Privacy and Security Audits May Be Moving From Education to Enforcement

By James Swann

Ongoing privacy and security health-care audits may be moving from education to enforcement, and providers need to ensure that their compliance and operational teams are working together to detect vulnerabilities.

The second round of Health Insurance Portability and Accountability Act audits began in March 2016, and the Health and Human Services Office for Civil Rights has repeatedly said they are intended to be educational.

However, a shift is likely, Alisa Chestler, a health-care attorney with Baker, Donelson, Bearman, Caldwell & Berkowitz in Nashville, Tenn., told Bloomberg BNA.

“It’s my understanding that, dependent on what they find, they’ll be taking enforcement actions on these audits,” Chestler said. The OCR is likely to find compliance vulnerabilities and take enforcement action due to the increasingly complex world of health-care information technology, Chestler said.

The compliance audits are intended to determine if health-care organizations and their contractors are complying with HIPAA privacy and security rules.

The first phase of the audits was conducted as a pilot program in 2011 and 2012, focused solely on covered entities, while phase two has included both covered entities and business associates.

The HHS defines a business associate “as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

The Internet of Things may be a target for future enforcement, Chestler said. The Internet of Things refers to the growing ability of everyday devices, including medical devices, to collect, send and receive data electronically.

The OCR didn’t respond to a request for comment on the status of the HIPAA audits.

Colin Zick, a health-care attorney with Foley Hoag LLP in Boston, echoed Chestler, telling Bloomberg BNA that while future HIPAA audits will always have educational elements, the period when an adverse audit result won’t yield an enforcement action has passed.

“That’s why self-auditing is so important, just as it has become in the billing context, because these problems must be found and corrected before the government finds them,” Zick said.

Audit Process

The second round of HIPAA audits is still underway, with over 200 audits in process, Susan Nash, a health-care attorney with McDermott Will & Emery in Chicago, told Bloomberg BNA.

The bulk of the audits are focused on providers, with the remainder covering business associates, Nash said.

The OCR has completed most of the remote, or desk, audits, Nash said, and the on-site audits are expected to begin sometime this year. “On-site audits will be more comprehensive than desk audits and cover a wider range of HIPAA requirements,” Nash said, noting that the on-site audits will also focus on smaller data breaches involving fewer than 500 individuals.

Nash said 2016 OCR guidance demonstrated that the agency is focused on cybersecurity issues affecting cloud computing, patients’ right to access information and health information exchanges.

“At this early point in the Trump administration, it’s unclear how much effort [HHS] Secretary [Tom] Price will put into HIPAA audits, but given the large financial settlements, this will likely be an area of continued focus and attention,” Nash said.

Nash said 13 enforcement actions associated with data breaches at covered entities resulted in roughly $23 million in settlements in 2016.

Chestler also said she suspected that the HIPAA audit program would see little change under the Trump administration.

Potential Delays

While the OCR has said on-site audits should begin in 2017, they may not start until the end of the year and could even end up starting in 2018, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg BNA. Fader said the OCR’s Deven McGraw acknowledged the chance of a 2018 audit start date while speaking at the 2017 HIMSS conference in February. The Healthcare Information and Management Systems Society is a nonprofit organization based in Chicago that’s focused on advancing health-information technology.

Fader said a delay will allow the OCR to review the results of the desk audits and get input from HHS Secretary Price before beginning on-site audits.

While the OCR’s official statements have consistently referred to the audits as being primarily educational, Fader said he’s assuming that if the office discovers something egregious in the course of an audit, it will be swiftly converted into an enforcement action.

Fader said he expected the increased number and size of OCR settlements in 2016 would continue through 2017, and said he wouldn’t be surprised to see the OCR increase cooperation with other agencies, like the Food and Drug Administration and the Federal Trade Commission, to expand the breadth of HIPAA enforcement and education.

“If and when the phase two desk audits results reveal other types of problems that OCR hasn’t yet considered, we’re likely to see those problems highlighted in settlements, perhaps with some sort of guidance published by the OCR either previously or concurrently,” Fader said.

Remaining Compliant

The potential for looming enforcement makes it essential that health-care providers review how they update their information technology systems. “When adding new technology or new systems, too many times the compliance function is separate from the operational side,” Chestler said.

The two sides need to work together to ensure that any vulnerabilities can be addressed immediately, Chestler said. The compliance department should also work with the procurement department to review new systems and technologies before they are brought into the organization, Chestler said.

Based on recent OCR enforcement activity, it’s likely there will be more security audits focusing on device and media controls, encryption, and audit controls and monitoring, Kevin Page, a health-care attorney with Waller Lansden Dortch & Davis LLP in Nashville, Tenn., told Bloomberg BNA.

Page also said providers should expect an increase in the use of desk audits as the OCR’s primary tool for assessing compliance efforts.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.