The second phase of HIPAA (Health Insurance Portability and Accountability Act) audits by OCR (the U.S. Department of Health and Human Services Office for Civil Rights) is beginning. The HITECH (Health Information Technology for Economic and Clinical Health) Act, passed in 2009, expanded and modified many of the original HIPAA requirements for the privacy and security of PHI (protected health information). As part of this update, HITECH required that OCR establish a program to periodically audit compliance with the HIPAA privacy, security and breach notification rules.
The program was launched with pilot audits in 2011 and 2012, and to date OCR has reviewed 115 covered entities for compliance. Having evaluated the success of its review mechanisms, OCR will expand the audit protocol in the upcoming second phase to cover both covered entities and their business associates. Under the HIPAA standards, covered entities include health care clearinghouses that process and reformat health information, health care providers that transmit PHI, and health plans—including individual health plans, employer-sponsored group health plans, health insurers and health maintenance organizations.
Individuals, organizations and agencies that meet the definition of a covered entity will now be audited to ensure that they comply with the requirements to protect the privacy and security of health information, and that they provide individuals with certain rights with regard to their health information. The audit protocol includes a set of procedures for documenting everything that will be subject to review—from authentication rules and security risk assessments to policies for employee access to PHI.
The OCR will be scrutinizing a few key areas in the second phase of audits, which will likely continue into 2017. These key areas include:
Breach Protocols: Does the organization have protocols in place for protecting data in the event of a breach? Is there a set policy or procedure for notifying patients, and the general public, after a breach? Organizations should take a good look at their current breach notification policies to ensure that they accurately reflect the content and deadline requirements for notification under the HIPAA standards.
Risk Assessments: Have health providers and other covered entities performed a thorough analysis of their data breach and data loss risks? Is there a security officer in place to reduce risk? If a comprehensive risk and vulnerability assessment has not been completed recently, organizations should initiate a risk review. The results of this risk assessment should be used to create a robust risk management program that covers all necessary action items and outlines a reasonable timeline for completion.
Organizational Processes and Practices: Are there training policies that cover PHI compliance requirements? Does the organization have policies in place for controlling and limiting employee access to PHI? All covered entities should confirm that the required HIPAA privacy and security policies are in place and up to date, and that procedures are in place to safeguard all PHI—verbal, paper and electronic. Employee training should be documented, and an inventory of all information system assets, including mobile devices and bring-your-own devices, should be maintained in order to track potential breach opportunities.
All organizations that fall under the HIPAA covered entity designation should be ready to answer these questions. With some forward thinking, these organizations will be better prepared in case of a phase two audit. In addition, these careful reviews will go a long way toward ensuring that vital health information is protected and safeguarded.
Is your organization prepared for a potential phase two HIPAA audit? If not, what are your areas of biggest concern?