Now that the 2015 HIPAA Audits have begun, organizations are reevaluating their HIPAA compliance posture. This is a good thing being that an organization will have very little time to respond to pre-audit and audit inquiries from the Office of Civil Rights (OCR).
On the other hand, some organizations are evaluating the risk of being selected and might conclude that the risk is low. These organizations might decide that the low risk is not worth the effort to ensure HIPAA compliance. The risk of being selected by the IRS to audit your tax return is very low but most people and organizations file their taxes.
Why is this the case? People fear the IRS. They fear the hassle associated with an IRS audit, they fear the penalty associated with an IRS audit and they fear the consequences of failing an IRS audit.
Right now people don’t really fear OCR or HIPAA audits. I am pretty confident that people didn’t fear the IRS audits when they first started. It took a few years and some very high profile cases, including putting people in jail, to get people to worry about IRS audits and ensuring that they are properly filing their tax returns. It is not hard to see an analogy with the start of the HIPAA audits. The question that organizations need to ask themselves is:
Do I want to be a high profile example if my organization is selected for a HIPAA audit?
There is no denying that the chance of being selected for a HIPAA audit is low. But a random audit is only one of the ways that OCR could investigate an organization. Let’s take a look at some of the other ways that an organization can come under the HIPAA microscope.
If an organization has a data breach (lost laptop or hacker steals protected health information -PHI) OCR may decide to investigate the incident. If OCR starts an investigation, they will want to see what safeguards the organization had in place prior to the data breach. It is almost guaranteed that OCR will want to see the following:
- The most recent HIPAA Security Risk Assessment (SRA) and documented work plan to address any issues discovered in the SRA
- Evidence of documented HIPAA Security and Privacy Policies and Procedures (including evidence that the organization has implemented and is following the Policies)
- Evidence that employees have received periodic HIPAA Security and Privacy training (this should be ongoing training that occurs at least once a year)
- Evidence of a security incident response plan
Business Associate Data Breaches
A data breach by a Business Associate may cause OCR to investigate the Covered Entity. If a billing company or IT support organization has a data breach there is a good chance that OCR will investigate both the Business Associate as well as the Covered Entity. The question that organizations need to ask themselves is:
Besides signing a Business Associate Agreement, do I have any proof that my Business Associate is protecting PHI that we disclose to them?
Another way that OCR may open an investigation into an organization’s HIPAA compliance is if a patient or former patient files a complaint. The patient may feel that their privacy or the security of their data has been breached and can file a complaint with OCR. OCR evaluates each of the complaints that have been filed and decides if they will investigate the organization.
Employees or former employees may feel that their employer is not protecting PHI and could file a complaint against the organization.
Organizations that are participating or have participated in the CMS Meaningful Use (MU) Incentive Program can be audited by CMS or the Office of Inspector General (OIG). A common reason of failing a MU audit is the lack of a Security Risk Assessment (SRA) or the lack of a thorough SRA and documented work plan to address any issues discovered in the SRA.
With over 100 million patient record breaches in the last few years it should come as no surprise that the government is increasing HIPAA enforcement. We have an epidemic of patient records breaches and the need to protect this very sensitive information is apparent.
Organizations can no longer ignore HIPAA. Proper safeguards and increased security is needed to protect PHI. It is a lot easier and cheaper to proactively implement HIPAA requirements than it is to respond when OCR comes knocking on your door.