Federal regulators are actively preparing to conduct extensive audits to determine business compliance with HIPAA privacy and security requirements. Businesses that handle protected health information (PHI), i.e., individually identifiable health information transmitted or maintained in any form, are required to maintain HIPAA compliance and are subject to substantial monetary fines if found in violation of HIPAA rules. Traditionally, the federal government has focused its enforcement actions on health plans and healthcare providers. This is changing.
The HIPAA audit process, expected to commence in the summer or fall of 2015, is viewed as a major enforcement action by the responsible agency: The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The Director of OCR, Jocelyn Samuels, said that the audits will “proactively uncover risks and vulnerabilities [of businesses’ HIPAA compliance].” Audited businesses will be required to demonstrate strict compliance with applicable HIPAA requirements. Accordingly, it is critical that any organization subject to HIPAA have the applicable compliance policies and security measures in place before the audits begin.
Businesses Subject to HIPAA & Audits
Two categories of businesses are required to be HIPAA compliant: Covered Entities, i.e., health plans, health care clearinghouses, and health care providers that transmit PHI in electronic form; and Business Associates, i.e., entities that create, receive, maintain or transmit PHI for a regulated activity on behalf of a Covered Entity. Business Associates include telecommunications and information service providers that transmit and retain PHI, and medical equipment manufacturers whose devices store PHI.
Narrow “Mere Conduit” Exemption
Entities that provide “mere conduit” service are excluded from HIPAA liability. The mere conduit exemption applies to telecom or information services that exclusively provide transmission or temporary storage of transmitted data incident to such transmission. This includes entities such as internet service providers (ISPs) and paging carriers. On the other hand, any service provider that maintains PHI on behalf of a Covered Entity is a Business Associate, not a conduit, even if the provider does not view the PHI.
The key difference between a conduit and a Business Associate is the transient versus persistent nature of the opportunity to view the PHI. To qualify as a conduit, a service provider must ensure that PHI is stored only temporarily, and only as an incident of transmission. Whether the service provider actually views the PHI is irrelevant.
It is easy for a telecommunications or information service provider to mistakenly assume it is a conduit simply because it does not access PHI. For example, an email hosting provider that receives and stores messages containing PHI sent by a Covered Entity unwittingly becomes a Business Associate even if it never opens or reads the PHI itself. Consequently, any service provider handling PHI that has not taken steps to comply with HIPAA should closely review its services to determine whether, and to what extent, it stores or maintains PHI.
Audits are Heating Up
OCR has already begun sending “screening surveys” to several hundred potential audit targets, including Business Associates. The screening surveys gather data about the operations of potential auditees regarding their HIPAA privacy, security, and breach notification procedures. Any business receiving a pre-audit survey is required to respond within a set period of time. If OCR is dissatisfied with the response, it will likely commence a full audit. OCR has stated that it may conduct remote desk audits or on-site audits, depending on the perceived need and the resources available.
Another indication that OCR will soon launch the audits is its recent hiring of Deven McGraw, formerly a privacy law partner at a large law firm, as its new Deputy Director. Ms. McGraw, who has long served as an advisor to HHS on health care privacy and security issues, will be spearheading OCR’s enforcement efforts, including those involving the audits.
Sanctions for Non-Compliance
Monetary sanctions for failing to comply with HIPAA are steep. OCR is authorized to levy penalties of up to $50,000 per violation, even where it determines that the violation was unintentional. For violations due to willful neglect that are not timely corrected, OCR can impose penalties of up to $1.5 million per calendar year for violations of the same requirement.
The crux of OCR’s audits is to determine compliance with the HIPAA Omnibus Rule, a set of regulations that implement the privacy and security provisions of HIPAA and its companion legislation: The Health Information Technology for Economic and Clinical Health Act (HITECH). The rules are complex; a detailed analysis is beyond the scope of this advisory.
In general, the HIPAA Omnibus Rule requires Business Associates to: (a) have safeguards in place to protect against unauthorized use and disclosure of PHI; (b) report breaches to Covered Entities; (c) ensure that their subcontractors that handle PHI are HIPAA compliant; and (d) have Business Associate Agreements (BAAs) that include PHI privacy and security provisions with all Covered Entities and subcontractors with whom they work. All compliance procedures and records must be documented, and records made available to OCR if requested.
Business Associates should ensure that all subcontractors that handle PHI on their behalf are HIPAA compliant and have the appropriate safeguard procedures in place. HIPAA therefore requires that Business Associates have BAAs containing all applicable HIPAA compliance language with their subcontractors, as well as with the Covered Entities they serve. The terms of these contracts are critical, because a carelessly drafted agreement could result in a Business Associate assuming HIPAA compliance responsibility it would not otherwise have, and liability for breaches caused by the other entity.
Preparing for Audits -- Time is of the Essence
OCR could launch its audit process at any time. Hence, the time is now for all Covered Entities and Business Associates to prepare for an OCR audit. At a minimum, those subject to HIPAA obligations should review their HIPAA security policies, procedures and records to determine whether they could withstand an audit. A recent survey by an information media research group found that a substantial percentage of Covered Entities and Business Associates could not meet OCR audit requirements. Many of those entities believed they were HIPAA compliant or qualified as conduits, but on closer scrutiny discovered that they were not.
It is critical that all Business Associates take the time to focus on HIPAA compliance. With the current political and media focus on patient privacy, it is clear that, in addition to the imminent mass audits, OCR will engage in HIPAA-related investigations and enforcement for the foreseeable future. Consultation with knowledgeable counsel would help Business Associates review their existing compliance measures and take the steps necessary to mitigate the risk in any audit or enforcement action before OCR comes knocking at the door.
Disclaimer: This article is intended for informational purposes only and is not for the purpose of providing legal advice. You should not act upon the information in this article without seeking professional counsel.
Linda McReynolds and Ron Quirk are Senior Managing Attorneys at Marashlian & Donahue, LLC, The CommLaw Group (www.CommLawGroup.com). Ms. McReynolds is a Certified Information Privacy Professional/U.S. (CIPP/US).