Recent enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) have shown an increase in fines and penalties assessed against smaller providers for failing to comply with the privacy, security and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA). Historically, OCR has focused on larger providers, such as hospitals and health systems, and breaches involving more than 500 individuals; however, OCR is now aggressively enforcing HIPAA compliance of smaller providers, including sole practitioners, and investigating smaller breaches affecting fewer than 500 individuals. As a result, 2016 is expected to be a critical year for HIPAA enforcement and a record year for fines and penalties for noncompliance.
Reason for the Change
In fall 2015, the Office of Inspector General (OIG) issued a report regarding OCR’s HIPAA enforcement practices. The report found that OCR actively investigated all large breaches (affecting more than 500 individuals), but failed to document investigations of small breaches (affecting fewer than 500 individuals), suggesting that small breaches are often overlooked. This variance is largely due to limited federal resources and the fact that OCR simply does not have the time or manpower to investigate small breaches.
The OIG’s report also suggests that certain covered entities routinely violate HIPAA regulations and exhibit compliance issues that warrant increased fines and penalties. In response, OCR is increasing its enforcement activities by reviewing covered entities with previous breaches to reassess compliance and markedly increasing the fines assessed against repeat offenders. In addition, on March 21, 2016, OCR announced that phase 2 of its HIPAA audit program had begun, which is undoubtedly an effort to overcome any scrutiny cast on OCR by the OIG’s report.
Phase 2 HIPAA Audits
Although the second round of HIPAA audits has been expected for some time, OCR is now actively selecting covered entities and business associates for phase 2 HIPAA audits. The goal of the audit program is to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules. OCR intends to use the data it obtains during the audit process to examine compliance mechanisms, determine best practices, and discover program risks and vulnerabilities.
Phase 1 took place in 2011 and 2012, and focused on the compliance of covered entities. Phase 2 will differ from phase 1 in that the audits will be expanded to include business associates. This phase will consist of three series of desk and on-site audits. The first series of audits will be desk audits of covered entities, and the second series will be desk audits of business associates. Desk audits are conducted off site and will examine specific compliance requirements of the Privacy, Security and Breach Notification Rules by reviewing policies, procedures and compliance plans of each entity selected for the audit. OCR expects the first and second series of desk audits to be completed by the end of 2016. The third series of audits will be on site and focus on a broader scope of HIPAA requirements than the desk audits. Selection for the first or second round of desk audits does not preclude selection for the on-site audits conducted during the third round, so some entities may be subject to both.
It is imperative that you evaluate your HIPAA compliance now & not wait until you are selected for an audit or are—even worse—a party to a breach.
Any covered entity or business associate can be audited, regardless of size or type of provider. Audit selection criteria include the size and type of the entity, affiliation with other healthcare organizations, whether the entity is public or private and geographic factors. The only entities exempt from an audit are those with an open complaint investigation or those currently subjects of compliance review.
Advance Preparation Is Critical
Fines and penalties assed by the OCR due to noncompliance with HIPAA requirements can put a small provider out of practice. For this reason, it is imperative that you evaluate your HIPAA compliance now and not wait until you are selected for an audit or are—even worse—a party to a breach.
The unfortunate truth is that a security incident is more likely to happen than not. Therefore, it is critical that you take the following steps now to ensure you are prepared in the event of an audit or breach:
- Conduct a thorough review of your HIPAA policies and procedures. Confirm that those policies and procedures have actually been implemented and are effective.
- Review applicable state law to ensure that your HIPAA compliance program also complies with state health privacy laws. Many states have adopted privacy regulations that specifically address health information, and understanding these laws is a critical component of compliance.
- Assemble an incident response team (IRT). Involve legal, IT and human resources representatives, among others.
- Draft an incident response plan (IRP). This will be your go-to document in the event of a breach and should identify the IRT and clearly describe the decision-making process when handling security incidents.
- Test your IRT & IRP. This can be done by educating and then testing your IRT on HIPAA compliance requirements. In addition, pose hypothetical security incidents to the IRT and have them follow the IRP. Once completed, revise the IRP to overcome any shortcomings noted during the hypothetical scenario.
- Perform a risk assessment. Include penetration testing of your computers, devices and electronic health record software.
Completing these steps will not only benefit your organization by reducing the likelihood of investigations, complaints, security incidents, and significant time and money spent responding to such issues, it will bring you peace of mind in the knowledge that your organization is well prepared.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC. Contact him via email at [email protected].