As security breaches rise, and the US government takes stronger positions on cybersecurity, it is timely that the Office of Civil Rights at the U.S. Department of Health and Human Services reported findings of their audit of Peachstate, a clinical laboratory. Peachstate was saddled with a fine of $25,000 and the brand impact of public disclosure of their non-compliance. It is important to remember, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services may audit and fine organizations for failure to comply with HIPAA Regulations. Here is what you need to know.
Background of Phase Two of the HIPAA Audit Program
According to the Health and Human Services website, hhs.gov, HIPAA established important national standards for the privacy and security of protected health information and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk in 2009. HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented. OCR conducted an extensive evaluation of the effectiveness of the pilot program. Based on that experience, OCR implemented Phase Two in 2016. This which will audit both covered entities and business associates meet selected stands and implementations of the Privacy, Security, and Breach notification rules.
The most significant change Phase 2 Audit Program is the chance of OCR contact and audit without a previously lodged complaint. These audits will consist of what is known as “desk” audits and on-site audits, therefore expanding the types of audits organizations may undergo.
What Happens During a OCR HIPAA Audit
As mentioned above, the audits consist of “desk” audits and on-site audits. A comprehensive audit protocol that reflects the Omnibus Final Rule is used and can be found publicly here on the hhs.gov website.
Consequences of an OCR HIPAA Audit
According to HHS.gov website, these audits are meant primarily as a compliance improvement activity with the results providing the OCR better understanding of compliance efforts. That said, if an audit report indicates a serious compliance issue, OCR may initiate a compliance review, which could include OCR coming onsite and threat of significant fines.
In the case of Peachstate Health Management, LLC, the OCR initiated a compliance review in 2017 to determine its compliance with the HIPAA Privacy and Security Rules and subsequently found systemic noncompliance. OCR determined Peachstate failed to conduct an enterprise-wise risk analysis, implement management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedure. Peachstate agreed to pay $25,000 in fines and to implement a “robust corrective action plan” which includes three years of monitoring, to settle potential violations of HIPAA.
Peachstate, along with the $25,000 fine, agreed to a “robust corrective action plan” which includes three years of monitoring.
How to Ensure You HIPAA Compliance
1. Formal and implemented policies and procedures;
2. Documented evidence of required tasks being performed (e.g., access reviews);
3. Current and recorded HIPAA and Information Security training for all appropriate staff; and
4. Annual risk analysis and other technical and non-technical evaluations of the environment.
Working with an experienced HIPAA consultant like Myna Partners can help you avoid audit violations and fines potentially even more expensive than this one. When choosing a vendor, make sure the consultant has expertise in HIPAA compliance specifically.
