Federal Privacy Audits Continue to Scare Health-Care Providers


By James Swann

Ongoing federal privacy audits originally slated to end in January have uncovered some glaring health-care compliance issues among physicians and health plans.

The privacy audits have reached only a fraction of eligible organizations so far, but preliminary results have already exposed problems, such as health-care providers failing to assess the risk that patient data will be improperly disclosed, and have driven home the importance of an effective compliance plan.

While the current audits are educational in nature and aren’t intended to punish noncompliance, the government hasn’t shied away from penalizing other providers who’ve strayed from complying with federal privacy laws.

Over the past year, for example, the government reached five multimillion-dollar settlements outside of the audit program related to possible privacy violations. In one case, Memorial Healthcare System in Florida reached a $5.5 million settlement after an investigation determined that 115,000 records had been illegally accessed and disclosed by an employee.

Five Largest HIPAA Settlements in the Last Year

Only two providers and health plans were fully in compliance with a requirement to create an organization-wide risk management plan, and none of those audited had conducted any type of risk analysis, according to a Jan. 18 presentation from the Health and Human Services Office for Civil Rights, which enforces federal health-care privacy laws.

It’s up in the air whether the audit program will shift to a more enforcement-based focus, Iliana Peters, a health-care attorney with Polsinelli PC in Washington, told Bloomberg Law Feb. 22.

The OCR has completed 166 remote audits of covered entities (defined as providers and health plans) and 41 audits of business associates (organizations that provide services to providers and health plans) during the second round. Audits conducted remotely are known as desk audits.

The audits assess a provider’s ability to maintain the privacy and security of patient records, and cover everything from whether providers are keeping a tally of all electronic devices that store patient data to whether they’re controlling and monitoring employee access to that data.

Peters, who served as the OCR’s acting deputy director prior to joining Polsinelli, said the current round of audits has been done remotely, and it remains to be seen whether on-site audits move forward.

The OCR is planning to release aggregate findings from the second round of audits later this year, Rachel Seeger, a spokeswoman for the OCR, told Bloomberg Law Feb. 22. Seeger said the OCR would also update its website with guidance resulting from the audit findings.

Seeger said the OCR is continuing to develop the design of a permanent audit program based on what’s been uncovered during the first two rounds of audits.

The audits began in 2011 and are intended to determine if health-care organizations and their contractors are complying with HIPAA’s Privacy and Security rules. A second round of audits started in 2016 and is still ongoing.

Best Practices

Physicians, health plans, and contractors—also known as covered entities and business associates—facing an OCR audit should familiarize themselves with the audit protocol, Peters said.

The protocol, which is available on the OCR’s website, identifies the specific areas the audit will cover. “The protocol is very thorough, it will give you an idea of what the OCR is looking for,” Peters said.

Audit targets should also make sure to respond quickly to requests from auditors and provide all available documents, Peters said.

Covered entities and business associates should also be prepared to make some compliance changes once an audit is over, Peters said.

Ongoing Burdens

There’s an initial investment of time and money when creating a privacy compliance plan, including paying fees to consultants or attorneys who can help with the process, but the overall expenditure isn’t large, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg Law Feb. 21.

“A more significant ongoing burden [for providers] is training employees in HIPAA matters and retraining them at least annually, performing periodic risk assessments, and other compliance requirements that in my experience are often overlooked,” Fader said, referring to the Health Insurance Portability and Accountability Act.

The HIPAA compliance standards are flexible and scalable, but there are still baseline elements that must be in place, including a formal, written security risk analysis and associated risk management plan, W. Reece Hirsch, a health-care attorney with Morgan, Lewis & Bockius LLP in San Francisco, told Bloomberg Law Feb. 21.

“For a small practice that doesn’t have a dedicated IT or security person on staff, those sorts of requirements can seem daunting,” Hirsch said.

A lack of help from the OCR has also contributed to a knowledge gap among physicians about how to comply with the HIPAA rules, Robert Tennant, director of health information technology policy at the Englewood, Colo.-based Medical Group Management Association, told Bloomberg Law Feb. 21.

Results from the initial round of HIPAA audits, plus the preliminary results from the current round, have indicated that some providers and health plans weren’t meeting the OCR’s definition of HIPAA compliance, but the OCR hasn’t responded with an extensive educational campaign based on the audit results, Tennant said.

Cyberattacks and data breaches are growing threats to physician practices, Tennant said, and the OCR should leverage the audit results to educate physician practices, especially smaller organizations, on how to meet HIPAA requirements.

Sense of Urgency

Providers who have been through a HIPAA audit tend to come out of it with a list of compliance upgrades and a sense of urgency about getting them done, Hirsch said.

The Phase 2 audits have focused on a narrow list of compliance areas, but the OCR hasn’t been sparing in its criticisms, Hirsch, a Bloomberg Law advisory board member, said.

The continuing exodus of senior leadership from the OCR, including Peters and Deven McGraw, the former deputy director for health information privacy, makes it difficult to predict enforcement trends, Colin Zick, a health-care attorney with Foley Hoag LLP in Boston, told Bloomberg Law Feb. 21. “In the mid-to-long term, however, the OCR will continue to move away from the education audit and toward the so-called enforcement model,” Zick said.

To contact the reporter on this story: James Swann in Washington at jswann1@bloomberglaw.com

To contact the editor responsible for this story: Kendra Casey Plank at kcasey@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
