May 7, 2012
HIPAA Enforcement Heats Up
By Susan Chapman
For The Record
Vol. 24 No. 9 P. 14
The Office for Civil Rights is ramping up random compliance reviews as part of the continued evolution of the landmark privacy rule.
The HITECH Act mandates that all covered entities—healthcare providers, clearinghouses, and health plans—comply with HIPAA privacy and security standards while requiring the Office for Civil Rights (OCR) to implement a program of periodic audits. To that end, in November 2011, the OCR launched a pilot program to perform up to 150 audits of covered entities to measure compliance in both privacy and security.
According to the OCR, the audits will “present a new opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.”
The process includes complaint resolution, an issue-based process by which the OCR investigates and follows up on some 10,000 complaints per year; compliance reviews, which now include HIPAA breach investigations and fall under two categories: breaches affecting fewer than 500 individuals, which must be reported to Health and Human Services (HHS) within 60 days after the end of the calendar year in which they were discovered, and breaches affecting 500 or more individuals, which must be reported to HHS within 60 days of discovery (the OCR must investigate all reported breaches, which average nearly 20 per month); and compliance reviews in cases other than breach reports.
The new OCR audits add another element to the process by closely examining general compliance issues within an overall program.
Selecting the Auditees
The OCR website states, “Every covered entity and business associate is eligible for an audit. Selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry. OCR is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule. Business Associates will be included in future audits.”
The audit’s initial phase features 20 covered entities: eight health plans, two claims clearinghouses, and 10 provider organizations composed of three hospitals, three physician offices, a laboratory, a dental office, a nursing/custodial facility, and a pharmacy. However, the OCR has withheld the audited organizations’ exact identities.
“One thing that interests us is that 150 audits were scheduled for this year. The first 20 are pilot audits in the first six months. It’s very unlikely then that OCR will be able to reach the 150 mark,” says Daniel Berger, president and CEO of Redspin, a penetration testing services and IT security audit provider.
Berger was surprised to learn that the initial audits did not also include business associates, which the HHS website defines as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
Phyllis Patrick of Phyllis A. Patrick & Associates, a security, privacy, and compliance service provider, agrees: “It was very surprising that business associates were not included given that, according to various surveys, they are responsible for 20% to 46% of all breaches.”
However, Chris Apgar, president and CEO of Apgar & Associates, LLC, which offers healthcare privacy and security compliance solutions, holds a different view. “Not including business associates is completely consistent with OCR’s pronouncement in 2009-2010. OCR stated it would not enforce any provisions of HITECH that had not been clarified in the interim final or final rule. The rule relating to the requirement that business associates comply with HIPAA is still a draft rule. This explains why OCR is not auditing business associates at this time. OCR has indicated on its website that business associates will be audited but not in this first round.”
Currently, business associates are not ultimately liable for information breaches; liability rests with the covered entity. “That will change within 12 months when direct civil liability will extend to the business associates,” Berger says. “The final breach law will be issued some time over the next six months. When it’s finalized, business associates will have six to 12 months to comply, so it’s on the horizon.”
Stephen Page, an attorney with Waller Lansden Dortch & Davis, says business associate agreements are coming under greater scrutiny as their role in future audits becomes clear. “A significant portion of our HIPAA engagements involve reviewing contracts in which covered entities are adding provisions to business associate agreements, such as indemnification clauses, that make the business associate responsible for the costs of the breaches they commit,” he says.
How the Audit Process Works
KPMG, the firm contracted by the OCR to conduct the audits, has established a sequential process. Once KPMG receives the list of covered entities to be audited, it sends each organization a packet that includes an OCR cover letter alerting the entity that it has been selected for audit under the HITECH Act. The announcement also contains a letter from KPMG that delineates the audit’s timeline and initial requirements and includes a list of documents that must be produced within 10 business days.
The KPMG letter goes on to provide information about the on-site audit, which can take place within 30 to 90 days of the letter date. KPMG will later give the covered entity five days’ notice before auditors arrive at the site.
“The timeline is a real problem for all covered entities,” says Apgar. “They have 10 business days from the date of the letter. It can take five business days just to receive the letter. It’s a challenge even if you are compliant, and it’s particularly tough for large covered entities.”
Once at the facility, KPMG auditors conduct a briefing, interview key individuals, tour the site, review paper documents, and search for proof that compliant policies exist.
After the audit is completed, auditors conduct another briefing before leaving but can continue to ask questions for an additional two to three weeks. After 20 to 30 days, the auditors draft a report, which is sent to the site. The site has 10 business days to prepare comments and send them to KPMG. In response, KPMG can amend the report. Whether or not the firm chooses to change the initial report, all paperwork—the report and the site’s response—is sent to the OCR.
Once the OCR reviews those documents, it can take various steps. The OCR can develop technical assistance and guidance or, in certain cases, it may choose to open a compliance review.
“Serious deficiencies or willful neglect, for instance—risk assessment that needs to be done but is not—are serious violations,” says Mac McMillan, CEO of HIT security firm CynergisTek. “Following an audit, OCR can send its own people in for an investigation. The outcome can be a resolution agreement and/or fines. If the violation is illegal, then the matter can be referred to the Department of Justice for further investigation. If OCR finds something serious, fines can be quite substantial.”
Impact on the Industry
It is currently unclear how much information the OCR will make available to the industry. While the intent of the audits is to work with covered entities to ensure their privacy and security measures are compliant, if there is evidence of willful neglect, as McMillan notes, fines could ultimately result.
“They just wouldn’t result from the audits themselves,” Apgar says. “There are civil and regulatory risks by not complying. OCR is headed by a former federal prosecutor [Leon Rodriguez], and there is currently no budget for audits in 2013. Fines and settlements could make up for that lack of funding. A fair chunk of the industry is not compliant when it comes to security, so there could be ramifications beyond the audits that organizations should be concerned about.”
“It will be interesting to see whether OCR’s bark is worse than its bite,” Berger adds. “In the past, OCR has been fairly reasonable if someone is not compliant. Fines are usually imposed only for those who refuse to comply, and it remains to be seen what the audits will reveal. Have breaches occurred that have not been reported? That’s the biggest thing a hospital should fear.”
Apgar says another consideration is the soft costs associated with breaches, particularly if they involve 500 or more records. “The at-fault party must make a public announcement, so there is damage to the brand,” he says. “Individuals need to be notified directly, and there could be legal ramifications—and costs—as well.”
McMillan takes a more industrywide view of the audits’ potential outcomes. “These audits will paint a pretty accurate picture of where healthcare is today,” he says. “Congress, the General Accounting Office, and other government entities will see where privacy and security are today. The collective outcome will send a message of how healthcare is performing across the board.”
The Value of Being Prepared
Each expert interviewed for this article cautioned that the time to prepare for an audit is well before KPMG’s audit packet arrives.
“People are making a lot of these audits and rightly so, but if you’ve been working at your program and doing the right things, making progress, you’re where you should be,” Patrick says. “Privacy and security are major issues across all industries. You should always be audit ready. That philosophy should be part of your culture and how you do business. It always comes back to basics.”
To help entities become audit ready, Patrick offers a checklist that includes questions such as, “Are privacy and security training programs effective? How do you know? Do you meet the HIPAA Security Rule standards for risk analysis and risk management? Do you have an ongoing program of auditing and monitoring for the privacy and security programs?”
Additionally, many service firms are actively offering preparation assistance to covered entities. Often, these services include “practice” OCR/HIPAA audits to help organizations get a sense of what to expect from auditors. Meanwhile, business associates are being proactive and ensuring they are compliant in order to avoid fines.
Redspin is one organization that performs HIPAA security risk analyses and assessments in an effort to bring in an objective third-party perspective to a covered entity. “Covered entities are supposed to do that per HIPAA,” Berger says. “For a company like ours, we take the more informed, least intrusive approach, operating under the hypothesis that going through our process first would make any future government audit much less painful.”
Meanwhile, Apgar & Associates has partnered with ID Experts, a data breach prevention and remediation firm, to offer mock HIPAA compliance audits to help healthcare organizations prepare.
McMillan cautions that everything within a covered entity is open for review, making it essential to be as ready and organized as possible. “All communication can be looked at—electronic, written, verbal, anything that can be tied back to a person. Therefore, it’s really important to take compliance requirements seriously. Auditors are very thorough. If covered entities haven’t taken the time to prepare, they need to do it now. There is no time once the audit clock starts ticking.”
OCR spokesperson Rachel Seeger agrees that preparation is the best policy: “OCR reminds covered entities and business associates of the importance of having in place a carefully designed, delivered, and regularly monitored HIPAA compliance program.”
— Susan Chapman is a Los Angeles-based writer and author.
Case Settled Regarding Lack of HIPAA Safeguards
Phoenix Cardiac Surgery, PC of Phoenix and Prescott, Arizona, has agreed to pay Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.
The settlement follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential HIPAA Privacy and Security Rules violations.
The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, the OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA rules and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).
“This case is significant because it highlights a multiyear, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” says Leon Rodriguez, director of the OCR. “We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
OCR’s investigation also revealed the following issues:
• Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information.
• The organization failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules.
• The organization failed to identify a security official and conduct a risk analysis.
• Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based e-mail and calendar services where the provision of the service included storage of and access to its ePHI.
— Source: Health and Human Services