A representative of the U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently presented at a compliance forum to provide comments regarding the roll out of OCR’s Phase 2 HIPAA audits. The presenter cited recent settlements and emphasized that OCR seeks to hold entities accountable, and although OCR prefers to be proactive, it will be aggressive when needed.

The upcoming Phase 2 HIPAA audits were discussed in depth, as well as OCR’s policy work in providing guidance and technical assistance in an effort to assist entities in being proactive in protecting the privacy and security of health information. (Both of these items were found to be lacking by the OIG in its September 2015 report and were highlighted as areas of OCR’s focus in its written response to the OIG report.)

Key takeaways from the presentation included:

  • The long-awaited updated audit protocol is now available on the OCR website, and a downloadable version of the protocol will be available soon. In addition to being used to assess readiness for the upcoming audits, the audit protocol can be used as a proactive risk assessment to determine whether PHI is being protected in accordance with regulatory requirements and OCR expectations;
  • Much of the commentary regarding the audit process are in keeping with OCR’s previous guidance on the topic, in that the audits will include a combination of desk audits of documentation such as risk assessments, BAAs and breach notifications and comprehensive on-site audits. The desk audits will be conducted first, with covered entities being audited before business associates, and the on-site audits will follow;
  • Just as the findings from the Phase 1 pilot audits guided the OCR’s focus for the upcoming audits, overall findings from Phase 2 will be used to inform a permanent audit program as well as industry guidance and best practices;
  • OCR has begun sending out address verification forms, but not all entities which receive those notices will be audited. Entities will receive a follow-up request with questions about entity size, affiliations and demographics that will allow OCR to select a broad cross-section of entities for auditing. This will allow OCR to obtain a comprehensive view of industry, make assessments of trends and receive information about each entity before the audit begins. Entities that do not respond to the questionnaire will not necessarily avoid an audit. In keeping with prior OCR pronouncements, entities that are currently under investigation by OCR will not be audited this year;
  • With respect to OCR’s educational outreach efforts, OCR has released extensive guidance to individuals, covered entities and business associates relating to the patient’s right of access to health information, and this guidance is readily available on OCR’s website. Additional guidance may arise from changing technology. For example, the FTC recently released a guide for mobile-app developers along with a portal for developers where questions can be posted to the agency or other vendors and guidance can be requested. Other emerging areas include health apps such as Fitbits, and how the health information contained in those apps should be treated;
  • Cybersecurity is a threat that confronts everyone. While entities should work to proactively prevent hacking, they must respond immediately if a hack does occur. OCR has issued guidance in the form of a NIST crosswalk with the Security Rule, which is also available on OCR’s website. NIST compliance is not mandated but may be useful for identifying compliance practices, and the crosswalk details how those practices may apply to HIPAA; and
  • OCR will also be issuing guidance regarding ransomware and how to treat ransomware for purposes of breach notification rules.

The representative noted that the audits will target specific common areas of noncompliance or vulnerabilities identified in OCR’s pilot audits and subsequent enforcement actions. Entities will have a very short time frame (10 days) to respond to OCR’s initial document request for the audits. As a result, entities must be prepared in advance to be able to respond in a comprehensive and meaningful way.

In addition to the Phase 2 audits, the representative underscored other areas of focus for OCR, including:

  1. Entities must conduct (and update or implement changes resulting from) security risk assessments;
  2. Entities should have BAAs in place, and should also look at their Business Associates’ downstream use and protection of data;
  3. Entities must either encrypt PHI or show equivalent levels of protection;
  4. Research entities must also protect PHI; and
  5. Entities must have a robust, comprehensive data security plan that can respond quickly to hacks and breaches if and when they do occur.

Organizations are encouraged to assess their HIPAA policies and processes and compare them to the HIPAA audit protocols, as well as conduct risk analyses and ensure that all employees are appropriately trained in HIPAA compliance matters. Organizations should be proactive in their efforts to be compliant so as to be prepared for an audit and to otherwise minimize their exposure to an enforcement action or penalties in connection with any potential breaches that may occur.