HIPAA Audits: Be Prepared
As privacy requirements become more stringent, so should your compliance plan.
By Jennifer Swindle, RHIT, CPC, CPMA, CEMC, CFPC, CCS-P, CDIP
Healthcare audits come in many types, identified by a dizzying array of acronyms—including CERT, RAD-V, RAC, and ZPIC. Also very real, very present, and on the increase are Health Insurance Portability and Accountability Act (HIPAA) audits.
The American Recovery and Reinvestment Act of 2009 requires periodic audits to ensure covered entities are compliant with HIPAA Privacy and Security Rules. The initial pilot program—kicked off in late 2011 by the Office for Civil Rights (OCR), which has oversight responsibility for HIPAA—was to include audits of 115 covered entities. HIPAA audits have since expanded, and are now mandatory as a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HIPAA Is Everyone’s Responsibility
All healthcare providers, hospitals, facilities, and business associates are covered entities under HIPAA and have a role in the handling of protected health information (PHI). Healthcare reform has reinforced HIPAA requirements. Make no mistake: Using stepped-up enforcement, the OCR plans to ensure adherence to the Privacy and Security Rules.
Significant dollars have been recovered in settlements over HIPAA violations. Here are some notable examples:
The University of California, Los Angeles, was ordered to pay $865,000 for allowing unauthorized access to PHI.
- Cignet Health paid $4.3 million for refusing patients’ access to their medical records.
- Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million to settle a potential security breach of PHI belonging to more than 1 million individuals.
- Massachusetts Eye and Ear Infirmary (MEEI) agreed to pay $1.5 million to settle allegations that the Harvard Medical School affiliate knowingly failed to take necessary steps to comply with HIPAA requirements, such as adopting and implementing policies and procedures to address security incident identification, reporting, and response.
- A small hospice in North Dakota paid a $50,000 settlement, becoming the first entity to pay a settlement for PHI breach involving fewer than 500 individuals.
Areas of Interest
The HITECH Act audit protocol is organized around elements of security, privacy, and breach notification. Privacy audit protocol includes notice of privacy practices, rights to request privacy protection for PHI, access to PHI, uses and disclosures of PHI, requests for amendments of PHI, administrative requirements, and accounting of all disclosures. Security Rule requirements allow for physical, technical, and administrative safeguards. The combination of elements may vary based on specific audits and findings, or the type of entity.
Frequently investigated issues include impermissible uses, lack of safeguards, lack of patient access to information, and disclosure of more than the minimum necessary information. One of the largest risk areas is lack of encryption, which includes multiple areas of risk including unencrypted emails containing PHI, data published on websites, remote access sessions, and data stored on mobile devices.
The Breach Notification Rule is also covered. The final Breach Notification Rule was modified slightly; however, a breach is presumed unless the PHI was unusable, unreadable, or indecipherable, which all goes back to the need for encryption. Fines and penalties for “willful neglect” can be extensive.
No Time to Waste!
The final omnibus rule under HIPAA was published Jan. 25, 2013. All organizations must review HIPAA-related policies and procedures, and make necessary changes to be compliant with the updated final rule by Sept. 25, 2013. The U.S Department of Health & Human Services (HHS) provided an additional one-year transition period to modify certain business associate agreements (BAAs): Organizations may operate under the current agreement as long as it was in effect prior to Jan. 25, 2013 and was compliant with the old standards.
View the final rule.
Prepare Through Internal Audits
The best way to deal with HIPAA audits is to be prepared for them, and the best way to do that is to perform and document internal audits. At a minimum, your practice should conduct an annual risk assessment.
The Office of Inspector General (OIG) has identified 124 high-impact vulnerabilities (which place PHI at a higher risk for unauthorized access), based on the findings of the pilot HIPAA audit program for security controls. These areas were categorized into administrative, physical, and technical issues in the Security Rule; and were considered based on cost, potential significant harm, and risk to quality of care.
As you assess your risk, consider the OCR’s protocols. The list that follows is not exhaustive, but it gives you a place to begin:
Are written policies and procedures updated and compliant? Are policies and procedures accessible by all staff? What is the review mechanism to ensure staffs are aware of changes?
Is there a written compliance plan and/or risk assessment plan? Are staffs aware of the compliance plan? Is the compliance plan adhered to and vetted for effectiveness? Are compliance logs maintained of all reported problems and tracked to resolution?
Are there employee training materials? Have staffs participated in employee training? How often is training maintained? Are training logs kept?
What are the policies for mobile devices? What is the encryption policy and encryption technology accessibility? Stolen laptops, tablet computers, and smart phones account for many security breaches; policies around accessibility and encryption in this area are highly important. Internal controls to prevent data breaches should be well vetted to ensure they work.
Are you periodically reviewing access rights of existing employees? Are there safeguards in place for terminating access to employees who leave?
How do you identify business associates, and what kind of agreements are in place? Review all business associate agreements (BAAs) and make sure they are updated to meet the needs of compliance, based on healthcare reform.
The big change is the definition of who must be recognized as a business associate. Vendors requiring routine access must be considered a business associate. If a vendor or subcontractor has a persistent opportunity to access data, rather than a transient opportunity, BAAs must be obtained. Entities that act as conduits for PHI are not business associates, but the change in the rule stresses that this exception is very narrow.
The content of BAAs require:
- Covered entities to comply with the Privacy Rule that are applicable
- Covered entities to comply with the Security Rule in all dealings of PHI
- Covered entities to ensure subcontractors enter into a contract to protect the security of PHI
- Covered entities to mandate that business associates follow the Breach Notification Rule in the incidence of security incidents
For more information on BAA requirements see the article “Redefined Business Associate Agreements Create Concern,” featured in AAPC Cutting Edge, August 2013, pages 49-53.
Compliance Isn’t About Paperwork
HIPAA Privacy and Security Rules, and the safeguards necessary to maintain compliance, establish standards that affect everyone. Safeguards must be assessed internally for ongoing and continuous adherence and risk assessments. It isn’t enough to make sure all the right paperwork is in place. A well-written, comprehensive compliance program with binders of policies and procedures collecting dust on a shelf does not support compliance and adherence. It’s necessary to review, educate, track, monitor, and maintain findings.
All leadership and staffs need to buy in to the program and understand their role—not only in adhering to the needs of HIPAA, but also in assisting with enforcement. HIPAA and compliance are the responsibility of all within the organization; and everyone in the organization has the responsibility to report a verified or suspected violation.
Jennifer Swindle, RHIT, CPC, CPMA, CEMC, CFPC, CCS-P, CDIP, is vice president of coding and compliance with Salud Healthcare Solutions. She is a member of the Indianapolis, Ind., local chapter.