The Auditors Are Coming, The Auditors Are Coming!!

After waiting with bated breath for almost a year, the day when full scale HIPAA audits will start is almost here.  During a keynote address at the HIPAA Security Conference co-hosted by the HHS Office for Civil Rights and the National Institute of Standards and Technology (“NIST”), OCR Director Jocelyn Samuels revealed that the day when audits will start is getting closer.

One key to the nearing commencement of audits was the announcement that a vendor was hired by OCR to conduct the audits.  The vendor is FCi Federal, which will provide support management services.  The audits themselves will be within the purview of OCR staff, but expect some assistance from FCi Federal.

In describing the audits, Director Samuels stated that the majority will be remote audits as opposed to site audits.  Arguably it would be more favorable to have a site audit.  Even though a site audit will likely be disruptive and stressful for the staff involved, at least there would be an opportunity to meet with the auditors face to face and provide a verbal explanation of what the particular organization was doing to comply.  With a remote or desk audit, the only thing before the auditor will be the paper (or lack thereof) that an organization has in place to show that it complies with HIPAA.  Without knowing the exact protocol for an audit, it is not known whether any written explanation will be requested as well.  Regardless, given the choice, would you rather have the ability to explain in person why you implemented a particular aspect of the Security Rule in a particular way, or rely upon an auditor to comprehend any nuances solely from policies or other documentary support?

Additional flavor about the audit process was provided in an interview by Deven McGraw, the new deputy director of health information privacy.  As revealed by Deputy Director McGraw, OCR is working on a new audit protocol that will be more focused than the one used in the pilot audits a couple of years ago.  In terms of timing, OCR anticipates starting the audits either late this year or in early 2016.  While not very specific, it does indicate that organizations still have time, though limited, to bring their houses in HIPAA order.

Announcements about audits were not the only news that came out of OCR last week.  OCR also announced another settlement that again focused on failure to conduct a risk analysis and to adequately secure media devices.  This time Cancer Care Group, P.C. (“CCG”), one of the largest radiation oncology groups in the country, failed to comply with applicable HIPAA requirements.  For its non-compliance, CCG is paying $750,000.

As revealed by OCR, CCG notified OCR that an employee’s computer and unencrypted backup media device were stolen from an employee’s car.  The devices combined contained information about approximately 55,000 CCG patients.  During its investigation after the reported breach, OCR determined that CCG as a general matter was not in compliance with the Security Rule.  At the time of the breach, CCG had not conducted a full scale risk analysis and did not have any policies in place covering the removal of electronic protected health information.  In light of these systemic failures, OCR issued the fine.

The fine and the results by themselves do not necessarily raise any eyebrows.  However, when combined with the audit announcement, it just serves as one more shot across the bow that a risk analysis must be done and devices must be secured.  While it has been said many times that encryption is an addressable element under the Security Rule, organizations must ask whether it can be skipped as a practical matter.

The key from OCR’s recent announcements is to take HIPAA compliance seriously, focus on it now, and prepare for the government to be knocking on the door soon.  Do not go it alone, though: seek help when needed and do not keep putting things off.  Delay will only lead to more pain later, and it is a matter of when, not if.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.