MTSOs Gear for OCR Audits
By Susan Chapman
For The Record
Vol. 26 No. 12 P. 20
While security has always been a priority, it will be emphasized even more as visits loom.
The latest round of HIPAA audits is expected to be the most stringent yet. Unlike the pilot audits, which began in 2011, these will impact medical transcription service organizations (MTSOs), which are considered business associates (BAs) of covered entities (CEs). As the audits get under way, MTSOs are working diligently to be prepared should they need to answer the bell.
The Pilot Audits
As required by the HITECH Act, the Office for Civil Rights (OCR) must periodically audit CEs and BAs to ensure HIPAA compliance. To satisfy this mandate, it created a pilot program in 2011 to analyze HIPAA compliance among 115 CEs.
Daniel F. Gottlieb, JD, a partner at McDermott Will & Emery LLP, says HIPAA compliance has become more of a priority of the Obama administration during the last two to three years. "While there haven't been numerous reported enforcement actions resulting in civil or criminal penalties, there have been over 20 resolution agreements resulting in the payment of a settlement amount since 2008, including five in 2014. The OCR has definitely stepped up enforcement," he says.
Gottlieb believes the first series of audits were more educational, allowing the OCR to evaluate HIPAA compliance efforts of the various CEs. Besides helping the OCR understand the mechanisms CEs employed to ensure compliance, the program also helped reveal vulnerabilities, risks, and best practices.
During the pilot audits, all CEs were eligible. Organizations from insurance plans and hospitals to osteopaths and health care clearinghouses were selected to provide a diverse picture of compliance. The program featured three phases: developing protocols, determining which CEs were to be audited, and conducting comprehensive audits under revised protocols. The process involved site visits during which auditors conducted interviews with key staff members and observed organizations' operations and processes. Following the visits, auditors provided each CE with a draft report, to which the organization had an opportunity to respond before the final report was submitted to the OCR. The pilot audit program formally concluded in 2012.
Susan Lucci, RHIA, CHPS, CHDS, a consultant and chief privacy officer at Just Associates, says the pilot audits uncovered several issues related to security risk analyses, in that they either were not completed or were performed incorrectly. "This is certainly going to be high on the radar of this next round of audits," she says.
"The OCR is creating a database of business associates, and the expectation is that the OCR fines for noncompliance will be much higher this next time around."
What the Pilot Revealed
According to the OCR, only 13 of the 115 audited CEs had no adverse findings or observations. Health care providers represented 53% of the audited entries, but were responsible for 65% of the total findings and observations. Security violations accounted for more than 60% of the findings or observations and 58 of the 59 audited providers had at least one security failing. Two-thirds of those audited had no accurate risk assessment process in place. Other problem areas included protected health information (PHI) access management, security incident procedures, contingency planning and backup, workstation security, media movement and destruction, encryption, and audit controls and monitoring.
When it became necessary to notify individuals of security breaches, many issues, including timeliness, method of notification, and the burden of proof—determining whether a breach had occurred and if notification was even necessary—needed to be addressed. The audits also found that smaller entities struggled with compliance more than larger organizations.
Anecdotally, organizations discovered it's better to tackle compliance in advance rather than wait until an audit letter arrives. Other lessons learned included the following:
• The revised pilot audit protocol can be employed as an effective tool to evaluate existing compliance measures.
• Addressable security measures—most notably, encryption—are essential.
• Policies and procedures must be employed properly to be effective.
Phase 2 Audits
During this summer, the OCR conducted a preaudit survey of some 800 CEs to ascertain information regarding each organization's location, size, contact information, services offered, and information on BAs. Based on the results, the OCR will select approximately 350 entities for audit, with BAs taking their turn in 2015.
The second round of audits will differ from the first in several ways. For example, rather than visit sites, the OCR will request information from CEs and BAs, effectively eliminating the opportunity for those groups to explain any perceived irregularities. To prevent fraud, those organizations being audited face a short turnaround time and are required to provide only current documents. The OCR is also employing its own auditors rather than relying on contractors.
Phase 2 centers on areas that had a high proportion of noncompliance during the pilot program, including PHI access, risk assessment inaccuracies, privacy notification problems, and the manner in which breach notifications occur.
Preparing for Phase 2
Aware that there is a high price to pay for not being in compliance, MTSOs have taken steps to ensure preparedness with the latest round of audits. "In the past, some organizations claimed to be HIPAA compliant with security measures in place when in fact they were not. Such organizations are now on notice," Lucci says.
Lee Tkachuk, CEO of Keystrokes Transcription Service, says the recent settlement between California-based GMR Transcription Services and the Federal Trade Commission (FTC) serves as an example of the government's focus on MTSO compliance. According to the FTC website, the agency alleged that GMR "engaged in deceptive and unfair information security practices that exposed the personal information of thousands of consumers online, in some instances including consumers' medical histories and examination notes. … In its complaint, the agency alleged that GMR's data security practices were inadequate and resulted in transcriptions of audio files provided by GMR's customers being indexed by a major search engine and made publicly available to anyone using the search engine."
Under the settlement agreement, GMR is prohibited from misrepresenting how well it maintains the privacy and security of consumers' personal information. Also, GMR "must establish a comprehensive information security program that will protect consumers' sensitive personal information, including information the company provided to independent service providers," according to the FTC. "In addition, the company must have the program evaluated both initially and every two years by a certified third party. The settlement will be in force for the next 20 years."
"The FTC corrective action was a two-decade plan with very specific and costly requirements of proving GMR's ongoing security issues," Lucci says. "So they either had to comply or do what they did—they eliminated a very profitable division of their offerings and no longer offer medical transcription services."
The GMR case was extreme, a situation that Gottlieb has never witnessed in the MTSO industry. "I work with MTSOs, and I've not seen people leave the business over HIPAA compliance issues," he says.
HIPAA compliance shouldn't be all that complicated, Gottlieb says. "If an IT professional were to look at HIPAA standards, they are pretty basic. For example, it makes sense to have a security officer. And most businesses that have any type of confidential or proprietary information encrypt it in electronic form or use other security safeguards," he notes. "Another requirement is to have data backup policies and procedures. Backing up information makes good sense for any business that relies on data for general business activities. They need to have information available if they want to recover it. So, many of the HIPAA requirements are things people are doing anyway, and they are pretty sensible."
In terms of administrative safeguards, risk analysis, and risk management, CEs and BAs must conduct periodic security risk assessments of all information systems and document that any recommendations were addressed within a reasonable amount of time.
When striving to protect items such as devices and media, Gottlieb advises MTSOs to implement an electronic media sanitization policy to address the disposal and reuse of electronic media. They also should take inventory of information system assets, including mobile devices, to track the physical movement of electronic PHI. CEs and BAs also must adopt a physical security plan for each location with access to PHI.
As MTSOs transmit information, they must review security measures to guard against unauthorized access to electronic PHI sent over the Internet and implement encrypted e-mail and/or text messaging applications, Gottlieb says. In addition, organizations must either encrypt transmitted electronic PHI or produce written risk analysis that supports the absence of encryption.
Should a security incident occur, CEs must adhere to the content and timeliness requirements of the breach notification rule. The same requirements hold true when BAs, including MTSOs, must report a breach to a CE.
CEs also must create a written policy addressing an individual's right to access PHI, including the appropriate limitations on fees. In addition, the Notice of Privacy Practices must meet the privacy rule's content requirements and be posted on the CE's website.
CEs and BAs must have reasonable and appropriate safeguards in place to protect PHI in any medium, including paper. For example, organizations must use shredders to destroy paper PHI.
In terms of training, organizations must have training materials that are consistent with the final Omnibus rule, be able to track completion of the required training, and regularly review records to determine that all staff members have been trained as needed for their respective job duties.
Gottlieb recommends other preparatory steps. "CEs and BAs should have complete lists of all BAs that include current contact information and an associated inventory of signed BA agreements in the event of an audit request," he says. "If a CE and/or BA has not implemented any of the Security Rule's addressable implementation standards for any information system or facility, then an organization should document why the implementation specification was not reasonable and appropriate as well as the alternative security measures that were implemented."
Keystrokes Transcription Service has long emphasized security, which positions the MTSO well should HIPAA auditors come knocking. "We have a seven-level layer of security and are very strict with our transcriptionists," Tkachuk says. "They have to know HIPAA compliance. In addition, we have them watch a security video to reinforce their training."
Both online and offline precautions are accounted for. "Whenever transcriptionists sign into our intranet, they have to read HIPAA again and sign off on it," she says. "Their computers also have to be solely for transcription and their offices must be secure with doors that close. They're unable to print any documents unless they're in a facility, and nothing can be saved onto their computers."
Tkachuk points out that clients are becoming increasingly aware of security and compliance issues. "We've been getting a lot of certified letters from our customers with new BA agreements attached. Not e-mail, not regular mail, certified," she says.
Take the prospect of being audited out of the equation, says Linda Allard, CHPS, president of New England Medical Transcription (NEMT), who notes that proper security habits should be practiced on a daily basis. "I think we all need to make sure we're compliant whether we anticipate an audit or not," she says. "The audits remind us to ask ourselves important questions that we should ask every day. Have we all done our security audits? Have we addressed everything? Is our training the way it's supposed to be?"
Still, the potential audits can serve as an organizational reminder that security should be top of mind for staff. "It's good to use this time as a company checkup and be sure we've done everything correctly," Allard says. "We all need to know that we have our paperwork and are able to answer the questions in the two weeks that we're allotted whether or not we're ever required to answer the OCR's questions. Making sure that our policies are in place should be standard practice."
She recommends MTSOs not view the prospect of an OCR audit as a final exam of sorts. "I've told colleagues we shouldn't cram; we should try to be ready all along, not at the end or just for an audit," Allard says. "We want to be in compliance all the time, and we want everyone to think about it all the time. Being proactive will make us safer. And I believe these philosophies are not only good for NEMT, but also important for our industry as a whole."
— Susan Chapman is a Los Angeles-based writer.