Attention Healthcare Providers: Prepare for a random HIPAA audit check!

Updated on July 1, 2024

HIPAA audits are back! The Office for Civil Rights (OCR), the branch of the U.S. Department of Health and Human Services (HHS) that oversees enforcement of HIPAA compliance, announced the return of its HIPAA audit program in response to an exponential rise in cyber-attacks on the healthcare sector.

According to IBM, the average cost of a data breach in the healthcare sector is the highest of any industry, running upwards of $11 million. HHS is insisting that “all providers,” including “technology vendors, and members of the health care ecosystem,” must “double down on cybersecurity, with urgency.”

A brief history of HIPAA audits

The first phase of large-scale HIPAA audits was conducted through 2011 and 2012, after the HITECH Act of 2009 mandated that OCR audit regulated entities. OCR then ran Phase 2 between 2016 and 2017, in which 166 entities were randomly audited (103 on privacy requirements, 63 on security requirements).

In its Phase 2 audit report, OCR highlighted widespread non-compliance among regulated entities: audited entities demonstrated compliance in only two of seven requirements. The report stated that entities struggled in particular to implement HIPAA’s risk analysis and risk management requirements.

Pre-Audit survey to precede Phase 3 audits 

In its recent newsletter, HHS announced that it will send a survey to all covered entities that participated in the Phase 2 audits, to assess the audit program’s efficacy and to gather feedback from audited entities.

What is this survey about?

The OCR survey will give audited entities the opportunity to provide feedback on the previous audit processes, materials and communications, on the utility and usefulness of the online submission portal, and on whether the audit was helpful in improving their compliance posture.

The survey will also ask entities to report on changes implemented in response to the audit report’s findings and recommendations. It will collect feedback on the burden the audit imposes in collecting the related documents and responding to questions and requests, and on the effects the HIPAA program has on day-to-day operations.

In total, the online survey will consist of 39 questions designed to help the OCR gather information and opinions for use in improving future OCR HIPAA audits. The newsletter mentions that the questionnaire will be sent to 207 entities.

Phase 3 audit process and timelines

Although the audit scope, processes and timelines have not been revealed yet, the OCR director has confirmed that random audits will commence in the latter part of the year. While the exact audit processes and protocols are not yet established, a reading of the Phase 2 process makes it clear that Phase 3 candidates will be randomly selected from the pool of pre-audit survey recipients. It is also possible that entities who fail to respond to the audit survey will automatically become audit subjects. Selected auditees will then likely undergo a desk-based audit, after which a smaller group may be selected for a more comprehensive on-site review.

How providers can prepare for Phase 3 audits

The audit announcement is a wake-up call for healthcare institutions, providers, insurers and others: they must ready themselves for a random HIPAA audit (or a survey) sometime in the current year. Here are some recommendations that can help:

1. Review your current state of HIPAA compliance

Organizations should run a full gap analysis of their current state of compliance against the mandated HIPAA requirements. If feasible, run a comprehensive risk assessment and prioritize corrective actions. If you have been audited previously, ensure that you have implemented all the recommendations from the audit report findings.

2. Ensure that appropriate security controls are in place

HIPAA privacy and security rules require regulated organizations to have administrative, technical, and physical safeguards for securing protected health information (PHI). Ensure your organization is adhering to these mandatory HIPAA guidelines and requirements.

3. Undertake a review of business associates

In the Phase 2 audits, strict requirements were imposed on business associates, including vendors, suppliers and partners, that handle Protected Health Information (PHI) or Electronic Protected Health Information (ePHI). It is critical to prepare a comprehensive list of all such associates and to establish contractual agreements that hold each party accountable for protecting PHI. Additionally, verify that these associates log and retain records of all activities involving PHI and encrypt data in transit and at rest, among other requirements.

4. Focus on policies and procedures

OCR will likely ask you to document a formal, well-thought-out HIPAA program. Ensure that your security and privacy policies accurately reflect your practices, and invest in training and communicating these policies and procedures to your workforce. There are also breach notification requirements that entities must adhere to at all times.

The above is by no means an exhaustive list of recommendations — Phase 3 guidelines are yet to be announced. What we do know is that OCR will rekindle the HIPAA Audit Program. If you receive a pre-audit survey from OCR, treat it as mandatory; a non-response may be viewed as a red flag.

If you need help complying with HIPAA requirements or conducting a pilot assessment to determine your compliance level, Towerwall is at your service. Team Towerwall is well-versed with HIPAA requirements and has helped several of our clients through HIPAA audits and surveys.

Michelle Drolet
CEO at Towerwall

Michelle Drolet is CEO of Towerwall, a pure-play cybersecurity consulting firm offering security and compliance services with clients such as Foundation Medicine, Boston College, and UMass Medical Center. Founded in 1999 in Framingham, MA, Towerwall focuses exclusively on providing organizations with customized cybersecurity programs.

Contact [email protected]. Tel. (774) 204-0700.

X (Twitter) @towerwall.