Previously it seemed no one was looking. Be forewarned HHS-OCR just bought a new microscope!
Since 1996 covered entities and their business associates have often taken a lax approach to Health Insurance Portability and Accountability Act (HIPAA; Pub. L. 104–191, 110 Stat. 1936, enacted August 21, 1996) compliance, if they bothered to comply at all. Over the years (HITECH/OMNIBUS), the Office for Civil Rights (OCR), under Health and Human Services (HHS), increased the fines/penalties for noncompliance, with settlements often exceeding $1 million. Yet, as a HIPAA consultant, we still encounter a disproportionate number of businesses still refusing to comply with federal law. Is 2014 the year of compliance? Or yet again the year of defiance? You decide, both have associated costs and pain points.
1200 new audits looming
In 2012, we saw the OCR outsource 115 audits (program developed by Booz Allen Hamilton and executed by KPMG), sometimes resulting in findings, fines, settlements, and often a combination. We didn’t hear much about those found compliant, but have to assume some covered entities fared well with their HIPAA audits. According to Susan McAndrew, OCR Deputy Director for Health Information Privacy, another round of audits are planned for 2014: specifically 800 covered entities will be audited and 400 business associates. However, in 2014 audits will be performed by OCR staff, and not outsourced. Auditing BA is new and adds penalties to the, “Should I comply with HIPAA algebraic risk equation,” an equation that now includes penalties up to $1.5 million per violation. For covered entities, one would think misery loves company, so pulling them directly under HIPAA could prove beneficial.
Per Linda Sanches (OCR senior advisor), the OCR will implement an online pre-survey this summer. These survey recipients will be the pool for selecting those to be audited. Let the HIPAA Lottery begin, albeit unlike the Mega Millions’ jackpot odds of 1 in 258,890,850, HIPAA is 50/50 if included in the survey!
How to get a regulatory lottery ticket
OCR will conduct address verification with covered entities surveyed this spring, according to the recent presentation by Sanches. Entities will receive a link to an online screening (i.e., “pre-survey”) this summer. Those audits are planned to be performed between October 2014 and June 2015. If surveyed, you can start checking your mailbox this fall for your “engagement letter.” Since this may be somewhat new for BA’s, your regulatory compliance lottery begins in 2015. The OCR will be leveraging lists compiled from the CE audits to determine a target BA list.
If you are diligently performing your risk assessments, have a solid vendor management program, you review your program and policies annually, and have built a strong compliance program using some risk-based likely governance model, you will likely fare well. If the above statement sounds like 4th century Macedonian more than English, saddle up… 2014 and 2015 may be a bumpy ride!
Covered Entities: So what to expect during the audit?
The focus for 2014 audits will be risk assessments and risk management, breach notification (including notice content and timeliness), Notice of Privacy Practices (NPP) delivery, and access control models for PHI. In short, your HIPAA Policy content, how you conform to the policy, risk, risk management, who can access PHI, and notification if you experience a breach! Listing what won’t be covered probably would have been less daunting.
Business Associates, So what can you expect during the audit?
Risk assessments, risk management, and breach reporting. Less intimidating list, but some (possibly all) of this might be new to BAs. So possibly only a brief reprieve, before you start drinking from the fire hose.
To infinity and beyond
More good news, the OCR is planning another round of audits in 2015 to include computing device and storage media security controls, transmission security, as well as HIPAA privacy rule safeguards, including workforce training, policies and procedures. The 2016 focus will likely be encryption and decryption as well as facility and physical access control.
While perhaps onerous for those in the healthcare industry or providing service to the industry, those entrusted with patients’ sensitive data should be protecting it and therefore doing this stuff anyhow. Only now, the cost of noncompliance may far exceed the cost of compliance. And when you include patient attrition, brand equity erosion, and your lack of a good night’s sleep – doing the right thing makes good business sense. Keep in mind, if you report a material HIPAA breach, you get a fast-pass ticket to the front of the line. Not only OCR auditors, but pesky AG, lawyers, and Congress might take interest – especially in an election year. I don’t want to peddle fear, uncertainty and doubt, but for any entity tasked with safeguarding PHI, it might be prudent to dust off your HIPAA Program.
Brian Dean, CIPP/US, is currently the privacy officer and manager of the Audit and Compliance Team at SecureState, which provides management consulting information security services for companies internationally. Dean is PCI-SSC as a Qualified Security Assessor, PCIP-certified, CISA certified, and previously certified by the Project Management Institute as a Project Manager Professional (PMP).
NIST PDF: HIPPA Privacy, Security and Breach Audits
HIPAA audits: 800 covered entities and 400 business associates