It’s been almost 15 years since Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which provides national standards to protect the privacy of U.S. citizens’ personal health information. While most healthcare facilities and physician practices are doing their best to keep patient health data private and secure, the harsh reality is that many are in violation of one or more HIPAA regulations. Robert Tennant is a senior policy adviser at the Medical Group Management Association who studies the effects of emerging technology like smart phones and EMRs on HIPAA compliance. “I would say a significant number [of practices] are at risk [of a HIPAA violation]…technology is ever more in use in practices and with the use of technology I think the risk of a breach increases dramatically.”
While the Office of Civil Rights (OCR) – the government entity responsible for enforcing HIPAA compliance – has in the past been criticized for not policing standards vigorously enough, there is recent news that the tide will turn in 2016. The OCR has announced that it will audit approximately 400 entities for the most common compliance failures and assess their level of security breach defense. And for the first time ever, organizations will also be assessed on their historical efforts to achieve compliance – not just their current state of play.
Financial penalties are being issued with increasing frequency and the message from the OCR is now clear; HIPAA Privacy and Security Rules are being strictly enforced and there are no longer any excuses for non-compliance.
The OCR audit team will soon be sending out emails to Covered Entities requesting various documents, such as your last HIPAA Security Risk Analysis and a list of your Business Associate Agreements, to name a few. The emails might erroneously end up in your spam folder and if so, OCR will still expect you to respond. The information gathered during this initial outreach will determine who the OCR will audit and will help them identify gaps in breach notification and Privacy Practices. They will use the audit results to create tools to address the gaps in HIPAA compliance that they find. Neglecting to respond to the audit requests will not prevent a covered entity from being audited. OCR will use public records and other methods to find and contact organizations, if they do not receive a response. Responses are expected within ten days via a secure portal for document upload.
Covered entities are required to have a yearly HIPAA Security Risk Analysis or Review; keep this handy and remediate all HIGH risks as soon as possible. Eliminating the MEDIUM and LOW risks in a scheduled timetable is advisable. As this is a requirement for Meaningful Use, this should be easy for most eligible providers and eligible hospitals that have been attesting to the CMS Incentive Programs. And finally, add the following email to your email contact list to prevent audit requests from landing in your spam folder: OSOCRAudit@hhs.gov.