. The total amount of those settlements is $36,639,200.
The breaches occurred in order of frequency at:
If your organization was part of the information gathering done by OCR in late 2015 and early 2016, you can be selected for an audit. Make sure your documentation is readily available and up to date, as you only have a few days to submit it.