- With the most recent round of OCR HIPAA audits announced just last month, many healthcare organizations are working to ensure that they are prepared should they be called for investigation.
While the announcement should not come as a total surprise, several healthcare legal experts explain that covered entities that maintain thorough documentation of their approaches to compliance should be in good shape.
One thing for covered entities and business associates to be aware of is that they will only have 10 days to respond to the initial request, according to Anna Spencer, a partner at Sidley Austin LLP.
Covered entities should ensure that they have all necessary documents assembled, such as HIPAA policies and procedures, as well as their procedures for complying with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
The documentation for any risk assessments that have been performed should also be gathered.
“Under that rule, if an organization decides that there's a low risk of compromise of the data, they don't have to report that. But, they have to document that determination in a risk assessment.”
Spencer added that any Notice of Privacy Practices and acknowledgements of privacy practices are also documents that an organization will need to have in place for a potential audit.
From there, organizations should review them and ensure they understand whether or not there are any updates that need to be quickly done.
“Do a quick review, and follow up on any major issues that have been already identified by your organization,” Spencer explained. “And then consider doing a training if a training hasn't been performed in quite some time.”
Assembling a list of business associates would also be beneficial, especially as OCR explained that they would be asking about covered entities’ related business associates.
The upcoming round of HIPAA audits is not a cause for panic, according to Colin Zick, co-founder of Foley Hoag LLP’s Privacy & Data Security Practice. OCR is not trying to create a “gotchya” moment for healthcare organizations, and if covered entities are staying compliant, they should not be overly concerned.
Having policy procedures in place and being able to supply them if necessary is important, as well as having comprehensive training policies in place. That way, employees at all levels know what needs to be done to stay secure.
“This is as much an exercise in the brand of your institution as it is anything else,” Zick said. “Yes, it’s a legal compliance. But, you want to be compliant with these things because it’s the right thing to do.”
In general, the government has been fairly patient in regards to HIPAA compliance, he added.
“If you look at the longer-term enforcement activity, for years OCR didn’t levy really heavy fines,” Zick maintained. “They would tell you what you were doing wrong, tell you to fix it, and then said you were on your way. Then, gradually, they started to ramp up the fines because they figured that people had had enough time to adjust.”
How the latest round of HIPAA audits differs from the first
A lot has changed in the healthcare industry since the first round of audits that took place in 2012, according to Spencer.
“The fact that business associates are included in this round makes it more comprehensive than the last round,” she stated.
OCR has also secured close to $11 million in penalties in the last year alone, Spencer said. The enforcement environment is more rigorous.
“The government's been clear that they don't intend this round of audits to be punitive in nature and that their primary intent is to help provide assistance to covered entities and business associates to comply with the HIPAA rules,” she maintained. “However, they've also said that if they find a serious compliance issue that they may initiate a compliance review, which would be a more in-depth assessment and carry the possibility of an enforcement action.”
At this point, the majority of healthcare organizations – regardless of size – should already have the necessary policies and procedures in place, according to Foley & Lardner LLP intellectual property lawyer Aaron Tantleff.
However, a policy in and of itself is not enough, he added.
“You also have to have done and performed a risk assessment to identify an organization's strengths and weaknesses,” Tantleff explained. “Especially on the weaknesses side, you need to make sure that you've identified those areas that require remediation, and that you have a plan to address them.”
Tantleff also called to the importance of employee training, and that it would be a large component to the latest round of audits.
This is an important aspect to assessing an organization's risk because covered entities must educate and train their employees, business associates, etc. on how to effectively secure PHI in accordance with HIPAA regulations, he said.
How mobile devices, connected devices, affect organizations’ preparation
The increase in mobile devices and connected medical devices has definitely affected how covered entities need to prepare for the OCR audits, according to Spencer.
The government has clearly said that organizations need to re-evaluate and renew their risk assessment each time there is a material change in the environment that impacts the risks to electronic health information, she said.
“I do think that that's one development that probably impacts a lot of covered entities and something that they should be considering and addressing through their risk assessment and their risk mitigation plans,” Spencer maintained.
The proliferation of mobile devices has definitely complicated how covered entities need to prepare for audits, according to Zick.
“Everybody wants a connected device, and they want it to be seamless and easy. But we also know people lose devices all the time,” Zick cautioned. “And, if you don’t have plans and mechanisms for of what goes on a device, or what doesn’t go on a device, or what are we going to do inevitably when it’s lost, then you have a problem.”
In terms of connected medical devices, Tantleff said that they can potentially introduce more risk to an organization. However, this can happen when any new type of technology is introduced. A covered entity must ensure that it takes the time to evaluate any third-party technology and understand how it could potentially affect its operations.
“The best advice that I can currently give is, before you allow any of these devices into your organization, you must have a documented set of procedures by how you evaluate these things and your policies as to why you're using these things,” he cautioned.
Common compliance areas covered entities may overlook
Maintaining HIPAA compliance is not easy in general, Spencer explained, and covered entities and business associates alike face difficult challenges when it comes to keeping data secure.
Risk assessments and employee training are two critical areas that cannot be overlooked. While both are required under HIPAA regulations, they are also critical to data governance, she stated.
“I think cybersecurity is a real challenge,” Spencer said. “Organizations making sure that they are regularly conducting risk assessments, and fine tuning their risk management plans is important.”
The increase in healthcare ransomware attacks is currently one of the largest issues organizations are facing, she added, so covered entities need to ensure they have appropriately backed up their systems and data.
One area of particular note is that OCR noted that under the Freedom of Information Act (FOIA), it may be required to release certain information about the audits. This is very concerning, she explained.
“Right now, plaintiffs' attorneys are bringing cases where there's a data breach, and they're alleging negligence and other privacy-related torts,” Spencer said. “And to the extent they would be able to secure information from an audit that showed the confidential decision-making and issue spotting within an organization through a FOIA request, that would be a potential gold mine to plaintiffs' attorneys.”
Zick agreed that documentation is essential in audit preparation, adding that HIPAA compliance is not something that organizations can “set and forget.”
Policies and procedures may have been set with the announcement of the HIPAA Omnibus Rule, but organizations need to review if they’ve added EHR systems or expanded since then. Moreover, covered entities should review if they have new affiliations, such as a new outpatient center.
Any type of new technology could affect how an audit is conducted.
“It’s not that people are willfully noncompliant,” according to Zick. “You just don’t really see that. It’s the loss in the hustle and bustle, and the new thing that’s come up and changes the world, and they didn’t realize it.”