Businesses and healthcare providers are facing increasing pressure to meet and maintain HIPAA compliance standards. The Office for Civil Rights (OCR) announced it will be performing a new round of random audits throughout 2016.
Before 2016, 98 percent of the OCR’s closed privacy cases were a result of complaints. In this second phase of audits the OCR is making an effort to take action on the recent findings by the U.S. Office of Inspector General.
The report claimed that the OCR had not implemented sufficient measures to ensure covered entities were abiding by HIPAA privacy standards. The OCR plans to take a proactive approach to enforcing HIPAA policies and its second series of audits will encompass a wider range of organizations.
What’s the fuss?
For businesses, the primary concern revolves around changes specified in the 2013 Final HIPAA Omnibus Rule. While these modifications have been legally in place for three years, there has been little effort on behalf of the OCR to enforce these standards.
The most significant change included in the amendment is the restructured responsibilities of covered entities and their business associates. Whereas before, the liability for HIPAA violations fell on the shoulders of the healthcare provider, now business associates are subject to the same fines and penalties as the practice with which they’re engaged. This means business associates must perform annual security reviews, hold regular employee training sessions, and implement a remediation plan if needed to address any security holes within the organization’s network.
To clarify, a covered entity is any healthcare provider, healthcare clearinghouse, or health plan that electronically transmits private health information. A business associate is any person or organization that produces, stores, receives, or transmits PHI for the covered entity with which they’re associated.
However, in some states, the definition of a covered entity has been expanded and organizations should check with their legal counsel or a state trade association to learn more about state-specific regulations. The 2016 audits will be random and the OCR has yet to specify how many audits will occur. While it’s not likely an organization will experience a random audit, the HIPAA privacy and security policies should be strictly adhered to and evaluated to prevent the costly legal and financial penalties that can accompany a data breach.
What will a HIPAA compliance audit entail?
The OCR plans to complete three phases of audits throughout 2016. The first stage will involve desk audits of covered entities, and the second will be of business associates. These evaluations will examine the organization’s compliance with HIPAA’s privacy, security, and breach notification rules.
The third round will occur onsite and will evaluate a wider range of HIPAA compliance requirements. For desk audits, the OCR will request a number of documents that must be delivered within 10 business days and may require the organization to provide documentation from up to six years prior to the audit. Requested items can include records of security reviews, remediation plans, policies, processes, employee training logs, and any additional information that correlates with HIPAA compliance standards.
Audits will review everything from patient PHI privacy requests, to use and disclosure of PHI, to changes of PHI, to physical, technical and administrative safeguards to ensure an organization is HIPAA compliant.
How can a business associate make sure it’s HIPAA compliant?
It’s necessary that an organization has the right processes, policies, and documents in place at all times. Auditors often find businesses lack adequate security reviews, remediation plans, and employee training programs when they are evaluated. These deficiencies can cause significant costs from both the fines and legal penalties associated with a breach, as well as the time, effort, and money involved in the remediation of these mistakes.
For example, on June 30, 2016, the OCR announced that the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) experienced a data breach that stemmed from an employee’s stolen iPhone in February 2014.
The breach affected 412 individuals and cost the organization $650,000 in fines and penalties. The employee’s device held an abundance of sensitive information and was left unencrypted and without a password protection code in place.
In addition, OCR found the business had not performed a security review, had no established risk management plan or security breach response strategy, and had not implemented a BYOD policy prior to the incident. The lack of planning and preparation by CHCS left the organization vulnerable to attack and with a lofty corrective action plan to fulfill.
Any organization bound by HIPAA standards should ask itself the following questions to determine its adherence to compliance regulations:
- Does my business have written policies and protocols in place to address HIPAA standards?
- Is my business performing and documenting regular risk assessments?
- Does my business have an established data security policy?
- Does my business have a BYOD security and use policy?
- Are the business associates affiliated with my organization HIPAA compliant?
- Does my business have an effective incident response plan to handle a breach if it occurs?
- Are my employees required to complete regular HIPAA training programs?
HIPAA compliance regulations affect a number of organizations and it's important businesses understand their specific responsibilities.
Businesses can either engage a managed IT services provider to help navigate HIPAA compliance laws, or manage and implement standards independently using the pool of resources made available by the OCR. Whichever you decide, just do it!
Clyde Bennett is the Chief Healthcare Technology Strategist for Aldridge Health, a subsidiary of Aldridge. Clyde is responsible for staying current on technology and regulations impacting the healthcare industry. With over 30 years of experience in the science and media field, he advises his clients, guiding them to new opportunities that technology can provide and helping them mitigate risk.