The United States Department of Health and Human Services (DHHS) has begun Phase 2 HIPAA audits for covered entities and business associates. In communication dated March 21, 2016, DHHS announced plans to ramp up the agency’s efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules. The Office of Civil Rights (OCR) has been assigned by DHHS to serve in an investigative and enforcement role that will seek to identify best practices, while proactively uncovering risks and vulnerabilities to protected health information.
While this phase of HIPAA compliance has been anticipated for some time as it was delayed from its initial launch in fourth quarter of 2015, no governmental agency had yet to provide an exact timetable or process for implementation. According to DHHS, the OCR will review the policies and procedures utilized by entities and employees involved in any form of protected health information documentation. The reviews will focus on whether or not the entities and employees meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. While the majority of these reviews will be “desk audits,” the OCR plans to conduct some on-site audits as well.
At this early point in the process, it is critical for hospitals, practice groups, insurance companies and any professionals working with protected health information in any way to pay close attention to the initial outreach by the OCR. According to DHHS, the first step will come in the form of an email from the Office of Civil Rights. In an effort to verify an entity’s address and contact information, the OCR will send an email to covered entities and business associates. The email will be requesting that contact information be provided to the OCR in a timely manner, which DHHS has determined is within 14 days. In addition to the verification of contact information, the OCR will use the initial outreach to transmit a pre-audit questionnaire to gather data about the size, type and operations of potential auditees. The data collected will be used with other information to create potential audit subject pools.
If the OCR does not receive a response to its email inquiry within the specified timeframe, the agency will then use publically available information about the entity to create its audit subject pool. Under the structure outlined by DHHS, it is imperative that healthcare professionals involved with protected health information pay close attention to incoming email as well as their spam or junk folders. DHHS and the OCR will not allow entities and professionals to use the excuse that they did not receive the HIPAA email. In fact, an entity that does not respond to the OCR may still be selected for an audit or subject to a compliance review, according to HHS. The OCR plans to post updated audit protocols on its website closer to conducting the 2016 audits and the information will reflect the HIPAA Omnibus Rulemaking.
Potential Stress on Internal Resources & Cost of Possible Fines
As detailed in an article published by Elliott Davis Decosimo in August of 2015, the requirements to just meet the Security Rule Safeguards outlined in HIPAA can potentially stress the IT resources of most healthcare practices beyond their limits. Even hospitals can find facilitating all aspects of Security Rule Safeguards to be quite challenging. Compliance with the Security Rule and meeting the criteria established by the Security Rule Safeguards are not negotiable. If an organization is selected for a HIPAA audit either by response to the upcoming inquiry or through a non-response as outlined here, those entities that have not taken the proper steps with HIPAA compliance can encounter some significant penalties.
As an example, violations of the Security Rule that are discovered either through these audits could result in fines exceeding $1 million. A thorough risk assessment by an independent third party is designed to examine all threats to a healthcare organization. The threats can take the form of physical, environmental and human threats. Additionally, a thorough risk assessment can identify vulnerabilities that, if exploited by a threat, could result in a breach. Vulnerabilities could include IT hardware, software applications, password management, contingency planning, staff training and policies and procedures. To read the full article on the importance of compliance with HIPAA’s Security Rule Assessment requirements, please click here.
We Can Help!
Navigating the requirements outlined by the next phase of HIPAA compliance demands proven expertise. At Elliott Davis Decosimo, our approach is to examine threats to the healthcare entity, vulnerabilities within the healthcare entity and the entity’s compliance with the Security Rule safeguards. We can then provide the healthcare entity with a measure of risk associated with operations based upon compliance or non-compliance. This level of risk provides the organization with a road map of how to mitigate their risk exposure by identifying areas of high, medium and low risk. This roadmap allows the entity engaging the Security Rule assessment to properly allocate IT resources to mitigate its risk exposure. In addition to healthcare entities, Elliott Davis Decosimo specializes in working with business associates involved with protected health information to ensure they are in compliance with all aspects of the Security Rule.