HIPAA audits and what you need to consider to keep your organization compliant

By Todd Sexton

Published 2 June 2016

Todd Sexton, CEO, Identillect Technologies // Source: identillect.com

HIPAA has long been a confusing regulation, in many aspects requiring a legal degree to understand its complexity and exactly how to become and remain compliant. HIPAA was enacted in 1996, and it has taken twenty years for it to become the elephant in the room it is today. The regulation has become more sophisticated in response to the overwhelming increase in data breaches, with the medical industry experiencing the greatest impact.

In 2011, phase 1 audits were initiated in a pilot program encompassing 115 covered entities to evaluate the effectiveness of, and the correct approach for, future audits. This brings us to the phase 2 audits by the OCR (the HHS Office for Civil Rights), which incorporate enhanced protocols. These audits began in March 2016 and are picking up intensity throughout 2016. The purpose of this article is to help you understand who will be a target and whether your organization resides in the crosshairs.

Question 1. Will my organization be affected by phase 2 audits? If your organization is a covered entity, then you are the direct target of these audits (e.g., if your organization is a health plan or health plan provider, a health care clearinghouse, or any organization bound by HHS-adopted standards due to the transmission of protected health information). Additionally, if you are a business associate of a covered entity, meaning any business transmitting or having direct access to PHI electronically or physically, then get ready and be prepared.
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

Question 2. What is the process if I do get audited? Round 1 of phase 2 will concentrate on covered entities. Round 2 of phase 2 will concentrate on business associates of covered entities; it will be initiated by a letter, with fourteen days required to respond to the questionnaire and comply with the audit. If you’re not prepared when the OCR contacts you, it will be close to impossible to get up to speed in a week (i.e., there is no time to waste; you need to become compliant today).

Question 3. What type of information will the audit entail? The audit will encompass privacy, security, and breach notifications. These audits will look at the policies your organization has put in place and the documentation you have to demonstrate adherence to each specific area of the policy.

Question 4. What is the purpose of the audit? Plain and simple, the purpose of the audits is to prevent a data breach from occurring. The OCR is using the audits to “assess for compliance, identify best practices, and discover potential risk and areas of vulnerability.” This will hopefully mitigate breaches which could occur if these areas were not addressed.

Question 5. What happens post audit? If your organization has taken the appropriate steps to comply with HIPAA, then nothing. However, if it is determined that there is a serious compliance issue, then the OCR will initiate a phase 3 audit. The phase 3 audit encompasses a broader scope of requirements and in many cases entails an onsite investigation. I am sure it is safe to say none of us would like to be subjected to phase 3.
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

Question 6. What happens if I have a phase 3 audit and it is determined that significant violations exist? Well, well, well, this is what you do not want to happen. If there is indeed a significant violation present, there will be fines associated with the violation, and the OCR will determine which category the violation falls into based on the care, or lack of care, the covered entity exhibited. The categories break down as follows for a covered entity:

  • Category 1: a violation occurred, and the covered entity was unaware of it and could not easily have avoided it; minimum fine of $100 per violation, up to $50,000
  • Category 2: a violation occurred, and the covered entity was aware of it but could not have avoided it even with reasonable care; minimum fine of $1,000 per violation, up to $50,000
  • Category 3: a violation occurred, and the covered entity showed “willful neglect”; minimum fine of $10,000 per violation, up to $50,000
  • Category 4: a violation occurred, and the covered entity was “willfully negligent” and made no effort to correct the violation; minimum fine of $50,000 per violation
    http://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096

Looking for a silver lining? OCR caps the fines at $1.5 million per year. So what are the next steps, and what is the takeaway from this article?

  1. Get HIPAA compliant and put a policy in place yesterday.
  2. If you put a policy in place, make sure it is followed by everyone in your company.
  3. The main goal is to guard all PHI; you are the steward of the information and it is your fiduciary responsibility to protect it.
  4. Don’t selectively implement a system; this could show willful neglect on the area you are not covering.

Todd Sexton is President and CEO, Identillect Technologies