By James Swann
Ongoing federal privacy audits originally slated to end in January have uncovered some glaring health-care compliance issues among physicians and health plans.
The privacy audits have only hit a fraction of eligible organizations so far, but preliminary results have highlighted some problems, such as a failure by health-care providers to assess the risk of patient data being illegally disclosed, and drilled home the importance of an effective compliance plan.
While the current audits are educational in nature and aren’t intended to punish noncompliance, the government hasn’t shied away from penalizing other providers who’ve strayed from complying with federal privacy laws.
Over the past year, for example, the government reached five multimillion-dollar settlements outside of the audit program related to possible privacy violations. In one case, Memorial Healthcare System in Florida reached a $5.5 million settlement after an investigation determined that 115,000 records had been illegally accessed and disclosed by an employee.
Only two providers and health plans were fully in compliance with a requirement to create an organization-wide risk management plan, and none of those audited had conducted any type of risk analysis, according to a Jan. 18 presentation from the Health and Human Services Office for Civil Rights, which enforces federal health-care privacy laws.
It’s up in the air whether the audit program will shift to a more enforcement-based focus, Iliana Peters, a health-care attorney with Polsinelli PC in Washington, told Bloomberg Law Feb. 22.
The OCR has completed 166 remote audits of covered entities (defined as providers and health plans) and 41 audits of business associates (organizations that provide services to providers and health plans) during the second round. Audits conducted remotely are known as desk audits.
The audits assess a provider’s ability to maintain the privacy and security of patient records, and cover everything from whether providers are keeping a tally of all electronic devices that store patient data to whether they’re controlling and monitoring employee access to that data.
Peters, who served as the OCR’s acting deputy director prior to joining Polsinelli, said the current round of audits has been done remotely, and it remains to be seen whether on-site audits move forward.
The OCR is planning to release aggregate findings from the second round of audits later this year, Rachel Seeger, a spokeswoman for the OCR, told Bloomberg Law Feb. 22. Seeger said the OCR would also update its website with guidance resulting from the audit findings.
Seeger said the OCR is continuing to develop the design of a permanent audit program based on what’s been uncovered during the first two rounds of audits.
The audits began in 2011 and are intended to determine if health-care organizations and their contractors are complying with HIPAA’s Privacy and Security rules. A second round of audits started in 2016 and is still ongoing.
Physicians, health plans, and contractors—also known as covered entities and business associates—facing an OCR audit should familiarize themselves with the audit protocol, Peters said.
The protocol, which is available on the OCR’s website, identifies the specific areas the audit will cover. “The protocol is very thorough, it will give you an idea of what the OCR is looking for,” Peters said.
Audit targets should also make sure to respond quickly to requests from auditors and provide all available documents, Peters said.
Covered entities and business associates should also be prepared to make some compliance changes once an audit is over, Peters said.
There’s an initial investment of time and money when creating a privacy compliance plan, including paying fees to consultants or attorneys who can help with the process, but the overall expenditure isn’t large, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg Law Feb. 21.
“A more significant ongoing burden [for providers] is training employees in HIPAA matters and retraining them at least annually, performing periodic risk assessments, and other compliance requirements that in my experience are often overlooked,” Fader said, referring to the Health Insurance Portability and Accountability Act.
The HIPAA compliance standards are flexible and scalable, but there are still baseline elements that must be in place, including a formal, written security risk analysis and associated risk management plan, W. Reece Hirsch, a health-care attorney with Morgan, Lewis & Bockius LLP in San Francisco, told Bloomberg Law Feb. 21.
“For a small practice that doesn’t have a dedicated IT or security person on staff, those sorts of requirements can seem daunting,” Hirsch said.
A lack of help from the OCR has also contributed to a knowledge gap among physicians about how to comply with the HIPAA rules, Robert Tennant, director of health information technology policy at the Englewood, Colo.-based Medical Group Management Association, told Bloomberg Law Feb. 21.
Results from the initial round of HIPAA audits, plus the preliminary results from the current round, have indicated that some providers and health plans weren’t meeting the OCR’s definition of HIPAA compliance, but the OCR hasn’t responded with an extensive educational campaign based on the audit results, Tennant said.
Cyberattacks and data breaches are growing threats to physician practices, Tennant said, and the OCR should leverage the audit results to educate physician practices, especially smaller organizations, on how to meet HIPAA requirements.
Providers who have been through a HIPAA audit tend to come out of it with a list of compliance upgrades and a sense of urgency about getting them done, Hirsch said.
The Phase 2 audits have focused on a narrow list of compliance areas, but the OCR hasn’t been sparing in its criticisms, Hirsch, a Bloomberg Law advisory board member, said.
The continuing exodus of senior leadership from the OCR, including Peters and Deven McGraw, the former deputy director for health information privacy, makes it difficult to predict enforcement trends, Colin Zick, a health-care attorney with Foley Hoag LLP in Boston, told Bloomberg Law Feb. 21. “In the mid-to-long term, however, the OCR will continue to move away from the education audit and toward the so-called enforcement model,” Zick said.
To contact the reporter on this story: James Swann in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.