IMPACT ANALYSIS: Second phase audits of patient-privacy compliance starting under U.S. health agency

January 26, 2016

By Elizabeth Polking, Regulatory Intelligence

(Thomson Reuters Regulatory Intelligence) – Hundreds of U.S. health-care providers over the next three years will be scrutinized for their compliance with patient privacy regulations, as regulators respond to findings of widespread compliance gaps and launch a new round of industry audits.

The audits by the Health and Human Services Department’s office of Civil Rights were slated to begin early this year, and are reported to eventually reach 350 providers such as doctors, pharmacies, and health insurance companies.

The initiative comes as the expanded use of health information technology raises new privacy risks, even as it provides new opportunities and benefits in the healthcare realm.

Covered entities, including doctors, pharmacies, and health insurance companies, that fail to adequately guard protected health information (PHI) leave patients vulnerable to privacy violations, fraud, and other harm. Relevant information includes identifying information such as the patient’s name, test results, medical condition, prescriptions, and treatment history. PHI may also include phone numbers, birth dates, addresses, and social security numbers, which makes financial fraud and identity theft possible.

To counter these risks, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide national standards for the privacy of PHI, the security of electronic protected information, and breach notification to consumers.

HITECH requires that the Health and Human Services Department conduct periodic audits of covered entities and business associates to assess compliance with the privacy, security, and breach-notification rules under HIPAA. The HHS civil rights office, or OCR, enforces these rules. The OCR established a pilot audit program in 2011 to evaluate the controls and policies implemented to comply with HIPAA standards.

According to information service HealthITSecurity, the audit protocol covers requirements for the notice of privacy practices for PHI, rights to request privacy protection, access to PHI, administration, uses and disclosures, amendments, safeguards, and breach notification.

Phase 1 Audits

The first phase of audits indicated that 80 percent of providers lacked HIPAA-compliant risk-analysis programs, according to an article in Renal & Urology News. This raises concern, as one of the main tenets of HIPAA is to understand an organization’s risk.

Organizations are strongly encouraged to conduct assessments to identify risks and vulnerabilities, and to set a timeline for coming into compliance, Daniel Gottlieb, a partner in the law firm of McDermott Will & Emery LLP, was quoted as saying in the article. If a plan or timeline is out of date, it is considered “a flag that they aren’t taking it seriously,” Gottlieb said.

Meanwhile, the auditing agency itself has been evaluated by the HHS Office of Inspector General (OIG), two reports in September 2015 criticized OCR’s supervisory and investigative roles, and spurred OCR to launch this new round of audits. (For the reports, please click here and here.)

The OIG found that the civil rights office needed to strengthen its oversight and enhance its follow-up procedures relating to breaches of PHI. The OIG report cited weaknesses such as a “primarily reactive” oversight, in which OCR investigations arise only in response to complaints.

The OIG further noted that the civil rights office has not fully implemented the permanent audit program needed to “proactively assess” potential noncompliance with HIPAA. OIG stated that the civil rights office investigative efforts relied primarily on self-reporting of breaches and responses to complaints, tips, or media reports about breaches.

The Inspector General recommended that OCR “improve its ability to search for and track prior breach reports” in its case-tracking system in order to identify those with systematic compliance problems. OIG also recommended that OCR complete documentation of corrective action, and expand outreach and education efforts.

OCR’s responses, included in the reports, confirmed plans for a permanent audit program, for a standardized process of checking for prior breaches when initiating investigations, and for updating its electronic document management and investigations tracking systems. The office says that it now has the capacity to be more proactive in enforcement efforts against entities with a history of breaches. .

Phase 2 Audits

As a result of the recently issued OIG reports, the OCR has announced its plans to begin Phase 2 audits in early 2016. These will target specific areas of noncompliance, as well as directly target business associates. OCR said it would update audit protocols, refine the pool of potential audit subjects, and implement screening tools regarding potential audit subjects.

OCR has selected a contracted vendor to conduct the audits.

According to HealthItSecurity, the purpose of the audit is to “examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing compliant investigations and compliance reviews.”

The civil rights office has identified a pool of covered entities that broadly represent the wide range of healthcare providers, health plans and healthcare clearinghouses operating today. Criteria include: whether an entity is public or private; size; affiliation with other healthcare organizations; geography; type of entity and relationship to patient care; and past and present interaction with OCR on HIPAA enforcement and breach notification.

Law firm Baker & Hostetler’s Data Privacy Monitor reported that OCR plans to select 350 covered entities and 50 business associates over the next three years to conduct audits.

Of the 350 entities selected, there will be 232 healthcare providers, 109 health plans, and nine healthcare clearinghouses. The business associates will include 25 IT vendors and 15 non-IT vendors. OCR plans to audit 150 entities and 50 associates for compliance with security standards, 100 entities for compliance with privacy standards, and 100 for compliance with breach notification standards.

Screening audits were already sent out to gather data about operations on HIPAA procedures. This next round will test the efficacy of a combination of desk reviews, on-site reviews, and data security audits.

Those selected are informed by an OCR compliance audit notification letter which explains the process and expectations, clarifies what documentation is required, and specifies how and when to return the requested information to the auditor.

The covered entities and business associations selected are expected to respond to requests within 10 business days.

OCR is developing a web portal for data submission, and also plans to “broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges” through outreach portals.

Phase 2 Audits will focus on violations identified from Phase 1, including security risk analysis and management, breach notification, notice of privacy practices, individual access, security device and media controls, data transmission, encryption, physical controls, and workforce education. If a systemic compliance issue is identified, OCR may expand the audit to include an on-site visit and enforcement action.

Preparing for an audit

There are several ways to prepare for a prospective audit. A self-audit tool currently provided by OCR is broad and covers much of HIPAA, but OCR is working on a tool for the next phase that will be more concise and focused on areas that have been identified as problematic.

OCR also plans to issue education resources, including new protocols and compliance guidance.

Although Phase 2 audits will vary slightly, the first round of audits can give some indication of what can be expected.

For example, HealthITSecurity reported that those audited will receive advanced notice of at least a week to coordinate personnel and prepare responses to requests, have open lines to ask questions and avoid surprise requests, be able to give feedback on improving the audit program, and have an opportunity to convey measures taken to remedy previous findings.

Similarly, based on Phase 1, those audited will unlikely be subject to on-site visits, will be unable to refute findings noted in their audit report, and will not need to provide extensive resources. The evaluation will primarily work from documents from the pilot audits.

Baker & Hostetler’s Data Privacy Monitor reports that OCR has posted its current audit protocol, and plans to post revisions before the start of audits. Data Privacy Monitor also published a list of the pertinent areas of compliance that should be evaluated in anticipation of the upcoming audits.

Covered entities and business associates were encouraged to review and revise privacy, security, and breach notification policies so that they are up to date and compliant. With regard to privacy safeguards, practices must ensure that only the minimum amount of PHI necessary is used or disclosed.

Entities must also review security measures to protect electronic PHI in transit, and ensure that devices containing and transmitting the electronic information are encrypted. OCR has emphasized the encryption of personal health information for the upcoming audit, and Gottlieb said in Renal & Urology News that OCR is “cracking down in this area.”

Encryption is required unless it is deemed unnecessary or unreasonable based on a risk and cost assessment. Procedures for the use, reuse, disposal, storage, and backup of devises and systems containing electronic protected health information must be reviewed.

Entities must review processes and documentation of requests to ensure timely responses to individuals in accessing PHI, and review the notice of privacy practices to ensure that current requirements for content, posting, and distribution are met, according to Data Privacy Monitor’s article.

Workforce training materials must also be current and include documentation of training and education on privacy and security standards. A current inventory of where PHI is located must be maintained, and a facility security plan must be in place for those locations. A process must be in place when purchasing new IT equipment or when acquiring a new business and its equipment.

In preparation for the audits, practices must perform comprehensive and periodic risk analyses, and compile documentation verifying that risk assessment, risk analysis, and risk management plans were implemented. The risk management plan should include a timeline for implementing specific security controls for identified risks, and documentation of those controls must be reviewed.

Providers subject to audit must take measures to ensure that the breach notification policy complies with the standard, maintain documentation of prior notifications to show that notice was provided, and review incident response, mitigation, investigation, and breach determination procedures.

The OCR is expected to also request a list of business associates and associated agreements, Renal & Urology News said. Practices must keep business associate contracts thoroughly documented and preserved. Business associate agreements must be updated and in the hands of vendors.

Breach logs must be completed and filed in real time. An inventory of information system assets should be completed. Finally, an individual responsible for these procedures should be clearly identified to ensure a timely response if indeed an audit letter is received. OCR will only accept documentation that is submitted on time. It is imperative to have the documentation compiled and readily available in anticipation of such a request.

Overall, the “best thing a practice can do is ensure that they have policies, procedures, and required forms completed,” and that staff is following those procedures,” Renal & Urology News reported.

OCR uses the audit reports to “determine what types of technical assistance should be developed” and “what types of corrective action are most effective,” according to HealthITSecurity.

If an audit report suggests a serious compliance issue, or if there is a failure to respond to a request, OCR may initiate a full compliance review to address the problem. OCR will not post a listing of audited entities or the results of an individual audit that clearly identifies the entity.

Failure to comply with HIPAA may result in a big fine. OCR is authorized to impose penalties of more than $50,000 per violation, even if it is found that the breach was unintentional. OCR may also dole out penalties of up to $1.5 million per capital year.

While OCR prepares in the upcoming months by updating its audit protocol and finalizing the list of potential audit subjects, the industry will need to prepare as well. Entities must regularly monitor and make adjustments as necessary. Essential measures include periodic, comprehensive internal reviews of policies and procedures, including security risk assessments, reviews of privacy and security processes, and HIPAA compliance training.

(This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Jan. 14. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters)

(Elizabeth Polking is a Compliance Attorney for Thomson Reuters Regulatory Intelligence. She is based in Eagan, Minnesota.)

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see