8 ways healthcare leaders can prepare for a HIPAA compliance audit.
Phase 2 of the Office for Civil Rights (OCR) Health Insurance Portability and Accountability Act (HIPAA) Audit Program gives healthcare providers 10 days to prepare. Phase 3’s on-site audits give you no time to prepare: auditors show up without warning to review how well you are complying with HIPAA policies and practices. And even if you aren’t chosen for a random HIPAA audit, you can still face penalties for noncompliance if a patient complaint or a breach triggers an investigation.
Taking the opportunity to proactively strengthen your privacy and compliance program will help you maintain control of your patient data and avoid compliance headaches that are costly and time-consuming. In other words, the best time to prepare for an audit is before you’re in one.
For Phase 2 of the Audit Program, both covered entities and business associates had to meet selected standards and implementation specifications under HIPAA’s Privacy, Security and Breach Notification Rules. The HHS’s Official Audit Protocol was updated in July 2018. In addition, the aforementioned Phase 3 audits are the compliance equivalent of an on-site pop quiz.
Because the data security landscape has become so complex and fluid, compliance regulations will become more stringent. But rather than dreading an OCR audit, care providers can approach the prospect of an audit as a foundation for making the best choices when adopting new tools, technologies, personnel and workflows.
HIPAA defines a breach as the acquisition, access, use or disclosure of unsecured protected health information (PHI) in a manner not permitted by HIPAA. This activity must pose a significant risk of harm to the affected individual, whether it’s financial, reputational or other damages. Under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals if unsecured PHI is breached.
The HIPAA violations that result in the largest fines are:
These are just the violations that cost the most. Many other events can also result in a HIPAA violation or breach, and therefore in fines and settlements, including drug diversion, cybersecurity attacks, insider threats, fraud and identity theft.
HIPAA audits have both a bark and a bite. Since the regulation went into effect in 2003, the OCR has discovered 56 Privacy Rule violations and handed out close to $100 million in fines. And as of 2018, the OCR has received more than 184,000 HIPAA complaints and initiated more than 902 compliance reviews.
The compliance issues most often investigated by the OCR are, in order of frequency:
The covered entities that most often violate HIPAA are general hospitals, health plans, outpatient facilities, private practices and physicians, and pharmacies. More than 37,670 complaints were investigated by the HHS as of July 2018, 69 percent of which have received corrective action.
You may receive an audit letter — or auditors may just show up at your doorstep one day. Either way, if you’re following HIPAA’s requirements, there is no need to worry. Below are eight recommendations for staying proactively prepared for an OCR audit.
HIPAA stipulates that covered entities and business associates must ensure the confidentiality, integrity and availability of all electronic PHI (ePHI). In addition, electronic systems holding ePHI must allow access to those persons who have been granted access rights.
A best practice is to monitor all systems holding ePHI, including electronic health records (EHRs), cloud applications and mobile devices. By monitoring with a full lifecycle platform, organizations can detect, investigate, mitigate and remediate inappropriate activity and so address incidents. Monitoring also helps organizations identify employees who need training, sanctioning or retraining, and fosters a culture of privacy and compliance that prevents future incidents from occurring.
Covered entities must establish the policies and procedures needed for a privacy and compliance program that adheres to the final Breach Notification Rule. To do so, identify your high-risk assets and ensure that your risk analysis of these assets is current. These assets should include both technical and non-technical assets that are business-critical.
Data are highly valuable to the good guys and the bad guys alike, even when the “bad” guys are well-meaning but uninformed employees. Unless proper policies and procedures are in place, employees and insider threats may put PHI in jeopardy. Under HIPAA 164.316, organizations are required to implement “reasonable and appropriate policies, procedures and standards.” Furthermore, organizations are required to document those policies and procedures to prove they’ve set boundaries and made expectations and standards transparent.
You are required to conduct risk assessments to determine the probability that health information has been compromised. The main goal is to determine whether you need to report a PHI breach. The Office of the National Coordinator for Health Information Technology (ONC) and the OCR recently updated their Security Risk Assessment Tool to guide organizations through the compliance process.
Organizations can improve compliance by implementing identity correlation technology in their EHRs and cloud applications. This is important: FairWarning sampled 1 million users of EHRs and cloud applications and found that 26 percent were poorly known or unknown to the care provider. Such users cannot be monitored and audited, which makes it difficult to train or sanction them in the event of a HIPAA violation.
Fifty-eight percent of healthcare breaches involve insiders. To make sure employees fully absorb the policies and regulations that govern their day-to-day work, training should be treated as an ongoing process, not a one-time event. Once you identify employees who need training through your monitoring program, clearly communicate expectations about your organization’s policies and procedures and train accordingly through a learning management system.
Covered entities and vendors are both required to create, receive and transmit PHI in a secure and intended manner. Therefore, it is a critical best practice to enter into business associate agreements (BAAs) with any vendors handling PHI. If either party violates the BAA, it may face penalties from the HHS. Most importantly, find a vendor who takes the BAA seriously. Any organization can sign one, but does it have the proper protocols in place to responsibly handle PHI? Ask questions and investigate to assess how secure its processes really are.
An incident response plan (IRP) helps your organization contain security incidents that would otherwise become breaches requiring regulatory involvement. The HIPAA Security Rule requires covered entities to have IRPs. The HHS provides a free Incident Response Plan template to help organizations handle incidents with more agility. Once created, an IRP requires frequent evaluation and changes as the organization naturally evolves.
When you have policies and procedures in place to remain compliant, an OCR audit won’t strike fear into your heart. You’ll have confidence knowing you’ve done everything necessary to keep your data and that of your patients private and secure. You’ll also be laying the groundwork that will keep you prepared for new regulations and new technology.
Shane Whitlatch works with FairWarning’s largest and most sophisticated customers in order to ensure these customers get the greatest value possible from their solutions. Shane also plays a major role in alliance development.