With the start of Phase 2 HIPAA Audits, health care organizations are facing more scrutiny than ever before. Although the Office for Civil Rights (OCR) audited some healthcare providers in Phase 1 Audits, it was an exploratory study with very little risk for organizations. In general, the government has left providers alone until they receive a complaint.
Now, they’re taking an in-depth look at a broad sampling of the healthcare industry, exposing organizations with lax security practices. Enforcement will only get tougher from here, as the OCR moves toward periodic audits designed to prevent HIPAA violations — not address them after the fact.
Phase 2 HIPAA Audits and the HITECH Act
The current audits actually trace back to the Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009. Although HITECH is best known for its meaningful use requirements, it also strengthened HIPAA in several ways, including:
- Requiring providers to report any breach that may pose a risk
- Extending the term “business associate” to cover all partners with PHI access
- Mandating Business Associate Agreements (BAAs) with all associates
- Strengthening patients’ control over their data
The law also created a three-phase program to audit HIPAA and HITECH compliance, with the goal of establishing a protocol for periodic audits. From 2011 to 2012, the OCR, part of the Department of Health and Human Services (HHS), conducted Phase 1 Audits of 115 healthcare providers to evaluate the state of HIPAA compliance. Because it was a pilot program, there was little enforcement risk for audited entities.
HIPAA Phase 2 Audits — which began March 21st — are much more serious, because they cover business associates as well as healthcare organizations, include site audits, and may result in follow-up visits or compliance penalties.
Phase 2 HIPAA Audit Structure: Who Gets Chosen?
The OCR chooses audit participants at random to represent the whole range of covered entities, including:
- Health care providers
- Health care clearinghouses
- Health plans
- Business associates of healthcare companies/entities
The OCR is sending some healthcare organizations a questionnaire, eliciting information such as their size, public/private status, affiliations and their revenue. They’re also requesting detailed information about their business associates.
The OCR will randomly select organizations from this pool for the first round of desk audits. Auditees will be required to submit documentation of privacy, security and breach notification compliance as listed in the Audit Protocol. They will then receive draft findings, and have 10 business days to return written comments, which will be reviewed before a final report is issued.
A second round will be subsequently conducted, targeting business associates. Both are supposed to be completed by December 2016. After that, the OCR will start a round of Phase 2 HIPAA Site Audits, which will involve more in-depth on-site examination.
OCR Signaling Tougher HIPAA Compliance Enforcement
The Phase 2 HIPAA Audits were launched on March 21, in the middle of a HIPAA enforcement blitz. From February through March, the OCR announced six enforcement actions, all but one of which resulted in six- to seven-figure penalties. Two of them — including a $1.55 million penalty with North Memorial Health Care — were for failing to execute a BAA, after a partner suffered a security breach.
It’s clear that the OCR is becoming stricter about enforcement, and penalties are rising. Additionally, health care organizations are now being held responsible for breaches caused by improperly-vetted business associates. After Phase 2 audits reveal the security practices (and flaws) of associates, it’s likely that business associates will also face compliance audits, should they fail to secure health data as dictated by their BAAs.
Phase 2 Audits May Lead Directly to Non-Compliance Penalties
The OCR has characterized the audits as “primarily a compliance improvement activity… [that] will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules.” However, they’ve also stated that some desk-audited organizations may be required to undergo site audits, and that they’re willing to take enforcement action if they uncover serious HIPAA violations.
Even if an organization does not face enforcement, violations could harm its reputation. OCR has specifically noted that, although they won’t identify auditees in their findings report, a Freedom of Information Act (FOIA) request would obligate them to release this information publicly.
BAAs are a Weak Point for Phase 2 HIPAA Auditees
The fact that HIPAA is specifically focusing on BAAs poses significant compliance concerns for a wide range of healthcare organizations. The industry has been slow to adopt adequate medical data security controls, and major providers routinely fail to implement measures which the OCR has been enforcing for years. There’s every reason to believe that the situation with BAAs — where enforcement is new — is even worse.
It’s crucial to make sure all your BAA paperwork is in order before you are audited. The audit protocol makes it clear that your organization needs to understand and document which associates have access to PHI, and what PHI they have access to. You need BAAs with all those partner organizations, clearly explaining their obligations. In particular, the OCR requires that “security requirements are in place to address the confidentiality, integrity, and availability of ePHI.”
You also need to have clear requirements in place regarding breach notification. Business associates should be promptly reporting any security incidents to you — not just major PHI breaches. You should prepare documentation detailing any security incidents involving business associates, and how they were handled.
Passing the HIPAA Phase 2 Audits
Don’t panic: the OCR is not out to punish every organization which has a less-than-perfect HIPAA compliance program. Review the audit guidelines, gather and organize your documentation and concentrate on the things you can improve before your actual Phase 2 HIPAA audit.
Without the right technology, however, good documentation can only do so much. Requiring your employees and associates to handle ePHI securely won’t mean anything unless you’re encrypting ePHI to protect it from hackers. Similarly, your organization can’t effectively spot and address potential breaches without tools to log access to confidential data.
Virtru Pro provides a complete HIPAA-compliant email solution, designed to protect ePHI both inside your organization and outside. Users can encrypt emails and attachments with a single click, and send them to anyone — not just organizations using the same portal.
In addition to providing military-grade encryption, Virtru Pro also allows you to see who has viewed an email, rescind sent messages, disable forwarding, and set expiration dates on messages (meaning that after a certain period of time, they will no longer be accessible).
Virtru’s HIPAA Compliance Rule Pack provides the final piece of the puzzle, enforcing the HIPAA rules even when your users forget them. It can detect ePHI and take action to prevent disclosure when the user hits “send,” such as:
- Warning the user
- Stripping attachments
- Automatically encrypting the email
- Forwarding the message to a supervisor
And because Virtru works with email from your existing account, it’s easy to implement internally and with your business associates. Using the HIPAA Compliance Rule Pack, you can ensure encryption of ePHI while providing automatic, continuous training to ensure data security practices don’t slip.
Stay safe beyond Phase 2 HIPAA Audits. Even if you’re not selected for Phase 2, HIPAA compliance audits are only going to get tougher from here. Organizations need to think beyond the next round of audits, and implement tools and policies that will keep PHI secure, permanently. Virtru’s data-centric encryption allows healthcare organizations to keep data encrypted by default, without sacrificing convenience or efficiency.