The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is increasing its Health Insurance Portability and Accountability Act (HIPAA) audit efforts, as evidenced by the impending launch of Phase 2 of the HIPAA audit program and its announcement late last year of a $750,000 settlement with the University of Washington Medicine (UWM). Covered entities and business associates should begin preparing now for increased scrutiny by OCR of their compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
OCR's settlement announcement on December 14, 2015 followed its declaration that Phase 2 of the audit program would commence in early 2016. Both actions came in the wake of two critical reports by the HHS Office of Inspector General (OIG), "OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities" and "OCR Should Strengthen Its Oversight of Covered Entities' Compliance with the HIPAA Privacy Standards," which sharply criticized OCR's follow-up on breaches of patient health information and its oversight of HIPAA compliance.
The settlement agreement with UWM in December resulted from an investigation of a November 2013 breach in which electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment infected with malware. OCR's investigation indicated that UWM's security policies did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to identified risks. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization's compliance efforts.
The OIG analysis in each of its September 2015 reports came from statistical samples of reported privacy breaches by covered entities and related OCR investigations between September 2009 and March 2011. The OIG determined that OCR had failed to fully implement the audit program it was required to develop, leading to a system of oversight that was too reactive. The reports also found that OCR’s case-tracking system had incomplete documentation of corrective actions taken by reporting entities, failed to document information for small breaches (i.e., breaches affecting fewer than 500 individuals), and limited its own staff’s ability to search for prior reports of large breaches due to a lack of consistent reporting standards. As a result, the OIG warned that Medicare Part B providers, including those that have had documented breaches, may not be adequately safeguarding protected health information.
In these reports, the OIG recommended that OCR should:
- fully implement a permanent audit program;
- enter small breach information into its case-tracking system or a linked, searchable database;
- maintain complete documentation of corrective action;
- develop an efficient method in its case-tracking system to search for and track covered entities that have reported prior breaches;
- develop a policy requiring OCR staff to check whether covered entities have reported prior breaches; and
- continue to expand outreach and education efforts to covered entities.
OCR agreed with the OIG's recommendations. With regard to full implementation of its audit program, OCR announced that Phase 2 of the program would be launched in "early 2016." Virginia-based FCi Federal was selected as the vendor for Phase 2. Phase 2 will include a combination of desk and on-site reviews of policies, targeting "specific common areas of noncompliance." Unlike the initial phase, Phase 2 will cover both covered entities and HIPAA business associates. The OCR audit protocol is divided into modules representing elements of privacy, security, and breach notification. The protocol covers, in part, Privacy Rule requirements for notice of PHI privacy practices, rights to request privacy protection, access of individuals to PHI, use and disclosure of PHI, and accounting of disclosures; Security Rule requirements for administrative, physical, and technical safeguards; and Breach Notification Rule requirements for risk assessment, timeliness, and notification to individuals, HHS, and the media. OCR publishes the complete audit protocol on its website.