New Breaches, New Technology and New Audits: Health Care Providers Need to Revisit and Assure HIPAA Compliance

The need for health care providers to review their privacy and security programs cannot be overemphasized, as significant breaches in the health care industry continue to make front page news. The value of information maintained by health care providers, both health information and identifying information such as patient identification numbers, social security numbers, addresses and other information that can easily be used for identity theft, is substantial and has a high value on resale markets. According to the New York Times, "Medical identify theft is on the rise, experts say, because it pays. In black-market auctions, complete patient medical records tend to fetch higher prices than credit card numbers. One security expert said that at one auction a patient medical record sold for $251, while credit card records were selling for 33 cents."

At the same time, the United States Department of Health and Human Services Office of Civil Rights (OCR) is stepping up enforcement and audit efforts, following a September 2015 report of the United States Department of Health and Human Services Office of the Inspector General, recommending that OCR strengthen its oversight of covered entities' compliance with the Privacy Rule. OCR was criticized for its oversight being "primarily reactive" with investigations based on complaints. OCR expressed concerns over OCR's failure to follow-up on corrective actions and its database tracking system. It recommended that OCR: (1) fully implement a permanent audit program; (2) maintain complete documentation of corrective action; (3) develop an efficient method in its case-tracking system to search for and track covered entities; (4) develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and (5) continue to expand outreach and education efforts to covered entities. OCR concurred with all five recommendations.

As such, OCR announced Phase 2 of its HIPAA Audit Program to occur this year. OCR promises to review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. At this point, OCR has stated that the audits will primarily be desk audits, although it stated that some on-site audits would be conducted. OCR stated that an email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees, which will be used with other information to create potential audit subject pools. Ignoring the request for information will not prevent an audit and OCR has stated that it expects entities to be checking junk and spam folders for the e-mail.

OCR has explained that it will choose auditees through random sampling of the developed audit pools. Selected auditees will then be notified of their participation. For those desk audits that are chosen, OCR states that they will complete those audits by the end of December 2016. Another set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than the desk audits. Some desk auditees may be subject to a subsequent onsite audit.

Many providers have feared security compliance over the years, as it has sometimes appeared to be overwhelming and highly technical. In addition, in the ever changing and evolving world of technology, many providers have found it difficult to have their security policies and procedures keep up with changing technology. However, given the number of breaches by health care providers, the risk of successful hacking, the risk of lawsuits, fines and penalties, licensing concerns and the horrific press that befalls providers who are the subject of a breach, it behooves all providers to: 1) audit their own privacy and security policies and procedures internally or through the use of an outside entity familiar with the requirements (note OCR's audit tool is available on its website); 2) ensure appropriate updated training for all staff; and 3) revisit Business Associate Agreement requirements and ensure appropriate agreements are in place.