HHS HIPAA Audit Requirements

OCR enforcement will find many HIPAA violations among physician practices.

‍Have you been notified yet? Phase 2 of the HHS/OCR audits are happening this year. In addition to the investigations launched by reported breaches, complaints from patients and whistleblowers within healthcare entities, the Office for Civil Rights (OCR) is planning on auditing roughly 350 covered entities during the second half of 2014.

See also: My OCR Audit, and How I Survived‍

According to 2012’s pilot audits, a vast majority of the healthcare industry is not prepared for an inspection of their compliance to HIPAA requirements, especially small physicians. Linda Sanches, an OCR senior adviser, reports that only two of the 64 healthcare providers audited passed without problems.

What are the main HIPAA compliance problems?

‍Of the compliance issues found, 65% were related to HIPAA security rules. Smaller practices struggled with all three HIPAA rules, namely the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule.

The frightening thing is, 50% of small providers were found to be noncompliant in their use and disclosure of PHI because they were simply unaware of HIPAA requirements.‍

See also: Stay Off the HHS Naughty List

Penalties of noncompliance

OCR’s director Leon Rodriguez said that in 2012, the OCR collected $4 million in HIPAA violation settlements, and expected to generate $5.5 million in 2013.

Perhaps you’ve seen the well-publicized HIPAA financial penalty matrix. It explains that fines associated with a patient data breach may be up to $50,000 per HIPAA violation. If you read between the lines you learn that those retrospective HIPAA violation penalties are enacted daily. For example, you could be fined up $750,000 for a single violation that occurred each day during a 15-day period. Fines add up fast, especially considering the HHS has the authority to fine an entity $1.5 million per violation, per year.

Depending on the number of entities in violation, those fines could mean an exponential increase in the number of audits conducted each year.

See also: SecurityMetrics HIPAA Guide

Will I be audited?

There are five main ways your entity could be chosen for a HIPAA compliance audit.

• At random – The OCR is conducting random audits to test the levels of compliance among all entity varieties and sizes.
• HIPAA do-gooders – If a customer believes a covered entity violated his/her (or someone else’s) health information rights, they can file a complaint with the OCR, who then investigates.
• Employee activist – Your own staff could be irritated with the level of unprotected PHI at your office and anonymously contact the OCR to get an investigation initiated.
• Disgruntled ex-employee – Angry ex-employees have been known to file a breach complaint in an attempt to get back at their ex-employer.
• Self-reported breach – Any breach reported to HHS (and it is a requirement to report ALL breaches) will likely trigger an audit.

How to avoid a HIPAA compliance audit

The OCR expects healthcare providers to be actively working on their HIPAA compliance and tests them through audits.

Entities can best prepare for an audit by having an aggressive and fully functional HIPAA compliance program already in place. The key is to show demonstrable progress.

Here is what every healthcare provider is expected to do as per HIPAA requirements.

• Complete a risk analysis – Two-thirds of all pilot-audited covered entities had no complete and accurate risk assessment. A risk analysis evaluates potential risks and vulnerabilities for your entity. Your risk analysis can create a culture of compliance as long as it is a comprehensive and ongoing process.
• Create and implement a risk management plan – Prioritization works by reducing organizational risks to a reasonable level and working through the most grievous offenses first. It’s easiest to think of a risk analysis as the diagnosis of the problem, and the risk management plan as the treatment of that problem.
• Implement a business associate HIPAA compliance program – This may mean revisiting current business associate agreements and following up on each business associate’s PHI actions. A little known fact: covered entities are just as liable if their business associate is found to be in breach of HIPAA requirements.
• Conduct regular HIPAA employee training – Training helps remind employees what they should and shouldn’t be doing with PHI. Create an organized filing of when and where your employees last received employee training.
• Update and implement HIPAA policies and procedures – Policies should outline all ways PHI should be protected in your entity, and should be readily available to all employees for easy reference

Prove yourself with thorough documentation

Don’t forget to document every HIPAA compliance effort as evidence to present to the OCR if your entity is chosen for auditing. Documentation should cover all the extensive efforts you’ve taken to address PHI risks.‍

See also: What Are Addressable HIPAA Requirements?‍

The OCR indicates that 69% of all HIPAA violations of 500 or more patient records are a result of human error. It’s good practice to double-check your HIPAA work by enlisting the help of a third party. Many have HIPAA compliance plans that discover program faults before they are pointed out to you by the OCR.