via https://ift.tt/29rBsLD
Is your business still HIPAA compliant after the 2016 federal changes?
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) warned healthcare professionals and their business associates of its intention to launch a series of random HIPAA compliance audits throughout 2016. This announcement caused some panic among businesses unsure of their ability to pass a compliance review. Many organizations are unclear as to who’s bound by HIPAA compliance standards and what aspects of their business will be evaluated during an audit.
Any organization that transmits electronic Protected Health Information (ePHI) is required to comply with all HIPAA parameters. These rules work to protect the security and confidentiality of patient data and the failure to adhere to these standards could put a business at risk for both substantial fines and potential lawsuits. Covered entities and their business associates need to understand what’s required to meet HIPAA standards and how their organizations could be affected if a random audit were to occur.
Understanding what is changing and what an audit entails will help ensure that businesses meet HIPAA compliance standards.
What has changed?
Before 2016, the OCR only investigated non-compliance after a complaint, tip, or media report had been filed; as a result, 98% of closed privacy cases were the result of a complaint. The audit provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act took effect in 2010, but the OCR has yet to implement an audit program that proactively evaluates the compliance status of covered entities and business associates. A 2015 report released by the Office of Inspector General found the OCR’s oversight of HIPAA compliance to be lacking. Now, the OCR plans to strengthen its review efforts by implementing a second phase of audits that was originally scheduled for 2014 but encountered a number of delays.
In this new round of assessments, providers with fewer than 15 physicians and healthcare business associates will be subject to audits. A business associate is any person or group that generates, stores, receives, or transmits PHI on behalf of the covered entity with which they’re affiliated. A covered entity is any health plan, healthcare clearinghouse, or healthcare provider that electronically transmits PHI.
However, it’s important to note that some states define these roles differently, and businesses should check with their legal counsel or state trade association to determine the state’s specific rules. In Texas, for example, covered entities are classified as any organization in possession of PHI, meaning business associates are subject to the same regulations imposed on covered entities. While the odds that a practice will be randomly audited are slim, it’s important that any entity with access to PHI be vigilant about consistently evaluating and updating its HIPAA security and compliance strategy, thereby avoiding damage to its bottom line and reputation.
The HIPAA Omnibus Rule
The Final HIPAA Omnibus Rule was established in 2013 to revise previous HIPAA definitions, clarify procedures and policies, and include business associates and their contractors within the HIPAA regulations. While the rule has been in effect for a few years, the OCR’s lax investigation efforts have allowed some businesses to continue operating without adjusting their policies or procedures to meet the Omnibus Rule’s standards. Covered entities should address the following elements of their organization and make any updates to former documents and procedures to ensure they will be adequately covered in case of an audit.
Business associate agreements
All business associate agreements should be revised and updated to include the standards outlined in the HIPAA Omnibus Rule. Whereas before, covered entities shouldered compliance responsibilities, now business associates are equally liable if a data breach or security error occurs on their end. Business associates must sign a Business Associate Agreement before their services are used by a healthcare provider and are subject to the same penalties and fines as a covered entity.
Privacy policies
The Omnibus Rule includes several HIPAA definition changes, and a provider’s privacy policy should be updated to reflect these adjustments. Policies should include the amendments made regarding deceased persons, the rights of patients to access their ePHI, and responses to access requests. They must also take into consideration the new restrictions regarding the disclosure of information to Medicare and insurance providers, the distribution of ePHI for school immunizations, and the use of ePHI for marketing, fundraising, and research efforts.
Employee training
An organization’s employees can be either a risk or an asset to its network and information security. Sufficient training should be held to inform staff of the definitions and procedures changed as a result of the Omnibus Rule. Business associates are required to implement training for their employees and all instruction efforts must be documented.
How to prepare for an audit
For any organization, managing HIPAA compliance can be daunting. A business and its employees should understand what a HIPAA compliance audit entails and what steps should be taken to adhere to HIPAA standards. When an organization is audited, it will be evaluated on aspects such as patients’ rights to request privacy restrictions on PHI, individual access to PHI, administrative, technical, and physical safeguards, the use and disclosure of PHI, HIPAA Breach Notification Rule policies, and amendments to PHI.
If an organization is subjected to an audit, it will likely be required to supply a large volume of documents to the OCR. An organization has 10 business days to supply the requested information; if it does not have the proper documentation and procedures in place when the audit occurs, it will likely be unable to supply the necessary information in the allotted time.
Generally, an audit will require an organization to provide records of its compliance efforts dating back several years. If this information is unavailable or nonexistent, the company could incur a number of legal and financial penalties. Businesses bound by HIPAA regulations should hold regular security reviews to assess the ability of the organization and its technology to meet compliance standards. In addition, changes made to suit these regulations should be regularly documented and updated to prove a remediation plan is in effect.
When performing a security review, businesses should ask themselves:
- What written policies and procedures are in place to address HIPAA regulations?
- Is there an established incident response plan to address a breach if it occurs?
- Are regular risk assessments being performed and documented?
- What policies are in place to address data security?
- Are security and use policies for BYOD and mobile devices in effect?
- Are business associates complying with HIPAA standards?
- Is there a regular training program in place to educate both old and new employees about HIPAA compliance regulations?
- Do patients receive a Notice of Privacy Practices, and where is this notice available (on-site, online, etc.)?
It’s vital that an organization’s security review be held and updated at least annually, as businesses often restructure processes or add technology to their IT environment. Such changes can leave holes in the organization’s security strategy and render it vulnerable to a data breach.
While much of the HIPAA legislation remains unchanged in 2016, the OCR is bolstering its efforts to monitor and remediate PHI security risks throughout the nation. As more organizations become subject to an audit or investigation, it’s important that businesses understand HIPAA so they can remain compliant and protect their clients.
via https://ift.tt/2aa3t8t
Hackers steal millions from ATMs without using a card
Taiwan is trying to figure out how hackers managed to trick a network of bank ATMs into spitting out millions. Police said several people wearing masks attacked dozens of ATMs operated by Taiwan’s First Bank on Sunday.
via https://ift.tt/29YpuJw
Online hackers loot Mumbai diamond firm owner of Rs 37 lakh
The latest victim of email hacking, an international diamond firm owner and resident of Malabar Hill has complained to the police after losing Rs 37 lakh to the fraud; the matter is under police investigation, which is probing a Haryana link in the cyber crime. Diamond exporter Sejal Savera, 40, the owner of Nikhil Gems, was cheated of Rs 37 lakh after the company’s email was hacked and its client based in the United States of America was sent an email stating that the company had changed its bank account and that payments for the deal should now be transferred to a bank in Haryana.
via https://ift.tt/2ajlWlM
Man, 38, arrested for defrauding banks
A 38-year-old man, alleged to be a specialist in hacking into the emails of banks and other business institutions to defraud them of various amounts, has been arrested by the police. The suspect, identified as Gadiel Baah Nyumutei, according to the police, hacked into the emails of some business institutions and succeeded in transferring a total of GHc33,000 and $9,800 into his personal bank account.
via https://ift.tt/2aiCXwh
Taiwan says foreign suspects arrested over US$2 million ATM cyber robbery
Police in Taiwan said on Sunday they had arrested three out of 16 foreign suspects they believe hacked into the cash machines of a major local bank, withdrawing more than US$2 million.
via https://ift.tt/2amOREq
Former Air India staffer held for hacking into its website
A 23-year-old former Air India employee has been arrested for allegedly hacking into the airline’s internal system for managing frequent flier accounts, redeeming miles to convert them into tickets and selling them to travel agents, police said on Monday. The accused, Anitesh Giri Goswami, is a graduate in Computer Application and has worked for leading airlines, including Air India and the now-defunct Kingfisher Airlines.
via https://ift.tt/29Q1hom
Criminals plant banking malware where victims least expect it
A criminal gang recently found an effective way to spread malware that drains online bank accounts. According to a blog post published Monday, they bundled the malicious executable inside a file that installed a legitimate administrative tool available for download.
via https://ift.tt/2a4DnGp
India’s Union Bank reports cyber breach on offshore account
Union Bank of India Ltd said on Friday one of the bank’s offshore accounts was breached in a cyber attack but the money trail was traced and the movement of funds was blocked. "There is no loss caused to the bank," said the bank in a press release, adding that it had informed the authorities and it was taking steps to plug any gaps and strengthen its security systems.
via https://ift.tt/2a3RrOI
SMS-based two-factor authentication may be headed out the door
SMS messaging for two-factor authentication might become a thing of the past. A U.S. federal agency is discouraging its use.
via https://ift.tt/2aK4J3N
