E-News Exclusive
By Stephen Cobb
A new round of HIPAA audits is expected this fall, but hopefully this is not news to you or your organization. And hopefully you won’t be surprised to see multiple headlines this fall announcing multimillion-dollar fines imposed by the Office for Civil Rights (OCR). There have been several hints that these are in the pipeline, notably the comment made by Jerome B. Meites, a chief regional civil rights counsel at Health and Human Services: “The past 12 months of enforcement will likely pale in comparison to the next 12 months.”
Frankly, nobody should be surprised that the OCR, the agency charged with getting organizations to meet privacy and security requirements that have been in place for many years, is getting a little ticked off at this point. Reading between the lines, you get the impression some folks at the OCR think all health care organizations have had enough time to become fully compliant—by “all” they mean covered entities and, thanks to the HIPAA Omnibus Rule, business associates.
How much time? Well, I gave my first conference presentation on the importance of getting ready for HIPAA’s privacy and security requirements in March 2001. One of the slides, titled “The Writing on the Wall,” said, “We are looking at a federally mandated standard for security practices within companies involved in health care or handling health-related information. Note that these are considered practices necessary to conduct business electronically in the health care industry today. In other words, normal business costs, things you should be doing today. …”
Note the emphasis on “today” because by 2001, I had already spent many years working with companies that were doing all of the things necessary to protect sensitive personal information, such as risk assessments to determine the controls needed to secure sensitive data and controls such as two-factor authentication, antivirus management, and encryption. These companies were mainly in the financial services and telecommunications sectors. What I had not seen prior to 2001 was a lot of health care providers leading the way in the adoption of IT security and digital privacy best practices. When I started presenting HIPAA seminars to organizations that were about to become covered entities, I was shocked at what some of them told me about their existing IT practices.
Fast forward 13 years, and there have been massive improvements. Many covered entities and business associates have embraced the moral and legal obligations to protect medical data. In some cases, they were doubtless encouraged to do this by the OCR, which investigated 27,466 complaints from 2003 to 2012, resolving 18,559 of those “by requiring covered entities to take corrective actions and/or provided technical assistance to covered entities to resolve indications of noncompliance,” according to the agency’s annual report. Nevertheless, I doubt anyone can feel good about the number of incidents being documented on the OCR’s “wall of shame.”
The OCR’s public reporting of breaches of unsecured protected health information affecting 500 or more individuals began in October 2009. Thus far, approximately 33 million individuals have had their medical information compromised. This total does not include those affected by breaches involving fewer than 500 patients.
In 2013 alone, 24,806 Americans per day had their protected health information exposed. Such metrics are behind both the hefty fines, of which we will soon see more, and the new audits, of which we have been promised more.
The following are important points about the next wave of audits:
• Audit subjects now include business associates as well as covered entities.
• Audits will be conducted by OCR staff through document submission rather than site visits.
• Adverse findings could lead directly to enforcement action.
• Audits are likely to focus on specific areas of concern, informed by previous findings (which were published in June in the “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012”).
As for business associates, it is not clear whether all organizations, particularly subcontractors, that fall into this category are aware of their designation. Some may be in denial, others simply unaware. Frankly, every business that comes into contact with protected health information would do well to confirm its status. For example, the thousands of HIT firms that now fall under the OCR’s purview must realize they are directly liable for HIPAA compliance. Just like every covered entity, they must conduct and document a comprehensive risk assessment, one of the first items on the OCR’s audit checklist. Business associates and their subcontractors also are subject to audits, investigations, and penalties.
A broad picture of what may be covered by an audit can be found on the OCR’s Audit Program Protocol page, which offers an interactive guide and a downloadable spreadsheet. However, there is currently a disclaimer that “the protocol has not yet been updated to reflect the Omnibus Final Rule, but a version reflecting the modifications will be available in the future.” Look for that update to appear soon.
In the meantime, keep in mind the items that are likely to be of particular interest in this fall’s audits. At the top of the list will probably be risk assessments, which need to be thorough, current, and well documented. Do not expect to get by with any documents created after the request date. You only have to look at past cases where the OCR has levied fines to know that shortcomings in the area of risk assessment are taken very seriously.
Two other hot buttons for auditors are likely to be encryption—the failure to do it or document why you don’t—and portable media, which Meites has called “the bane of existence for covered entities” and the cause of “an enormous number of the complaints that OCR deals with.” ESET North America will be following this issue closely and welcomes comments and dialogue.
— Stephen Cobb is a senior security researcher at ESET North America.