Guest post by Jay Hodes, president, Colington Consulting.
A little more than a year ago the former Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Leon Rodriquez, referred to covered entities that did not realize they have business associate relationships in place. He went on to say that some business associates did not know that they were actually business associates. Rodriquez stressed it was both the responsibility of the covered entity and the business associate to understand this relationship does exist.
Regarding ramped up HIPAA enforcement and compliance, Rodriquez indicated future audits will be narrower in scope and include more organizations than ever before. Covered entities and their business associates also will be audited under the new permanent program, and audits will focus on vulnerabilities that could change year to year as new issues arise. This appeared to be the start of an intended awareness program and fair warning.
With Rodriquez’s departure to Homeland Security in June, it seemed like the task of continuing the drum beat message of ramped up HIPAA enforcement fell to Linda Sanches.
Sanches is OCR’s senior health information privacy advisor. In that position, she oversees the HIPAA security and breach notifications audit program and may know a thing or two about the direction OCR wants to take with future audits. Sanches recently spoke at the Health Information and Management Systems Society (HIMSS) Privacy and Security Forum. However, she did not provide any striking revelations or critical insights about these new audits, just more of what the industry seems to know already, that these audits are coming.
Much like Rodriquez did in the past, Sanches spoke more in generalities than specifics. She indicated OCR was looking at a broader view of the entire healthcare industry as possible criteria for selection of who would be targeted for an audit. Using the National Provider Identifier (NPI) database is a method being considered to select entities like hospitals, practices and dental providers for audits.
Large and small providers with random geographic locations will be part of the selection formula. Dental providers were specifically mentioned, a concern since smaller dental practices historically have struggled to meet their compliance requirements because of lack of understanding the regulations.
I recently attended the HHS – NIST (National Institute for Standards and Technology) HIPAA Security Conference in Washington, D.C. There was an impressive array of speakers and plenary sessions. The anticipation, from a number of attendees I spoke with, was after two days there would be a clear vision about the future of HIPAA enforcement. Well, that was just not the case.
One of the speakers in the know was the new OCR Director Jocelyn Samuels who was confirmed by the Senate in late June. Regrettably, she did not provide additional specifics about what the government is looking for during an audit or review. It was more of the same rhetoric of the obvious: Healthcare providers and business associates must do a better job with their HIPAA risk assessments and supporting documentation. Samuels said those tasked with compliance responsibilities must be proactive in addressing these requirements.
Sanches was part of a panel discussion on the first day of the conference that focused on Executive Order 13636, which addresses the government’s overall efforts to improve critical infrastructure cybersecurity. According to the statistics, only 8 percent of healthcare data breaches are cyber-attacks; 47 percent are the results of theft. In keeping with the theme, Sanches said providers must do a better job in conducting risk assessments. A good assessment balances IT related safeguards with physical security and administrative requirements.
The last speaker at the conference was Iliana Peters, an OCR Senior Advisor for HIPAA compliance and enforcement. I had high expectations, but Peters provided just more of the same generalities. The one takeaway I gleaned came when Peters indicated that the first document OCR would ask for during an onsite compliance review was the HIPAA risk assessment. She went on to say that “documentation is key,” but gave no insight as to what is critically important besides the risk assessment.
As a former Assistant Inspector General for Investigations at HHS, I was involved in many operational aspects for the Healthcare Fraud Prevention and Enforcement Action Team (HEAT) initiative. I had hands-on experience running a nationwide healthcare fraud enforcement operation. Now, as a HIPAA consultant on the other side of the enforcement table, and as someone assisting healthcare clients and business associates with compliance requirements, I am continuously trying to interpret what the government is looking for. I guess it was naïve of me to think I was going to get new, useful information about the future of enforcement after two days at this conference. As one attendee told me, “I wanted to walk out of here with 18 to 20 items I can use to help my clients.” He said he left with nothing new and the conference was a total waste of his time and travel expense.
But what I did hear at the conference is similar to advice I give to all clients — make sure you have an up-to-date HIPAA risk assessment and risk management plan. Go on the offensive, be prepared and maintain current policies and best practices when it comes to required security safeguards. Make sure you have a robust sanction policy and process.
The reality is, OCR wants to ramp up enforcement efforts either through desk audits or onsite compliance reviews. Their enforcement priority will continue to be those covered entities or business associates who experience a breach of electronic health records. With the number of healthcare data breaches growing every year, OCR will need to be proactive in their efforts. Congress will mandate it, but more importantly, patients will demand trust in safeguarding their electronic health information.
Being compliant is the best way to sleep at night and not be concerned if you are subject to a random audit or a compliance review. The longer OCR keeps kicking the can down the road when it comes to enforcement, the more time it gives you to review, update and be prepared if the notification comes that you were selected for a compliance review or an audit.
As Sanches said, “Everyone is going to have a breach.” It is just a matter of when.