The latest round of OCR HIPAA audits was announced earlier this year, leading many healthcare organizations to review their HIPAA compliance measures and ensure that all necessary policies and procedures have been properly documented.
The second phase will not only review covered entities’ practices, but also how business associates work toward keeping PHI secure.
Furthermore, the audits will consist of three phases, including a small desk audit and an in-depth desk audit. The desk audits will review compliance with the HIPAA Security, Privacy, and Breach Notification rules, while the final phase will include a more general audit. Essentially, this will be a broad review of compliance throughout the entire organization.
What type of preparation is necessary?
Several compliance experts maintain that this is not a reason for healthcare organizations to panic. In order to maintain HIPAA compliance in the first place, and avoid a potential healthcare data breach, entities need to ensure that their privacy and security measures are comprehensive and current.
“Ultimately, OCR seems to be focused primarily on the same things that they have always been focused on,” according to Brad Rostolsky, partner at Reed Smith. “They want to make sure your compliance programs are fully developed.”
Covered entities should ask themselves if they have the right policies and procedures in place, if they have a Security Rule risk assessment, if they are properly training employees, and if their business associate relationships are appropriately documented.
Business associates also need to ensure that they are appropriately engaging their subcontractors in the context of HIPAA regulations.
“Preparing for this is really no different than just generally trying to make sure that your house is in order and ensuring that your privacy officer or compliance officer, your in-house legal team, and external legal team are all in communication about what’s in place and are ready to respond if and when they get the audit request,” Rostolsky said.
Colin Zick, co-founder of Foley Hoag LLP’s Privacy & Data Security Practice, agreed, adding that OCR is not trying to create a “gotcha” moment for healthcare organizations.
“This is as much an exercise in the brand of your institution as it is anything else,” Zick maintained. “Yes, it’s a legal compliance. But, you want to be compliant with these things because it’s the right thing to do.”
A quick response will be key for this round though, according to Rostolsky. All employees, especially those who work in a compliance role, need to be carefully monitoring for any emails or letters that come in from OCR.
There is a 10-day required response time for the desk audit, so organizations cannot afford to let a notification slip through the cracks.
This is also why healthcare entities should know who their compliance officers are, or the designated health information privacy and security officials. Even in a smaller organization, perhaps an office manager or lead physician is responsible for such communications.
Regardless, OCR will need to confirm that it has the correct contact information so that it can identify the correct mailing address and the email addresses.
Remember the importance of physical safeguards
With the proliferation of mobile devices and BYOD strategies, it can be easy for covered entities to overlook some of their physical safeguard measures. Physical security with respect to paper, such as older files, is very important, Rostolsky warned.
Organizations need to not only ensure they are locking paper records up appropriately, but also make sure that workforce members understand when it’s permissible to take them outside of the office. If individuals are allowed to take them outside of the office, they need to know how to appropriately protect them in that context.
Documentation is also essential in audit preparation, according to Zick, and HIPAA compliance is not something that organizations can “set and forget.”
Organizations must review whether they’ve added any EHR systems, for example. Moreover, covered entities should review if they have new affiliations, such as a new outpatient center.
Any type of new technology could affect how an audit is conducted.
“It’s not that people are willfully noncompliant,” Zick said. “You just don’t really see that. It’s the loss in the hustle and bustle, and the new thing that’s come up and changes the world, and they didn’t realize it.”
The HIPAA risk assessment is always key
Rostolsky maintained that while healthcare organizations are likely not forgetting about security risk assessments, it is essential that they are done right and are clearly tracked.
“There has never been a situation where I was talking to OCR about something unrelated to that requirement, where they didn’t at some point ask for a copy of [the risk assessment],” Rostolsky said. “Not having that done is a significant exposure point.”
Comprehensive risk frameworks and proprietary frameworks, such as the ISO 27000 series, can be beneficial, according to former OCR Senior Health Information Technology and Privacy Specialist David Holtzman.
“Once you have identified what risk assessment framework to use that meets your organization’s needs, is to carry that out either through your internal resources – if they are sufficiently trained and have experience in this area – or to bring in an independent third party to perform the risk assessment and to assist you in identifying any gaps or areas that leave you vulnerable.”
The Department of Health and Human Services (HHS) also states that a risk analysis should be an ongoing process at an organization. Covered entities should regularly review their records and track access to ePHI and detect security incidents.
Organizations should periodically evaluate “the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”
“By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems,” HHS explained. “Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.”
Overall, organizations should evaluate the likelihood and impact of potential risks to e-PHI, and also implement appropriate security measures to address the risks identified in the risk analysis. From there, it is important to document the chosen security measures and also explain why these measures were adopted. Finally, HHS requires organizations to “maintain continuous, reasonable, and appropriate security protections.”
How mobile devices and connected medical devices affect the preparation
The more that is going on within a healthcare organization, especially in terms of devices being connected to its systems, just adds a layer of complexity, according to Rostolsky.
Having appropriate privacy and security measures with all mobile devices will also be essential, he added.
“There are lots of solutions to address those problems from a technology perspective, and no one particular solution is necessarily better for any organization,” Rostolsky explained. “It’s just a question of looking at where your information is flowing, which is always an important thing to do.”
The information flow also helps entities see where their spots of concern might be. Having lots of interconnected devices, or a BYOD policy, should definitely be taken into consideration when implementing policies, fixing security policies, or conducting employee training.
“Training on that is really important,” Rostolsky maintained. “Just because you have the policy doesn’t mean people are following it, but they might not be aware of the requirements. Ensuring that everyone who touches PHI knows their obligation with that information, is important.”
According to Holtzman, an enterprise-wide risk analysis should be conducted whenever new technology is introduced. Whether an organization has first implemented a BYOD strategy, distributed devices to employees, or deployed connected medical devices, there should be a thorough review and documentation process.
“That way, you can carefully examine and evaluate any potential vulnerability posed by these technologies that have access to your information system,” he said. “Once you’ve included them as part of your risk analysis, you’re then able to take appropriate measures to put into place the safeguards to reduce the risk to your health information that is posed by these technologies.”
If organizations aren’t aware of what is going on and potentially impacting their information system and information enterprise, then they’re essentially digging themselves into a hole and “sticking [their] heads in the sand.”
“As we have seen from this current state of cyberattacks and hacking activities in random order attacks, those organizations that have been sticking their head in the sand have been continually vulnerable,” he said.
Anna Spencer, a partner at Sidley Austin LLP, agreed, adding that the government has previously warned that organizations need to re-evaluate and renew their risk assessment whenever a material change occurs in the environment that impacts the risks to electronic health information.
“I do think that that's one development that probably impacts a lot of covered entities and something that they should be considering and addressing through their risk assessment and their risk mitigation plans,” Spencer said.
The documentation for any risk assessments that have been performed should also be gathered.
“Under that rule, if an organization decides that there's a low risk of compromise of the data, they don't have to report that. But they have to document that determination in a risk assessment.”
Overall, the next round of OCR HIPAA audits should not be a reason for covered entities and their business associates to panic. By adhering to HIPAA regulations and maintaining regular risk assessments, organizations should already find themselves in a good spot.