It’s time to review and complete your policies and procedures before the U.S. Department of Health and Human Services (HHS) begins Phase 2 HIPAA audits later this year. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to audit covered entities and Business Associates (BAs) to make sure they are complying with the Health Insurance Portability and Accountability Act (HIPAA), which includes the Privacy, Breach Notification, and Security Rules. The HHS Office for Civil Rights (OCR) began audits in 2012 and has shared the results of the 115 covered entity audits from that pilot program. By reviewing the initial audit findings, employers can identify the focus of previous HIPAA audits and prepare accordingly.
With respect to the Security Rule, the OCR’s initial audits found that most entities failed to perform a comprehensive and accurate security risk assessment. Without an assessment, it is difficult to maintain documentation of an internal risk analysis or of the associated management plan detailing how the organization intends to manage the risks it has identified. Other concerns included a lack of media management and audit controls, including controls for the disposal of protected health information (PHI).
As to the Privacy Rule, most covered entities failed to meet the audit protocol requirements for providing a Notice of Privacy Practices and for having executed Business Associate Agreements (BAAs). Also lacking were procedures governing the internal use of and access to PHI, application of the “minimum necessary” rule, documented annual workforce education and training, and the application of sanctions after a failure to safeguard PHI.
The OCR’s Deputy Director of Health Information Privacy, Deven McGraw, recently reported that Phase 2 audits have begun. The OCR is in the early stages of this phase and is currently confirming addresses for the Covered Entities (CEs) and BAs that will receive questionnaires. The OCR will then select a diverse pool of audit candidates from the information gathered through that questionnaire. Phase 2 will include at least 200 desk audits, focused on specific provisions of the rules, and 10 to 25 full-scale onsite audits.
Expect updates to the audit protocol used in 2012. The updates will reflect the HIPAA Omnibus Rule and provide more guidance in evolving areas such as cyber-security. We should see the proposed changes in April 2016, followed by a comment period, with the final changes implemented later in 2016 before the Phase 2 audits begin. It is prudent to familiarize your team with the current audit protocol now.
First, be on the lookout for the OCR’s email requesting contact information. OCR will follow up with a pre-audit questionnaire sent to the covered entities selected for desk audits and on-site audits. It is important for privacy officials and executives to take immediate action. Keep in mind that the email may be incorrectly classified as spam; OCR expects entities to check their junk or spam folders for emails from OCR. If an entity does not respond to OCR’s request to verify its contact information or to the pre-audit questionnaire, OCR will use publicly available information about the entity to build its audit subject pool. Therefore, an entity that does not respond to OCR may still be selected for an audit or be subject to a compliance review.
This HIPAA Audit Checklist can serve to get you started.
In addition to the reputational repercussions for the business, HIPAA and HITECH carry significant economic penalties. For instance, HHS can impose civil penalties of $100 to $50,000 per violation, with the total amount imposed on an entity for all violations of an identical requirement not to exceed $1.5 million in a calendar year. Keep in mind that this maximum applies to each separate provision violated, and most compliance failures involve numerous provisions.
Criminal penalties are enforced by the Department of Justice (DOJ). They apply when a person knowingly discloses health information in violation of the provisions. The penalties include a fine of not more than $50,000, imprisonment of not more than one year, or both, and can extend to a fine of $250,000 and imprisonment of up to ten years, or both, when there is intent to sell or use health information for personal gain or malicious harm.
Effective February 18, 2009, the HITECH Act authorized all state attorneys general to bring civil actions in federal court for violations of HIPAA to protect the interest of residents in their states.
Any audit can be disruptive to business as usual, so it is prudent to prepare now. Become familiar with the audit protocol, its documentation requirements, and the correct procedures. Make the necessary internal changes so you are prepared to respond quickly.