Advisories October 1, 2014

Health Care Advisory: HIPAA Audit Program Phase 2 Update


Alston & Bird LLP

In September, several representatives of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) made presentations that provide important guidance for covered entities and their business associates on the next phase of OCR’s HIPAA Audit Program, which has been delayed. The key takeaways:

  • Take advantage of the delay in Phase 2 of the Audit Program to address and enhance compliance with the requirements of the Privacy, Security and Breach Notification Rules.
  • Make sure to have conducted and/or updated a comprehensive Security Rule risk assessment.
  • Take the Audit Program seriously: HIPAA audits may be used as an enforcement tool.

Previously Announced Plans for Phase 2

Earlier this year, OCR had announced that Phase 2 of the Audit Program would begin this year and would target specific high-risk issues. It indicated that, beginning this past summer, it would conduct a pre-audit survey of 800 covered entities and 400 business associates to determine suitability for the Audit Program.[1] OCR stated it would use the survey to select 350 covered entities and 50 business associates to be audited in Phase 2, with audits distributed across health plans, health care providers and clearinghouses (for covered entities) and across IT-related and non-IT-related business associates. At the same time, OCR’s plans were to begin Phase 2 audits of covered entities in the fall of 2014, with 2014 audits of covered entities focused on the following:

  • Risk analysis and risk management (Security Rule)
  • Notice of privacy practices and access rights (Privacy Rule)
  • Content and timeliness of breach notification (Breach Notification Rule)

The 2015 audits of covered entities would focus on device and media controls and transmission security (Security Rule) as well as safeguards and training on policies and procedures (Privacy Rule). Audits of business associates were scheduled to start in 2015, focused on risk analysis and risk management (Security Rule) and breach reporting to the covered entity (Breach Notification Rule).

At the time, OCR had also indicated that most audits would be “desk audits” (i.e., document-only audits, without follow-up) in which the entity would be required to respond to data request letters within two weeks of receiving the request. The audits would be conducted with audit protocols updated to reflect the HIPAA/HITECH Act Omnibus Rule changes, as well as to provide more specific test procedures. The protocols would also use a sampling methodology to assess compliance with a number of provisions. OCR promised that the updated audit protocols would be made available on its website so that covered entities and business associates could use the protocols to assess their compliance efforts.

A New Web Portal and Expanded Plans for Phase 2

OCR has recently announced that Phase 2 of the Audit Program has been delayed and that, when it starts, there will be more on-site, comprehensive audits and fewer desk audits than previously planned.

Early in September, the OCR senior health information privacy advisor who heads the Audit Program announced that OCR has delayed the pre-audit survey, as well as Phase 2 of the Audit Program, until OCR is able to implement a new web portal through which entities can submit information. OCR is planning to use its new portal to conduct the pre-audit survey screening tool as well as have entities enter data for the audits. According to OCR, the portal technology will help it streamline the audit process by collecting, collating and analyzing audit data. The portal is intended to save OCR time and allow it to conduct more audits.

While OCR had previously planned to begin Phase 2 of its Audit Program (the permanent audit program) in 2014, OCR now is not specifying when the surveys will be issued or when Phase 2 will begin, although some pre-audit surveys could be distributed in the near future. Accordingly, covered entities and business associates are advised to stay tuned.

In addition to delaying the start of Phase 2 of the Audit Program, OCR has changed its plans for the audits. While it appears that most audits will still be desk audits, OCR, with the new web portal and possibly some additional funding, is planning to conduct more on-site, comprehensive audits (including audits of business associates) than previously planned and may conduct many fewer desk audits.

OCR still plans to conduct a pre-screening survey of covered entities and business associates that are potential candidates for audits in Phase 2 of the Audit Program. This survey is likely to occur “in the near future,” and responses will be collected by means of OCR’s new portal.

OCR advises covered entities to be ready with a list of their business associates, contact information for the business associates and the services provided by the business associates. It appears that the list of business associates to be surveyed and/or audited will be derived from the lists of business associates provided by surveyed and/or audited covered entities.

While the Audit Program pilot was conducted by contractors, Phase 2 will be staffed and conducted by OCR personnel. Covered entities will be responsible for demonstrating compliance with the Security Rule (including a risk analysis), the Privacy Rule (including access issues) and breach notification under the Breach Notification Rule. Among other things, OCR will be looking for comprehensive, periodic risk analyses and documentation of appropriate follow-up risk management plans and activities. Business associate audits may focus on compliance with requirements such as security risk assessments and breach notifications.

In conducting its audit work, OCR will look not only for written policies and procedures, but also for evidence of compliance, such as evidence that the policies and procedures have been implemented and are being enforced, e.g., by the imposition of sanctions (consistent with the entities’ sanctions policies) for violations. It is also likely to be important for covered entities and business associates to be able to demonstrate that they have periodically reviewed and updated their policies and procedures in light of their experience, changes in their operations and information technology environment and/or changes in applicable law. Because OCR plans to move the audits quickly and many of the audits will remain desk audits, covered entities and business associates may not be able to supplement or clarify their initial responses to audit inquiries, unlike in the Audit Program pilot. Accordingly, the content of the initial response is crucial. Covered entities and business associates should contact legal counsel for assistance in preparing written submissions to OCR, especially their initial responses to OCR.

OCR will update its HIPAA audit protocols before this next round of audits begins.

HIPAA Audits: Part of OCR’s Arsenal of Enforcement Tools

Earlier this month, an OCR representative had indicated, in response to questions concerning how OCR decides whom to audit, that OCR does not see audits as a direct enforcement arm and that audits would not be performed on organizations that are the subject of an open breach or HIPAA compliance investigation. This does not mean that such audits hold no enforcement implications. More recently, another OCR representative made it clear that “[the Audit Program] will be an enforcement tool,” indicating that HIPAA audits will become a means to begin compliance investigations of covered entities and business associates.

During the Audit Program pilot, OCR had indicated that it viewed HIPAA audits mainly as a compliance improvement activity, designed to help OCR determine the types of technical assistance that need to be developed and the types of corrective action that are most effective. OCR had also indicated that it would seek to audit a wide range of covered entities in terms of size, geographic distribution and type (individual and institutional health care providers, a wide variety of health plans and health care clearinghouses).[2]

As the Audit Program progresses and continues to evolve, covered entities and business associates should expect that OCR will use audits as an enforcement tool and may pursue compliance reviews and/or investigations of entities for serious compliance issues or violations identified during an audit. Keep in mind that compliance reviews and investigations can lead to the imposition of civil money penalties or resolution agreements involving the payment of resolution amounts. Consequently, covered entities and business associates should currently expect, at a minimum, that:

  • A failure to respond appropriately to an audit request may lead to a compliance review or enforcement action; and
  • If an audit reveals a significant or serious compliance issue, OCR may undertake a more comprehensive compliance review.

Coming HIPAA Guidance

OCR is working on guidance for covered entities and business associates on a number of HIPAA topics, including:

  • Breach notification safe harbors
  • Breach risk assessment tool
  • HIPAA minimum necessary requirements
  • HIPAA marketing rules

Be Prepared

Given the number of audits OCR plans to conduct in Phase 2 of the Audit Program, the likelihood that any particular covered entity or business associate will be audited in Phase 2 is relatively low. However, as noted above, OCR views audits as a tool in its compliance and enforcement arsenal. Covered entities and business associates should consequently be prepared for HIPAA audits and consider taking advantage of the delay in Phase 2 to review their HIPAA compliance programs and:

  • Ensure that privacy and security policies and procedures reflect current HIPAA requirements (including the HIPAA/HITECH Act Omnibus Rule)[3] and update such policies and procedures, as needed, taking into consideration any changed circumstances.
  • Conduct or update comprehensive Security Rule risk assessments and ensure that risk mitigation and management plans are up to date, including with respect to new technology implemented since the prior risk assessment. If needed, create a corrective action plan to address HIPAA compliance issues.
  • Review compliance in other high-risk areas, especially those on which OCR is likely to focus audit attention, including:
    • Privacy Rule: Notice of privacy practices, individual access rights, implementation of the minimum necessary requirements and authorizations.
    • Security Rule: Media and device movement and disposal, transmission security, audit controls and monitoring.
    • Breach Notification Rule: Content and timeliness of breach notification.
  • Consider encryption of electronic transmissions, mobile devices and media containing electronic protected health information, particularly USB/thumb drives. This is a safeguard specifically mentioned by OCR representatives.
  • Review covered entity/business associate relationships for HIPAA compliance.
  • Review training materials and ensure workforce training is up to date and documented.
  • Ensure proper documentation of compliance with policies and procedures, including training, complaint handling and resolution, application of sanctions policy, etc.

While the HIPAA audit delay announcements may cause a sigh of relief among some covered entities and business associates, now is the time to prepare. OCR will conduct more on-site audits and fewer desk audits than previously planned, the audits are part of OCR’s enforcement arsenal and the outcomes could lead to sanctions and monetary fines. Alston & Bird stands ready to assist with reviewing and updating HIPAA policies and procedures; enhancing HIPAA compliance; responding to OCR during a HIPAA audit, compliance review or investigation; and interacting with OCR regarding audit, corrective action and/or enforcement efforts. Please let us know how we can help you get ready.


[1] See our blog post on OCR’s pre-audit survey at:
[2] For background on OCR’s Audit Program pilot, see our November 30, 2011, blog post at:
[3] For a discussion of the HIPAA/HITECH Act Omnibus Rule, please see our January 25, 2013, Health Care Advisory, Overview of the HIPAA/HITECH Omnibus Final Rule, and our February 1, 2013, HIPAA/HITECH Act Omnibus Rule Checklist, both of which are available on our website.


This advisory is published by Alston & Bird LLP’s Health Care practice area to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions.
