Yesterday, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced the resumption of long-awaited Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance audits. Given the alarming number of data breaches in the healthcare industry, found to be in excess of 40 percent of all data breaches,[1] healthcare providers, insurance plans, clearinghouses and their business associates are well-advised to get their HIPAA compliance in order before OCR comes knocking. And the knocks have already begun, with OCR targeting about 200 audits in 2016.
OCR has become increasingly aggressive over the past few years in bringing lawsuits where protected health information (PHI) has been compromised through data breaches. Regulatory fines have consistently been in the million-dollar range, and enforcement is likely to increase now that OCR has resumed HIPAA compliance audits.
OIG's Audit Finding
In an audit report released in September 2015, HHS's Office of Inspector General (OIG) found that enforcement of the HIPAA Privacy Rule was less than effective.[2] OIG's concern was that covered entities (such as doctors, pharmacies and health insurance companies) that do not adequately safeguard PHI (such as medical condition, prescriptions, or treatment history) could expose patients to an invasion of privacy, identity theft, or other harm. OCR accepted OIG's audit findings and undertook to resume HIPAA compliance audits in early 2016.
Unlike the 2012 pilot audits, which included only 20 covered entities, "Phase 2" will cover about 200 covered entities and business associates. As for the audit approach, the majority of the audits will consist of remote desk reviews, although some on-site reviews will take place. If the audit reviews turn up serious compliance issues, further investigations may occur, with the potential for the imposition of penalties and corrective action plans.
Preparation for Audit
The most common deficiency found by OCR in its pilot audits was an organization's failure to conduct a security risk assessment to identify and mitigate risks to PHI (e.g., PHI on exposed servers, unencrypted laptops, default passwords left unchanged, out-of-date security software, and inadequate training). This deficiency continues to appear in recent OCR enforcement actions. Accordingly, this area of noncompliance should be the primary focus of audit preparation.
Preparation for an audit begins with a thorough review of the compliance requirements found in the HIPAA Audit Protocol. OCR has stated that it plans to update the audit protocol later this year, so interested parties should stay abreast of this development on OCR's website. The audit compliance requirements are divided into three categories: security, privacy, and breach notification.
As noted, a common compliance deficiency that has been identified is the failure to conduct a security risk assessment. A risk assessment identifies and assesses risks to the security of PHI, evaluates security controls put in place to mitigate those risks, and monitors the effectiveness of those controls on an ongoing basis.
In addition to conducting a risk assessment, adequate audit preparation requires a review of the myriad HIPAA policy requirements relating to, for example, privacy practices; uses and disclosures of PHI; training; complaint handling; discipline; administrative, technical and physical security safeguards; and security incident management. These policies will likely be requested and examined by OCR in a desk audit prior to an on-site visit.
Potential audit targets should also compile any previous audit reports, evaluations, or assessments regarding implementation of the HIPAA security, privacy and breach notification standards. Well before receiving an audit notice, organizations should develop an audit response plan that outlines key considerations such as who will be the organization's lead responder to the audit team, a list of responsive documents, and how personnel will be prepared to answer questions.
Consequences of an OCR Audit
Any audit can be disruptive to an organization's business, but the OCR audits and the resulting reports may create unintended liability exposures. Should an audit review indicate a serious compliance issue, OCR may initiate a full-blown compliance investigation to address the problem. Thus, a substandard audit result could trigger penalties and a corrective action plan, even in the absence of a data breach.
Another concern is that audit reports are not confidential or protected under any privilege. Consequently, in the event of a breach or complaint investigation, state attorney general offices will be able to request a copy of the entity's OCR audit report to demonstrate knowledge of prior deficiencies. In addition, audit reports will likely be discoverable and could be used to prove knowledge of substandard compliance in possible subsequent litigation. Finally, in states like Connecticut, where case law has established that the HIPAA regulations could be the standard for protecting privacy under state law,[3] a substandard OCR report could be viewed as a de facto violation of the state law on privacy.
Now that OCR audits have resumed, it is time for covered entities and business associates to begin to prepare by performing self-assessments based on the HIPAA Audit Protocol and taking corrective action to address identified vulnerabilities. Additionally, organizations should consider having legal counsel involved at the beginning of any OCR audit due to the unpredictable nature of government audits and the potential consequences associated with the audit reports.
For more information about the upcoming HIPAA compliance audits, please contact one of the individuals listed in the sidebar. To assist healthcare entities in preparing for a HIPAA audit, Day Pitney LLP has developed several tools, including a self-assessment tool based on OCR's HIPAA Audit Protocol, to facilitate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Information on these compliance tools is available on request.
[2] The HIPAA Privacy Rule provides standards for using, sharing and disclosing patients' protected health information.
[3] Byrne v. Avery Center, 314 Conn. 433 (2014).