The Office for Civil Rights ("OCR") has been promising a second phase of audits since the first phase was completed in early 2012. But this time there is pressure on the OCR to perform. Audits of covered entities and business associates will begin in early 2016. Covered entities and business associates should take proactive steps now to ensure they withstand OCR scrutiny in 2016 and avoid penalties for HIPAA violations.
In September, the Office of Inspector General for the Department of Health and Human Services ("OIG") issued two reports criticizing the OCR for failing to adequately follow up on breaches of protected health information ("PHI") and failing to provide sufficient oversight of compliance with the HIPAA Privacy Standards.
A review was performed of privacy violations from September 2009 to March 2011 to determine how the OCR resolved them and the extent to which corrective action plans were documented. The findings were as follows:
In its report, the OIG issued the following recommendations to the OCR:
The findings were similar regarding follow-up of breaches of PHI. Although all large breaches (involving 500 or more individuals) were investigated, fewer than 2% of reported small breaches were investigated. In 93% of the breaches, the covered entity had violated at least one HIPAA Standard, typically by failing to implement privacy and/or security safeguards for the PHI. Documentation of corrective action plans was incomplete, and the OCR failed to determine prior histories of HIPAA violations.
The OIG Work Plan for fiscal year 2016 includes the new project of determining the adequacy of the OCR’s oversight for the security of electronic PHI. So the OCR is under extreme scrutiny from the OIG to perform.
The OCR Director, Jocelyn Samuels, has repeatedly stated in the past few months that the Phase 2 audits will begin in early 2016. A third-party vendor will conduct the audits that will include both covered entities and business associates. It is projected that 200 desk audits and 24 on-site audits will be completed by the end of 2016. An update to the audit protocol from 2011-2012 has been promised but has yet to be published. However, it is expected to include the HITECH laws and emphasize breach notification, patient access to ePHI, and compliance with other patient rights. When an entity receives an audit request, it will have only 10 business days to respond.
It is also expected that many business associates will be included in the audit. The OCR has identified business associates as one of its top three enforcement priorities in 2016. Business associates are now subject to the same penalties as covered entities, which range from $100 to $1.5 million for identical violations in a calendar year.
The OCR has become more aggressive in imposing penalties for HIPAA violations. The first penalty wasn’t imposed until 2008, and only seven penalties were imposed through 2011. From 2012-2015, twenty-one penalties were imposed ranging from $50,000 to $3.5 million, with seven penalties greater than $1 million. Such penalties are not typically covered by insurance unless a cyber-insurance policy has been purchased that specifically covers these penalties.
For any questions related to preparing for or responding to an OCR audit, please contact any of the authors of this Health Care Client Alert.