HIPAA Audits Underway - Protocols Posted
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) enforces the privacy and security rules set forth in the Health Insurance Portability and Accountability Act, as amended (HIPAA). In 2011, OCR instituted a pilot audit program under which it began analyzing the HIPAA processes, controls and policies in place at selected covered entities, but not business associates. Having started pilot audits last November, OCR on June 26, 2012 posted the protocols it will use to conduct future audits, which will eventually be expanded to include business associates. The protocols are available on OCR's website.
The protocols list the performance criteria on which OCR will focus and the audit procedures OCR will enlist when auditing a covered entity’s compliance with the security rules, the breach notification rules, and the privacy rules. The audit procedures consist of OCR both interviewing management and members of the workforce, and obtaining and reviewing HIPAA privacy and security documents.
Increased HIPAA Enforcement Leads to Large Settlements
In addition to auditing covered entities for compliance with HIPAA, OCR investigates breach reports submitted to OCR by covered entities and business associates, as required by law. The Alaska Department of Health and Social Services (DHSS) submitted a breach report to OCR, which triggered an investigation. DHSS reported that a portable electronic storage device possibly containing electronic PHI (e-PHI) had been stolen from a vehicle of a DHSS employee. After investigating, OCR determined that DHSS did not have adequate policies and procedures in place to safeguard PHI. DHSS recently agreed to pay $1,700,000 to settle the potential violations of the HIPAA security rules. As part of the settlement, DHSS also agreed to comply with a “Corrective Action Plan” under which DHSS was required to develop and distribute written security policies, obtain certification from all employees who have access to e-PHI that they have read and understand the policies, update the security policies at least annually, train all employees who have access to e-PHI at least annually on the security policies, and obtain certification from all trained employees that they have received training.
In another example of increased HIPAA enforcement related to the Breach Notification Rule, Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay OCR $1,500,000. The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation concluded that BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, agreed to pay OCR $100,000 and take corrective action to implement policies and procedures to safeguard the PHI of its patients. This investigation resulted from a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. OCR also found that the physician practice did not have adequate policies and procedures in place to ensure the confidentiality of patient PHI.
More HIPAA Guidance Forthcoming
In early June, OCR indicated that it was “extremely close” to publishing a final omnibus HIPAA rule, which was expected to include a final breach notification rule, a final enforcement rule, a final rule implementing changes to the privacy and security standards, and a final rule modifying HIPAA’s privacy rule in accordance with the Genetic Information and Discrimination Act. The omnibus rule was sent to the White House Office of Management and Budget (OMB) on March 26, 2012 for review, and the review process usually takes 90 days. Nevertheless, and despite OCR’s stated intention to implement a permanent audit program by December, the OMB announced on June 22, 2012 that it is extending its review of the omnibus rule to an unspecified future date.
Provider Best Practices
Notwithstanding the delay in issuing the final omnibus HIPAA rules, in light of OCR’s significant enforcement actions, healthcare providers should:
- Ensure they have in place HIPAA privacy and security policies, a privacy notice, and business associate agreements with each of their business associates.
- Ensure all employees who have access to PHI are trained on the provider’s privacy policies and that all employees who have access to e-PHI are trained on the provider’s security policies.