HIPAA Compliance Rules are Changing and Audits are Headed YOUR Way

The Department of Health and Human Services Office for Civil Rights' (OCR) HIPAA audit protocol lays out procedures for documenting everything, from authentication rules and security risk assessment to policies for employee access to electronic protected health information (ePHI). Each compliance area is keyed to the relevant section of the HIPAA law.

"It's fairly clear. The Office for Civil Rights just wants to make sure providers are aware of all their obligations under HIPAA and are performing the minimum requirements under HIPAA," said Dan Brown, a healthcare lawyer with the firm Taylor English Duma LLP, based in Atlanta.

The HIPAA audit protocol guidelines differ significantly from rules released in 2012 for an earlier pilot round of audits, because they spell out for the first time compliance obligations for business associates, such as billing, transaction processing and medical supply companies.

This HIPAA audit protocol is also the first since the 2013 HIPAA Omnibus Rule, which gave significantly more HIPAA enforcement authority to OCR and expanded patients' rights to their health data.

HIPAA audit protocol widens target

Also, with this HIPAA audit protocol, OCR is "signaling that it will also look at small physician practices, not just the big boys," Brown said.

Brown and other HIPAA experts said many smaller physician practices may not be adequately prepared for HIPAA audits -- or even aware of them -- though most big healthcare systems should be able to navigate them, with little trouble.

However, the OCR protocol takes into account the size and resources of an organization. For example, there is no requirement that providers encrypt ePHI, only that health data is protected from theft, unauthorized access or loss.

Nevertheless, for small physician practices, "It can definitely be overwhelming" to respond to an audit, said Chuck Burbank, CISO at FairWarning Inc., a provider of healthcare information security and consulting services based in Clearwater, Fla.

Burbank noted the new protocol is much longer and more far-reaching than the last one. It also has many apparently overlapping sections, so if an organization is deficient in one area, it could likely fall short in several others as well, Burbank said.

Also, one big challenge organizations of all sizes might confront is being able to quickly provide all required documents, because they may not all be digitized, or even if they are, do not reside in a centralized location.

"If it were me, I'd be trying to pull together all the documents rights now," Burbank, a former information security manager for a physician practice with 400 doctors, said. "OCR has given out all the instructions. It's like an open-book test."

What to expect from HIPAA audits

Experts said the bulk of the protocol deals with ensuring that HIPAA-covered entities have updated policies and procedures for matters such as training, access to ePHI, risk assessment and breach notification, rather than strictly technology issues.

Best Practices for Secure Texting in Healthcare

Also, the audits will focus much more on the risk of compromise of data, rather than risk of harm from data breaches -- the main emphasis of the pilot audits.

"I can have the best perimeter access protection and firewalls, but if employees click on phishing emails, I'm sunk," Burbank said.

"What the OCR is looking for is something they term a culture of compliance," said Michael Brody, HIPAA compliance specialist for Webair Internet Development Inc., a New York-based cloud hosting company. "They want to see that organizations are doing everything reasonable to protect data."

With the April 1 publication of the audit protocol -- the development of which OCR has cited as a reason for delays in this first formal round of audits -- the HIPAA audit process is now underway in earnest. Observers expect 200 to 500 organizations to be audited.

Key areas OCR will be scrutinizing in audits expected to start this year, and likely continue into 2017, include:

• Breach notification procedures. Do organizations have policies and procedures for notifying patients and the public after a breach?
• Protocols for protecting data in the event of a breach.
• Risk assessment. Have providers and other covered entities performed thorough analyses of the risk of data breaches or losses?
• Whether business associates are in compliance with HIPAA. In the pilot audit round, OCR only asked providers for lists of business associate contracts.
• Employee training policies.
• Whether organizations have security officers in place.
• Mechanisms and procedures for promptly providing health data to patients.
• Policies for controlling employee access to ePHI.