by Daniel J. Solove
Are privacy and security laws being enforced effectively? This is post #5 in a series called Enforcing Privacy and Security Laws.
Under the Health Insurance Portability and Accountability Act (HIPAA), various organizations can be randomly selected to be audited – even if no complaint has been issued against them and even if there has been no privacy incident or breach.
What the audits thus far have revealed is quite alarming. I’ll discuss more on that later.
Auditing Before the HITECH Act
HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Prior to the HITECH Act, auditing was minimal. The Centers for Medicare and Medicaid Services had begun limited actions to ensure covered entities were in compliance, but had not conducted any complete compliance audit by the end of 2009. In 2011, the HHS Office of Inspector General recommended that OCR continue and expand these auditing practices, and was critical of the fact that OCR had discontinued compliance-audit procedures in favor of its traditional complaint-driven approach to enforcement.
Auditing After the HITECH Act
In 2009, the HITECH Act mandated that HHS conduct periodic audits of both covered entities and business associates to ensure that they are complying with the HIPAA Privacy, Security, and Breach Notification Rules.
In 2011, OCR established a pilot audit program to assess the controls and processes that covered entities have implemented to comply with the Privacy, Security, and Breach Notification Rules.
OCR developed an Audit Program Protocol to measure the efforts of the covered entities who were audited. OCR also instituted the Audit Evaluation Program to evaluate the pilot program’s effectiveness.
The pilot began in November and December 2011, when OCR and its contractor, KPMG, notified the first 20 covered entities that they would be subject to an audit.
The Anatomy of an Audit
According to OCR’s procedures for its audit pilot program, every audit includes a site visit wherein “auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report; audit reports generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified.”
Upon receiving notification of an audit, organizations are given 10 days to respond to initial document requests, which can include privacy policies, procedure manuals, training materials, incident response plans, and risk analysis and mitigation plans.
A site visit by OCR takes between 3 and 10 business days and involves 3 to 5 auditors, depending upon the complexity of the organization and the auditors’ ability to access materials and the organization’s staff.
After the site visit, auditors will produce a draft report (usually within 20-30 days) and then provide the covered entity with 10 business days to review and provide written comments.
The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.
For more information on audits, see HHS’s website explaining how the auditing process works.
The First Phase of Audits
The first phase of audits took place during 2011 and 2012.
These audits were carried out by a contractor and involved 115 covered entities. Of the 115 CEs, 47 were health plans, 61 were healthcare providers, and 7 were health care clearinghouses.
No penalties or resolution agreements resulted from any of the pilot audits.
The Most Alarming Fact
So finally . . . here’s the most alarming fact about the audits:
Of the 61 healthcare providers audited, 59 were audited on the HIPAA Security Rule. How many of these 59 had at least one negative finding regarding compliance with the HIPAA Security Rule?
. . .
That’s right – 58!
Under OCR’s pilot audit program, “58 out of 59 health care providers audited had at least one negative finding regarding Security Rule compliance.” That’s more than 98%.
Other Alarming Facts
Two thirds of all audited entities (47 out of 59 providers, 20 out of 35 health plans, and 2 out of 7 clearinghouses) had no complete or accurate risk assessment program.
Of what OCR kindly termed the “findings and observations,” most involved the Security Rule. Of the total pilot audit findings, 60% were based on the Security Rule, 30% on the Privacy Rule, and 10% on the Breach Notification Rule.
Of the Privacy Rule findings, 44% involved uses and disclosures of PHI, 20% the lack of a notice of privacy practices for PHI, 18% administrative requirements, 16% individuals’ access to PHI, and the remaining 2% the right to request protection for PHI.
The Fact that Breaks My Heart
The following fact just breaks my heart . . .
Of the Privacy Rule administrative requirements findings, 26% involved lack of or inadequate training.
Commenting on a recent HHS-NIST conference, Stephanie Willis observes that HHS “officials who spoke at the conference indicated their belief that inadequate workforce training was a key factor in yielding these audit findings.”
Yet Another Very Alarming Fact
There’s another alarming fact about the audits. A slide from a presentation by OCR on the causes of the pilot findings identifies the most common cause as simply this: the entity wasn’t aware of the requirement.
Essentially, the conclusion is that non-compliance wasn’t due to confusion or misunderstanding of the rules. The rules were clear; the entities just didn’t know the requirements existed.
A lot of folks need to take a closer look at HIPAA.
The “other causes” are also alarming. Some of the problems identified were due to “complete disregard.”
My sense is that with these findings, OCR must be thinking that it needs to redouble its enforcement efforts.
The Second Phase of Audits
While no exact start date has been set, the second phase of audits is expected to begin this fall and continue into 2016.
Unlike phase 1, phase 2 will be conducted primarily by OCR staff. Another difference is that phase 2 will likely result in compliance reviews, a type of enforcement tool. Moreover, OCR does not intend phase 2 to include on-site audits.
According to an OCR report, the 2014 audits will focus on covered entities and the following areas: security risk analysis and management, breach notifications, and privacy notices and access issues.
The focus will shift to business associates in 2015, particularly on security risk analysis and management and breach reporting to covered entities.
Later in 2015, covered entities will be audited on device and media controls, transmission security, privacy safeguards, and training.
2016 is projected to be the year when audits will focus on encryption and decryption, facility access controls, and other areas of high risk that were identified during the pilot phase.
The same report projects auditing 350 covered entities and 50 business associates in phase 2, broken down as follows: 100 Privacy Rule audits, 100 Breach Notification Rule audits, and 200 Security Rule audits.
Buckle up . . . this should be interesting!
Analysis and Takeaways
1. Lack of awareness of requirements was the most common cause of Phase 1 findings across all types of entities. It’s time to crack open your dog-eared copy of HIPAA and do some re-reading.
2. Lack of or inadequate training was one of the biggest Privacy Rule findings. There’s an easy fix: Get good training. HIPAA training can be short, practical, and memorable. I create HIPAA training, and I strive to make it fun.
3. Given the findings from phase 1, the likelihood is that OCR will step up its HIPAA enforcement. The findings weren’t pretty, and the conclusions drawn about the causes were largely that HIPAA isn’t being taken seriously enough. Stronger enforcement seems like the only logical response.
* * * *
Enforcing Privacy and Security Laws: Other Posts in this Series
5. The Most Alarming Fact About HIPAA Audits [this post]
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security awareness training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally published on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 860,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter