“The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.”
-Leon Rodriguez, Director of the Office for Civil Rights of the Department of Health and Human Services
When the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) auditor drops by your health facility to check if you are HIPAA (Health Information Portability and Accountability Act of 1996) compliant, one thing is for certain: he will be asking for evidence of a Risk Assessment. Do you have one? Has it been used? Have you designated a Privacy Officer? A Security Officer? Has your facility developed and implemented appropriate policies and procedures to protect patient confidentiality and mitigate the risk of an unauthorized disclosure?
Audits Are Here To Stay
For a long time, Congress complained that HIPAA was all bark and no bite. In an effort to create real enforcement mechanisms, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was passed in 2009. HITECH mandates that the OCR conduct periodic audits of covered entities and their business associates (“BAs”). In 2011, a pilot audit program was established by OCR to assess the controls and processes covered entities implemented to comply with the HIPAA Privacy, Security, and Breach Notification Rules. The pilot program ended in 2012, but the audits are far from over. The agency is now working to complete its assessment of the pilot, announce findings and establish a permanent program. The program is tentatively set for Fiscal Year 2014, which begins on Oct. 1, 2013.
Not only are audits here to stay, they will no doubt become more stringent and extensive. In 2012, the OCR published the 169 protocols they relied on for their audits. However, these protocols are subject to change and expansion. Take, for example, the long-awaited HIPAA Omnibus Rule. Released in January 2013, the rule has a compliance deadline of September 23, 2013. The rule consolidates a myriad of procedural and policy changes mandated by the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. It can be quite overwhelming for providers who are not already closely familiar with existing HIPAA Rules and HITECH, because it will require that nearly all covered entities update their privacy policies and security programs. Once audits resume in the fall of 2013, OCR auditors will be checking for compliance with the Omnibus Rule’s regulations.
The Stakes Are High
You may think that even if you are subject to an audit, the penalty will be a slap on the wrist. Think again. The maximum penalty for a HIPAA violation is now $1.5 million. In 2011, for example, the UCLA Health System paid $865,000 in a settlement for allowing unauthorized access to personal health information (“PHI”).
Maybe you are too small of a provider to be the target of an audit? Think again, again. In April 2012, Phoenix Cardiac Surgery – a four-physician practice based in Arizona – entered into a $100,000 settlement with HHS following an investigation of alleged breaches of the HIPAA Privacy and Security Rules.
Okay, so what if the breach is a minor one? In January of 2013, Hospice of North Idaho agreed to pay HHS $50,000 to settle potential HIPAA violations stemming from a 2010 incident involving a stolen, unencrypted laptop. This was the first HIPAA settlement involving an electronic PHI breach that affected fewer than 500 people.
But wait, you are a business associate, and enforcement actions are not really instituted against BAs, right? Wrong. In 2012, the first enforcement action against a BA was filed by the Minnesota State Attorney General. The suit was against Accretive Health, Inc., a company which assumed managerial responsibilities for hospital employees, for several HIPAA violations. A good Business Associate Agreement includes, among other things, detailed duties and responsibilities to ensure that only the minimum necessary PHI is used by the BA in performing its contracted service, that it is kept secure, and that in the event of a breach, the BA takes proper steps to notify affected parties and mitigate the risks of re-disclosure and damage.
It appears that no one can hide from the OCR any longer. And if a covered entity is non-compliant with HIPAA, the consequences are very real.
Risk Assessments Are Not Optional
A HIPAA risk assessment is a thorough investigation and analysis of areas where there is potential risk of violating HIPAA laws. A risk assessment is not optional and it is not just a checklist. Covered entities and business associates are required to have an assessment done. Specifically, entities must:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
An assessment should include questions addressing Administrative, Physical, and Technical Safeguards, and the Breach Notification Rule. An OCR audit visit may include interviews with organizational leaders, checks of physical controls (such as the storage area of PHI), inspections of wireless networks and software, and review of response procedures. Risk assessments must consider all these things in advance, from a stolen laptop to damaging flood water, so as to be prepared for any event and any audit.
Many assessments are created in the form of a table and not only analyze the level of the risk, but also whether there is a policy in place and who should be responsible for ensuring each provision is implemented.
Risk Assessments Are Just the Beginning
Assessing risks is only the first step. Facilities must use the results of a risk assessment to develop and implement appropriate policies and procedures to prevent and respond to unauthorized disclosures of protected patient information. A Privacy Officer and Security Officer should be appointed for effective oversight of a facility’s privacy protection program. This includes, but is not limited to, employee training and retraining and administering a system where privacy concerns and breaches may be reported anonymously and responded to immediately.
You cannot turn an OCR auditor away when he is at your door, so make sure that his visit is a pleasant one by being prepared with a thorough risk assessment.
Molly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at firstname.lastname@example.org or at (859) 231-8780.
This article is intended as a summary of state law and does not constitute legal advice.