HIPAA audits are coming, and a lot of unprepared providers are going to be caught with their pants down.
The audit mandate, an extension of the HITECH Act, means that any provider subject to HIPAA standards is also subject to a potential audit of their privacy, security, and breach notification statuses. If you’re interested in viewing the audit protocol, it’s available here, but we’ve put together this article to help inform and prepare you around a some essential audit points:
- What your HIPAA program should look like today
- What’s coming down the HIPAA pipeline in 2016
- OIG’s take on the current HIPAA environment
- Advice on how to prepare for Phase 2 HIPAA Audits
Why Audits Matter
Of course, all responsible providers are looking to stay on top of HIPAA requirements to avoid trouble when going through an audit, but as threats to patient information grow, government compliance will likely be the least of your worries.
That’s largely because healthcare information is a sitting duck.
A recent study (the Building Security In Maturity Model) that tracks and measures observable software security practices across 12 core areas recently included healthcare in its industry list. Healthcare came out on bottom, falling short on all 12 core areas measured. This might not be quite as alarming if the industry weren’t struggling with a multi-billion dollar threat that’s so serious, millions are impacted by just one breach and even Congress is considering getting involved.
On top of that, patients are beginning to understand exactly how big a deal their own informational security is. The Ponemon Institute released its fifth annual study on medical identity theft earlier this year (with the support of Kaiser Permanente and The Medical Identity Fraud Alliance — you can download the full study here.) and its findings reveal a patient population that is willing to make major healthcare decisions based on security risk.
The majority of medical identity theft victims will find themselves paying around $13,500 to resolve their identity theft-related issues (in payments to insurance companies, providers, and obtaining legal counsel and access to identity service providers.) The study most importantly found though, that patients hold providers responsible for the well-being of their information, with 79 percent of respondents saying it was important that providers protect their information, and almost half (48 percent) indicating that they would change providers if their records were lost or stolen. It also found that patients expect prompt notification if a breach has occurred.
What Your HIPAA Program Should Look Like Today
One of the easiest ways to put patients and ease and address the regulation issue before it even really becomes an issue, is to have your core HIPAA program in place and active.
While audits can seem complex, the OCR (Office Of Civil Rights) does focus on a few core areas that you can use to ensure your practice or organization are ready to prepare for the audits coming in 2016. You’ll want to start by asking yourself a few, key questions.
- Do we have written policies and procedures that address HIPAA standards and vulnerabilities?
- Are we performing regular risk assessments? Are those assessments being documented?
- Do we have an incident response plan in case there is a breach of PHI?
- How are we addressing data security? Does it cover BYOD practices, mobile devices and storage media?
- Are our business associates on top of their requirements?
- Are patients receiving Notices of Privacy Practices? Is it available to our patients on our portal/practice website?
- Do we have a training program in place that properly informs new staff members and periodically refreshes existing workers on HIPAA compliance?
Since most audits will be desk audits (an auditor will not be visiting you) written documentation and proper tracking of training, notice delivery, and staff responsibilities will be essential. Here are a few, additional tips from PowerYourPractice on covering more detailed compliance issues.
- Do not share sensitive PHI with staff, patients, or family members who should not have access.
- Keep email transmission of PHI to a minimum.
- Backup all disks and storage devices that contain PHI (you may even want to consider a cloud solution).
- Consider a role-based security plan for your employees.
- Keep computers and other hardware updated with the most recent anti-virus scanning software available.
What’s Coming Down The Pipeline
Next year holds some changes to HIPAA and its application that make the coming Phase 2 audits particularly interesting.
Breach Notification
The breach notification rule requires that covered entities and business associates notify specific entities (including patients, government, and sometimes the media) in the case of the breach of unsecured protected health information. Because of recent findings in OIG Reports (which we’ll cover shortly) providers and healthcare organizations can expect stricter higher expectations of compliance with the rule in 2016.
Audits
The healthcare industry has been anticipating the second phase of HIPAA audits (they were initially scheduled to begin in 2014) but has been met with multiple delays. Finally though, it’s expected that they postponement is over and that the audits will happen in 2016.
Both HIPAA-covered entities and Business Associates should keep their eyes open since OCR has been under particular pressure to address issues around privacy and security, as well as inconsistent enforcement of existing rules. As things stand now, the agency is relying mostly on self-reporting of data breaches and the audits represent a more proactive approach to addressing HIPAA standards.
In September, it was announced by Deputy Director for Health Information Privacy at OCR, Deven McGraw that the second phase of compliance audits would actually begin in 2016, though no indication was given of when they would kick off nor how many audits would actually be performed. (On previous occasions, OCR has indicated it will conduct around 400 audits.) Director of HHS, Jocelyn Samuels has made sure to emphasize the fact that audits will not only address current issues, but will also address historical compliance states around HIPAA rules — meaning organizations that have only recently come up to HIPAA compliance could be held responsible for deficiencies in their past efforts.
In order to better understand the current state of HIPAA compliance and the industry’s behavior around patient privacy and security, the Office of Inspector General began a research process that has culminated in two reports, released just this September.
The reports have been touted as positive and helpful guidance for OCR, as they support the fact that OCR should be strengthening oversight.
The OIG Report
The reports (available here) involved OCR engaging in multiple activities including
- Interviewing OCR officials
- Reviewing a statistical sample of privacy cases investigated by OCR
- Surveying OCR staff
- Reviewing OCR’s investigation policies
The agency made a few, key findings…
They have not been proactive.
As things stand, OCR has been investigating potential noncompliance with privacy standards most often as a result of complaints, tips, and media reports. A full 98 percent of closed privacy cases were the result of investigations initiated by complaints.
This may seem strange since the HITECH act audit requirement became effective in 2010, but since then, OCR has not fully implemented an audit program that would proactively address compliance among covered entities and business associates.
Covered entities are largely non-compliant.
The report also found that in about half of closed privacy cases, the covered entity in question was non-compliant with at least one privacy standard. The two most common types of non-compliance were tied to the standard on restricting disclosures and uses of PHI, and around safeguard implementation. Hospitals and individual providers lead the pack among the most frequent offenders.
Corrective action is not being properly documented.
In cases where OCR did determine that corrective action needed to be taken, 26 percent were lacking complete documentation in PIMS. This means that the agency was left unable to verify whether the covered entity actually took corrective action around their noncompliance issues.
A good number of OCR staff aren’t quite doing their jobs.
OCR staff have the discretion as to whether to check if a covered entity has been previously investigated, and 29 percent indicated that they either rarely, or never exercised that discretion. The reasons they gave included relying on other staff to perform the checks and lacking efficient ways to search for covered entities in PIMS.
In response the report also outlines suggestions to address the problems listed above.
Implement a permanent audit program.
OCR does have a loose audit program in place, but it is far from complete. OIG recommends that the agency should begin entering audit and investigation information into a PIMS-linked, searchable database.
Maintain documentation.
The report also recommends that OCR should begin maintaining complete documentation of corrective action, giving them the ability to easily verify whether a covered entity has or has not taken corrective action around noncompliance.
Other suggestions include developing policies that require OCR staff to check whether covered entities have a history of investigation, and developing a more efficient method of searching through PIMS.
Getting Your Practice Audit-Ready
As we mentioned before, audits will cover not only your current compliance efforts, but also your past. That though, isn’t a reason to throw in your towel, as your current levels of compliance will still weigh heavily in an audit. We want to present you with some bits of advice on getting your practice or facility ready for next years’ HIPAA audits, but first, here is a breakdown of how they will (and have) panned out.
Round one started in late 2014 and focused on breach notifications, privacy notices, access issues, and security risk analysis and management. Earlier this year, audits shifted to business associates and focused on security risk analysis and management as well as breach reporting to covered entities. In late 2015 (where we are now), a new group of covered entities was chosen to review device and media controls, privacy safeguards, transmission security, and workforce training.
The final phase, scheduled to being next year, will focus on
- Facility access control
- Encryption and decryption
- High-risk areas that have not yet been determined
Getting ready for these audits can be a very involved process, but here is a general overview from QIP Solutions:
- Identify your business associates: Business associates are receiving a new focus for this round of audits, so it’s essential that you be aware of what’s going on with yours. You can expect that an auditor will want to be provided with a list, and as you won’t have a lot of time to put information together after it’s been requested, you should start assembling your information now.
- Start documenting your compliance program: Remember how we mentioned that audits will also include past HIPAA compliance review? Auditors will expect that you have correct, historical documentation of your history that is dated and with information indicating it has been periodically reviewed.
- Ensure that documentation reflects your compliance program: Auditors will not be circling back around to clarify issues with your documentation. Be thorough and make sure your documentation is an accurate and clear description of your current program.
- Don’t over-submit: OCR will make requests of the information they want. Send nothing else. The last thing you want to do is confuse your reviewer and push them toward a more in-depth review.
- Keep your current risk assessment handy: You can’t look past this one. Having a current risk assessment is a fundamental requirement of the Security Rule.
- Be ready to provide your Notice Of Privacy Practices: You should have these posted in waiting areas and online, as well as policies and procedures that document when the notice is received.
- Check your individual access, as well as incident response: Make sure that all policies and procedures around individual access are up to date and in place. Members of your incident response team should also be identified and fully understand their responsibilities and roles.
Audit preparation isn’t just about policies though. Modern healthcare environments can’t afford not to pay specific attention to preparedness around technology. Here are 5 pieces of advice from encryption provider Sookasa on getting your tech ready for audits in 2016.
- Review security policies: You’ll want to conduct a thorough review of all your security policies and procedures so that you know how users are accessing your files as well as understand your ePHI protocols around how files are synced, stored, and shared, both intra- and extra-organizationally.
- Update all of your policies: Policies from data breach mitigation, to new employee training, file-sharing, and terminated employee access, should be kept up to date and documented. This should be a regular practice, but in audit season, it’s doubly important.
- Check your electronic files: Know where your encryption stands. You should be at a point where anything that touches PHI is encrypted, but if you aren’t, make sure you can at least identify which files are encrypted and which aren’t. If you can fix things pre-audit, do that.
HIPAA audits promise to be a major happening in 2016 healthcare, but with some proactive choices, you’ll be able to optimize your audit experience and relationship with HIPAA and OCR next year.