How would your organization fare under the 169 audit protocols used to perform the assessments in a HIPAA audit? “High understanding and strong implementation” or “no serious effort taken”?
Health and Human Services’ Office for Civil Rights (OCR) recently released its findings of the Phase 2 HIPAA audits conducted in 2016 and 2017. The audits are required periodically to gauge compliance with the HIPAA rules for safeguarding protected health information and electronic protected health information (PHI/ePHI).
Achievements and weaknesses
Most covered entities rated high in meeting the requirements for breach notification reporting and posting Notices of Privacy Practices (NPPs) to their respective websites.
But the greatest causes for concern are failing to adequately protect PHI/ePHI, to ensure individuals’ right of access, and to post NPPs containing all the required information. According to the report, “Almost all NPPs were missing required content, often related to individual rights.” Even more worrisome, particularly given the rise in cyber-attacks, is that both covered entities and business associates alike struggled to meet HIPAA’s Security Rule requirements specific to risk analysis and risk management initiatives.
Our own Buck HIPAA Readiness Survey, conducted two years after the HIPAA Phase 2 audits ended, almost mirrors OCR’s audit results. In our survey, 42% of the participants (mostly group health plan sponsors) did not know when a risk analysis was conducted or hadn’t conducted one in 5 years.
Although HIPAA’s Guidance on Risk Analysis calls for a periodic risk assessment (bi-annual, every three years, or as needed), HIPAA experts suggest that an annual risk assessment and review of risk management policies and procedures should be adopted as a best practice for HIPAA compliance. Failure to take either of these actions continues to be one of the most common HIPAA violations discovered during breach investigations.
Not going away
The primary takeaway from the HIPAA audit report is that there is opportunity for covered entities and business associates to improve their HIPAA compliance initiatives, and the report offers several resources to help achieve that compliance.
Make no mistake, investigations will continue. Certain waivers were made by OCR for the duration of the pandemic, but only as a temporary measure. Likewise, HIPAA audits are not going away. In fact, HIPAA experts predict they will make a permanent comeback at the end of this year or early in 2022.
What’s more, proposed modifications to HIPAA’s Privacy Rule and a recent amendment to the HITECH Act (affecting certain Security Rule provisions) will add to the compliance complexity confronting covered entities and business associates.
Steps to better compliance
Now is a good time to thoughtfully consider how your organization will fare if audited or investigated by OCR and determine if there’s “room for improvement” in your HIPAA compliance program.
Document your HIPAA policies and procedures – The first step toward HIPAA compliance is to fully document how you will comply with the law’s privacy and security rules in practice. This includes drafting notices such as the Notice of Privacy Practices and breach notification templates, designating privacy and security officers, identifying those with access to this sensitive data, and outlining how you will protect it.
Perform a security risk analysis – Plan sponsors must undertake this exercise to “assess the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.” It involves conducting a thorough inventory of the ePHI your group health plan, as a HIPAA covered entity, creates, maintains, receives, or transmits.
Take action to mitigate identified security gaps – Your security risk assessment may uncover areas of increased risk to ePHI that will need to be remediated or mitigated as far as possible.
Conduct training – Workforce members who interact with PHI must receive training in the proper handling, use, and disclosure of this sensitive information. While the law doesn’t dictate how training should be delivered, it is a good practice to do so in a uniform way, at a regular interval, and to ensure that new employees who will handle PHI receive training at the time of hire.
HIPAA compliance being put to the test
Many of the report’s conclusions provide cautionary tales for all covered entities and business associates to consider, including sponsors of group health plans. With the possibility of HIPAA audits becoming a permanent part of OCR’s enforcement program, now is the time for plan sponsors to revisit the ABCs of HIPAA compliance requirements.
Clear, well-developed, and effectively implemented policies, procedures, and risk analyses are vital and required under HIPAA. The best way to significantly reduce the likelihood of a breach of the rules is to maintain up-to-date policies and procedures and periodically conduct operational reviews to determine that the policies are being followed.