After waiting with bated breath for almost a year, the day when full-scale HIPAA audits will start is almost here. During a keynote address at the HIPAA Security Conference co-hosted by the HHS Office for Civil Rights and the National Institute of Standards and Technology (“NIST”), OCR Director Jocelyn Samuels revealed that the day when audits will start is getting closer.
One key to the nearing commencement of audits was the announcement that a vendor was hired by OCR to conduct the audits. The vendor is FCi Federal, which will provide support management services. The audits themselves will be within the purview of OCR staff, but expect some assistance from FCi Federal.
In describing the audits, Director Samuels stated that the majority will be remote audits as opposed to site audits. Arguably it would be more favorable to have a site audit. Even though a site audit will likely be disruptive and stressful for the staff involved, at least there would be an opportunity to meet with the auditors face to face and provide a verbal explanation of what the particular organization was doing to comply. With a remote or desk audit, the only thing before the auditor will be the paper (or lack thereof) that an organization has in place to show that it complies with HIPAA. Without knowing the exact protocol for an audit, it is not known whether any written explanation will be requested as well. Regardless, given the choice, would you rather have the ability to explain in person why you implemented a particular aspect of the Security Rule in a particular way, or rely upon an auditor to comprehend any nuances solely from policies or other documentary support?
Additional flavor about the audit process was provided in an interview by Deven McGraw, the new deputy director of health information privacy. As revealed by Deputy Director McGraw, OCR is working on a new audit protocol that will be more focused than the one used in the pilot audits a couple of years ago. In terms of timing, OCR anticipates starting the audits either late this year or in early 2016. While not very specific, it does indicate that organizations still have time, though limited, to get their houses in HIPAA order.
Announcements about audits were not the only news that came out of OCR last week. OCR also announced another settlement that again focused on failure to conduct a risk analysis and to adequately secure media devices. This time Cancer Care Group, P.C. (“CCG”), one of the largest radiation oncology groups in the country, failed to comply with applicable HIPAA requirements. For its non-compliance, CCG is paying $750,000.
As revealed by OCR, CCG notified OCR that an employee’s computer and an unencrypted backup media device were stolen from an employee’s car. The devices combined contained information about approximately 55,000 CCG patients. During its investigation after the reported breach, OCR determined that CCG as a general matter was not in compliance with the Security Rule. At the time of the breach, CCG had not conducted a full-scale risk analysis and did not have any policies in place covering the removal of electronic protected health information. In light of these systemic failures, OCR issued the fine.
The fine and the results by themselves do not necessarily raise any eyebrows. However, when combined with the audit announcement, it serves as one more shot across the bow that a risk analysis must be done and devices must be secured. While it has been said many times that encryption is an addressable element under the Security Rule, organizations must ask whether it can be skipped as a practical matter.
The key from OCR’s recent announcements is to take HIPAA compliance seriously, focus on it now, and prepare for the government to be knocking on the door soon. Do not go it alone, though; seek help when needed and do not keep putting things off. Delay will only lead to more pain later, and it is a matter of when, not if.