Getting Ready for a HIPAA Compliance Audit
In 2011 the Department of Health and Human Services’ Office for Civil Rights (OCR) put in place an audit program to review the state of healthcare compliance. The pilot audits, which began in 2011 and were finished in 2012, uncovered many violations of HIPAA Privacy, Security and Breach Notification Rules.
Only 11% of audited bodies passed the audits with no observations or breaches, while more than 60 percent of the audits uncovered security standard breaches.
The OCR was soft on offenders and did not issue major penalties for non-compliance issues, instead action plans were created to help the audited organizations implement the necessary security measures to protect healthcare data.
The OCR is not expected to be as soft during the second phase of the audit program, which is due to begin later this year. The second phase is likely to see groups fined for HIPAA violations in line with the new penalty structure brought in with the Omnibus Rule of 2013.
Second Phase of the OCR Compliance Audit Program
One of the targets of the pilot round of audits was to discover which aspects of the Health Insurance Portability and Accountability Act were not being adhered to. After looking at the results, the OCR developed the second round of compliance audits, which will mainly target those areas of HIPAA which lead to the most violations. Risk analyses, patient access rights to their healthcare data and the issuing of breach alerts will be a major focus of the second round of audits.
The introduction of the Omnibus Rule in 2013 grew the reach of HIPAA to include business associates and their subcontractors, and they too will be audited as part of the next round, along with healthcare suppliers, health plans and healthcare clearing houses.
With the next round of audits now coming quickly, all covered groups are advised to revise and update policies and procedures and must ensure that all HIPAA Privacy and Security Rules are being followed. With this in mind we have put together a checklist covering the aspects of HIPAA Privacy and Security Rules which the OCR auditors are expected to look at.
How to Get Ready for the Second Round of Compliance Audits
Risk Analyses – Under the Security Rule, all covered groups must complete a thorough risk analysis to identify all potential vulnerabilities which could be exploited by hackers looking to steal ePHI and personal identifiers of patients and health plan subscribers.
The risk analyses must look at all IT systems which can potentially touch healthcare data and all devices which can be used to obtain ePHI and personal identifiers. The risk analysis must also review paper records, x-rays and other physical records such as doctor’s notes.
A risk analysis is not a one-time occurence. It is a procedure which should be carried out on a regular basis, in particular after a material change in HIPAA legislation. Auditors will be checking to make sure that this is in place.
Risk Management – Any security issues identified during the risk assessment must be tackled and the appropriate safeguards implemented promptly to address those risks. Auditors will be looking carefully at the actions taken to manage risks and will expect those to be actioned in a reasonable time-frame.
List all Business Associates – If a covered group is chosen for audit, one of the first requirements will be to put together a list of all business associates. Lists should be established and maintained with up to data contact information. The OCR will use those lists to choose BAs for audits.
Addressable Security Standards – Under HIPAA, many security standards are addressable, not obligatory. If a covered group has elected not to adopt any addressable implementation standards, auditors will require documentation stating why the standards have not been addressed and what other measures have been employed in their place to secure data.
Breach Notifications – A HIPAA-covered group is required to have policies and procedures in place to deal with a security breach to ensure alerty can be issued in a reasonable timescale. Policies and processes must reflect the content requirements as stated in the Breach Notification Rule.
Notices of Privacy Practices – Notices of privacy practices must be sent out. NPPs should cover all instances under which ePHI and personal identifiers will be implemented, and under what circumstances patients will be contacted. A website privacy policy must be in place, but this in itself is insufficient under HIPAA Rules.
PHI Safeguards – Under the Security Rule, all covered groups must put in place the appropriate technical, physical and administrative safeguards to protect all patient health data and personal information. This applies to electronic data as well as physical records such as doctor’s comments, paper files, x-rays, microfilm and all other forms of data. Access to the records must also be restricted and controlled.
Equipment inventory – Covered groups must maintain an inventory of all electronic equipment which is used to store, transmit, access or copy data. Any equipment with a hard drive or other data storage device must be on the list. This incorporates PCs, laptops, portable storage devices, fax machines, digital printers and photocopiers.
Staff Training – All staff must be given training on HIPAA Privacy and Security Rules, including its responsibilities to stay within HIPAA standards. All training must be recorded and should be signed by each member of staff to confirm that it has been given.
Physical Security Plans – A physical security plan must be in place for all locations where Protected Health Information is kept.
Transmission of ePHI – Any system which is capable of sending ePHI must use data encryption to secure the data on the move. This includes all equipment in use under BYOD schemes. If data encryption is not used to safeguard PHI, there must be a recorded reason as to why this is not the case, along with details of the alternative controls that have been used in its place.
Decommissioning of Equipment and disposal of PHI – Before digital technology is decommissioned the data stored on the devices must be securely and permanently deleted, while physical records must be rendered indecipherable or destroyed in a safe environment.
Failure to Adhere with HIPAA Regulations
The Office for Civil Rights (OCR) has the power to issue fines for non-compliance up to a maximum of $1.5 million per violation category, annually, regardless of whether the violation has arisen due to willful neglect of ignorance of HIPAA Rules.
Covered groups are therefore asked to review to make sure that all issues identified by the risk analysis have been addressed and all procedure and policies are current in line with HIPAA regulations.