The HIPAA Audit Program
Anna C. Watterson
Davis Wright Tremaine LLP

The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA[1] compliance with the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009.[2] Within HHS, the Office for Civil Rights (OCR) is responsible for administering and enforcing HIPAA.[3] In response to the HITECH audit mandate, OCR began a pilot audit program in 2010 and used a contractor to conduct 115 pilot audits of covered entities in 2011 and 2012.[4] While OCR found widespread compliance issues in the pilot audits, OCR has not indicated an intention to seek enforcement action against those covered entities. Following the pilot audits, OCR engaged a different contractor to evaluate the pilot audit program and provide recommendations for the program going forward.[5] In the spring of 2014, an OCR official released information about the evaluation recommendations and made announcements about the audit program for 2014 through 2016.[6] Unlike the pilot audits, OCR will conduct future audits using internal staff.[7] OCR also announced plans to begin auditing business associates in 2015.[8] OCR indicated that it will select business associates by having covered entities identify their business associates.[9] OCR confirmed that covered entities will be selected for the next round of audits using random selection within certain types or categories.[10] OCR has indicated that it intends to audit a wide range of types of covered entities, including group health plans, physicians and group practices, behavioral health, dental, hospitals, and laboratories.[11]

This paper provides an overview of the pilot audit program, a summary of OCR's projections for the next round of audits, and materials to assist in preparing for a HIPAA audit, including checklists for the Privacy, Security, and Breach Notification Rules.

OVERVIEW OF THE PILOT AUDIT PROGRAM

The pilot audit program was a multi-step process conducted from 2010 to 2013 that included an initial study, identification of covered entities, development of an audit protocol, conducting the audits, and an evaluation of the program.[12] OCR selected an initial twenty covered entities for test audits in late 2011.[13] These were followed by audits of an additional ninety-five covered entities, which concluded in December 2012.[14] The pilot audits were all onsite audits and evaluated covered entities' compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Covered entities generally had between thirty and ninety days after the initial notification before the audit began.[15] OCR describes the pilot audits as a "compliance improvement activity,"[16] but notes that an audit that reveals serious compliance issues could be referred for enforcement.[17]

OCR's covered entity selection for the pilot audits was designed to capture covered entities of a variety of sizes and types, as demonstrated in Figures 1 and 2 below. From the initial covered entity pool, OCR used specific criteria to select the covered entities to be audited.[18] These criteria included, but were not limited to, whether the covered entity was a public or private entity; the entity's size, based on revenue and assets, number of patients, and number of employees; use of health information technology; the entity's affiliation with other health care organizations; geographic location; and the type of entity and its relationship to patient care.[19]

OCR classified all covered entities into four groups, as shown in Figure 1. Level 1 entities were the largest providers and health plans, with more than $1 billion in revenue and/or assets. Level 2 entities included large regional hospital systems (with three to ten hospitals per region) and regional insurance companies; these entities had $300 million to $1 billion in revenue and/or assets. Level 3 entities included community hospitals, outpatient surgery facilities, regional pharmacies, and self-insured entities, all with $50 million to $300 million in revenue. Small providers (practices with ten to fifty providers, and community or rural pharmacies, for example) fell within Level 4; these entities had less than $50 million in revenue. The categorization of covered entities into these levels allowed OCR to ensure the pilot audits looked at a variety of types and sizes of covered entities. Figure 2 illustrates the number of entities selected in the pilot audit program by both type (health plans, health care providers, and health care clearinghouses) and size.

Figure 1: Breakdown of Auditees[20]

Figure 2: Auditees by Type and Size[21]

SCOPE OF THE PILOT AUDITS

OCR's pilot audits, while comprehensive, did not evaluate all provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The pilot audits evaluated covered entities' compliance with the following provisions:[22]

HIPAA Privacy Rule Provisions Evaluated in the Pilot Audits

- Notice of Privacy Practices - 45 C.F.R. § 164.520
  - Notice of Privacy Practices
  - Provision of Notice: Health Plans
  - Provision of Notice: Certain Covered Health Care Providers
  - Provision of Notice: Electronic Notice
  - Joint Notice by Separate Covered Entities
- Right to Request Privacy Protection for PHI - 45 C.F.R. § 164.522
  - Confidential Communication Requirements
- Access of Individuals to PHI - 45 C.F.R. § 164.524
  - Right to Access
  - Review of Denial of Access
- Administrative Requirements - 45 C.F.R. § 164.530
  - Privacy Training
  - Complaints to the Covered Entity
  - Sanctions of Workforce Regarding Failure to Comply with the Privacy Policies and Procedures
  - Policies and Procedures
- Uses and Disclosures of PHI: General Rules - 45 C.F.R. § 164.502
  - Deceased Individuals
  - Personal Representatives
- Uses and Disclosures: Organizational Requirements - 45 C.F.R. § 164.504
  - Business Associate Contracts
  - Requirements for Group Health Plans
- Uses and Disclosures to Carry Out Treatment, Payment, or Health Care Operations - 45 C.F.R. § 164.506
  - Permitted Uses and Disclosures
- Uses and Disclosures for which an Authorization is Required - 45 C.F.R. § 164.508
  - Obtaining Authorization as Required for Internal Use and Disclosure of PHI
  - Authorization for Use or Disclosure - Required
- Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object - 45 C.F.R. § 164.510
  - Limited Uses and Disclosures when the Individual is Not Present
- Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required - 45 C.F.R. § 164.512
  - Disclosures for Judicial and Administrative Proceedings
  - Uses and Disclosures for Research Purposes
- Other Requirements Relating to Uses and Disclosures of PHI - 45 C.F.R. § 164.514
  - Re-Identification
  - Minimum Necessary Uses of PHI
  - Minimum Necessary Disclosures of PHI
  - Uses and Disclosures for Fundraising
  - Uses and Disclosures for Underwriting and Related Purposes
  - Verification of the Identity of Those Requesting PHI

HIPAA Breach Notification Rule Provisions Evaluated in the Pilot Audits

- Notification to Individuals - 45 C.F.R. § 164.404
  - Notification to Individuals
  - Timeliness of Notification
  - Methods of Individual Notification
- Burden of Proof - 45 C.F.R. § 164.414

HIPAA Security Rule Provisions Evaluated in the Pilot Audits

- Administrative Safeguards - 45 C.F.R. § 164.308
  - Risk Analysis
  - Policies and Procedures for Authorizing Access
  - Policies and Procedures for Access Establishment and Modification
  - Development and Implementation of Procedures to Respond to and Report Security Incidents
  - Contingency Planning Policy
- Physical Safeguards - 45 C.F.R. § 164.310
  - Identification of Methods of Physical Access to Workstations
  - Implementation of Methods for Final Disposal of ePHI
  - Accountability for Hardware and Electronic Media
  - Data Backup and Storage Procedures
- Technical Safeguards - 45 C.F.R. § 164.312
  - Encryption and Decryption
  - Determination of Activities that Will be Tracked or Audited
  - Implementation of Audit/System Activity Review Process
  - Identification of All Users Authorized to Access ePHI
  - Mechanism to Authenticate ePHI

RESULTS OF THE PILOT AUDITS

Only 11% of entities audited in the pilot audits did not have a finding or observation.[23] By entity size, Level 4 entities, the smallest entities, accounted for 41% of the findings and observations.[24] Level 1 entities and Level 2 entities each accounted for 20% of findings and observations, with Level 3 entities at 19%.[25] By entity type, health care providers accounted for 65% of the total findings and observations, followed by health plans at 32% and health care clearinghouses at 3%.[26] Although the audits covered twice as many Privacy Rule provisions as Security Rule provisions, the Security Rule provisions accounted for more than 60% of the total findings and observations.[27] Specifically, 58 out of 59 providers had one or more Security Rule findings, and 47 out of the 59 providers failed to provide a complete and accurate risk analysis.[28]

OCR has indicated that it used the pilot audits and the evaluation to inform the structure of future audits.[29] OCR also states that it will release best practices and targeted guidance based on what it learned in the pilot audits.[30] Following the pilot audits, HHS released a Security Risk Assessment tool, designed to help covered entities comply with the risk analysis requirement of the HIPAA Security Rule. That tool can be downloaded at http://www.healthit.gov/providers-professionals/security-risk-assessment.

THE NEXT PHASE OF HIPAA AUDITS

THE FIRST PROPOSAL

In March 2014, OCR announced that it projected the next phase of its audit program would include offsite, or desk, audits of 350 covered entities.[31] OCR anticipated making initial contact with covered entities in the spring and, in the summer, sending a pre-audit survey to approximately 550 to 800 covered entities.[32] OCR planned to select the covered entities it would audit from that pool and notify the selected entities in the fall of 2014.[33] OCR anticipated giving auditees two weeks to respond to data requests, allowing it to conduct the audit reviews from October 2014 through June 2015.[34] OCR also announced that it would begin auditing business associates in 2015.[35] OCR stated that onsite audits were being planned on a resource-dependent basis.[36] Figure 3 represents a breakdown of the targeted offsite audits, by covered entity type, as presented by OCR in March 2014.

Figure 3: OCR Projected Breakdown of 2014-2015 Covered Entity Audits[37]

                                    Privacy Rule   Breach Notification   Security Rule
                                    Audit          Rule Audit            Audit
Total Number of Covered Entities    100            100                   150
Health Plans                         33             31                    45
Health Care Providers                67             65                   100
Health Care Clearinghouses            -              4                     5

THE CURRENT PROPOSAL

In September 2014, OCR announced modifications and a delay to its previous proposal for the next round of HIPAA audits.[38] OCR now plans to conduct fewer than 200 targeted offsite audits, but will conduct a large number of comprehensive onsite audits.[39] OCR will also conduct comprehensive onsite audits of business associates.[40] OCR stated that it is in the process of updating its technology, which has delayed the start of the next round of audits.[41] OCR could not comment on when the audits will start.[42] The new technology will assist OCR in analyzing data and will include an online portal that entities will use to submit data, both for the pre-audit survey and for the actual audits.[43] OCR predicts this will allow it to conduct more audits.[44]

Although many of the audits in the next round may be comprehensive, OCR notes that, in particular, it will look for a periodic risk analysis and for documentation of policies and procedures that have been updated and implemented.[45] OCR states that in the comprehensive audits, when looking at an entity's sanction process, "we'll want to see instances where you've sanctioned people and whether it was consistent with your sanctions policy."[46] Additionally, OCR will be asking covered entities for a complete list of all business associates, with contact information and the services that they provide.[47] This list will be the basis of OCR's selection of business associates for audits.[48]

PREPARING FOR A HIPAA AUDIT

As covered entities and business associates prepare for HIPAA audits, and for the reality that HIPAA audits are likely a permanent feature of OCR's mechanisms to ensure compliance, resources should be focused on several key areas of compliance failures. This checklist is not meant to be comprehensive, and covered entities and business associates should take appropriate steps to ensure compliance with all requirements of the HIPAA regulations.

Before an OCR audit:

- Consider conducting mock audits; both paper reviews and onsite audits can be helpful in identifying compliance gaps
- Identify and communicate who in your organization is responsible for HIPAA compliance
- Review your vendor management process

If you are selected for an OCR audit:

- Determine whether the audit will be onsite or offsite
- Depending on your organizational structure, verify what part of your organization OCR will audit and whether OCR will audit subsidiaries or affiliates
- Begin preparing your response immediately; OCR may not give additional time to respond to a data request
- Evaluate the requirements for transmitting the documentation to OCR; communicate with OCR early if you do not believe you can submit in the requested format
- Ensure submissions are responsive: do not submit extraneous information, but recognize that there may not be an opportunity to submit supplemental information
- Ensure documentation clearly demonstrates compliance, especially for offsite audits

SECURITY RULE AUDIT CHECKLIST

The Security Rule aims to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) created, received, maintained, or transmitted by covered entities or business associates. To do this, the Security Rule requires covered entities and business associates to protect against reasonably anticipated threats or hazards to the security or integrity of the ePHI, to protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted by the Privacy Rule, and to ensure that their workforce complies with the requirements of the Security Rule. The Security Rule is designed to be flexible and scalable, not prescriptive.

Top Security Tasks to Tackle Before an OCR Audit:

- Risk Analysis and Risk Management: Ensure a complete, accurate, documented, enterprise-wide risk analysis, conducted at least within the last three years (ideally in the past year) and updated as required by environmental or operational changes, together with a corresponding risk management plan that sets reasonable timelines to address the threats and vulnerabilities identified in the risk analysis
- Encryption and Decryption: Identify all devices and media containing ePHI and all instances in which ePHI is transmitted; document that the data is encrypted, or document the analysis of why encryption is not reasonable and appropriate and whether an equivalent alternative measure was reasonable
- Device and Media Controls: Ensure appropriate policies and procedures for disposal, re-use, backup, storage, and tracking of all devices and media containing ePHI; ensure the policies and procedures are consistently followed by the workforce
- Security Incident Response and Reporting: Policies and procedures should require documentation of all security incidents and the response taken, timely action to mitigate harm where appropriate, and escalation when an incident is a potential breach; ensure consistent implementation and appropriate documentation
- Security Awareness and Training: An ounce of prevention is worth a pound of cure; ensure the workforce is properly trained on all security policies and procedures, including incident response and reporting, and provide periodic awareness training

PRIVACY RULE AUDIT CHECKLIST

The Privacy Rule can be divided into three sections:

1. Uses and Disclosures of PHI (Permitted, Required, and Prohibited);
2. Individual Rights; and
3. Administrative Requirements.

For each type of use or disclosure of PHI, a covered entity should have a corresponding policy and procedure. Covered entities should periodically verify that these policies and procedures are being implemented correctly. Individuals generally have the right to request a restriction of uses and disclosures; request confidential communications; access and obtain a copy of PHI maintained in one or more designated record sets; request an amendment of PHI; and receive an accounting of disclosures of PHI. The Privacy Rule administrative requirements include designating a privacy officer, workforce training, safeguards, a process for individual complaints to the covered entity, sanctions, mitigation of harmful effects, refraining from intimidating or retaliatory acts, a prohibition on waiver of certain rights, policies and procedures, and documentation requirements.

Top Privacy Tasks to Tackle Before an OCR Audit:

- Notice: Update the Notice of Privacy Practices to reflect material changes required by the Omnibus Rule or other material changes
- Access: Review policies and procedures for providing individuals with access to their PHI, including the process for denying access and providing reviews of denials, as required; ensure documentation of access provided or the reason for denial
- Training: Review training materials and ensure training includes any recent changes to policies and procedures; ensure documentation (tracking) of workforce training
- Policies and Procedures: Review all policies and procedures related to uses and disclosures of PHI; ensure these are being implemented as written; revise and update as needed, or retrain and/or sanction workforce members not following the policies and procedures
- Business Associates: Ensure a process for identifying all contractors and vendors that qualify as business associates under HIPAA and for entering into appropriate agreements with them
- Business Associate Agreements: Update all business associate agreements, if needed, to reflect Omnibus Rule changes

BREACH NOTIFICATION RULE AUDIT CHECKLIST

It is important to ensure complete documentation for each impermissible use or disclosure of PHI. This includes incidents where the covered entity (or business associate, if applicable) determined that the impermissible use or disclosure was a breach and made notifications to individuals, the media, and HHS. Documentation is equally important when the covered entity or business associate determines that the impermissible use or disclosure did not require notifications because it fell within an exception, it met the safe harbor for secured PHI, or the covered entity or business associate determined a low probability of compromise based on a risk assessment of at least the four enumerated factors.

Top Breach Tasks to Tackle Before an OCR Audit:

- Policies and Procedures: Ensure policies and procedures have been updated to reflect Omnibus Rule changes and address all elements of notification; implement the updated policies and procedures and train the workforce
- Breach Notifications: Ensure documentation of all types of notification (individual (written and substitute), media (if applicable), and HHS), including documentation for any delays (e.g., a law enforcement request), where appropriate
- Documentation of Risk Assessment or Exception: Covered entities have the burden of proving that an impermissible use or disclosure of PHI did not meet the definition of breach; ensure these determinations are thoroughly documented, made in good faith, and reasonable
- Business Associate Breaches: Ensure business associate agreements require business associates (or subcontractors, if applicable) to report breaches, and security incidents, which are a broader category than breaches

Notes

1. Health Insurance Portability and Accountability Act of 1996, as amended, and implementing regulations (collectively, "HIPAA"), 42 U.S.C. §§ 1320d to 1320d-9.
2. Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), § 13411; 42 U.S.C. § 17940 (2009).
3. Office for Civil Rights; Statement of Delegation of Authority, 65 Fed. Reg. 82381 (Dec. 28, 2000).
4. HIPAA Privacy, Security, and Breach Notification Audit Program, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html (last accessed Sept. 14, 2014).
5. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2, HCCA Compliance Institute, March 31, 2014.
6. Id.
7. Id.
8. Id.
9. Id.
10. Id.
11. Id.
12. Id. The initial study and identification of covered entities were done by Booz Allen Hamilton and completed in 2010 and 2011, respectively. The audit protocol was developed by KPMG in 2011, followed by the audits, also done by KPMG, in 2011 and 2012. The program evaluation was done by PwC LLP and concluded in 2013.
13. Lessons Learned from OCR Privacy and Security Audits, Program Overview and Initial Analysis, Presentation to IAPP Global Privacy Summit, March 7, 2013.
14. Id.
15. Audit Pilot Program, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html (last accessed Sept. 9, 2014).
16. Id.
17. Under HIPAA, 45 C.F.R. Part 160, OCR has the authority to investigate complaints filed with the Secretary pursuant to 45 C.F.R. § 160.306 and to conduct compliance reviews of covered entities and business associates pursuant to 45 C.F.R. § 160.308.
18. Lessons Learned from OCR Privacy and Security Audits, Program Overview and Initial Analysis, Presentation to IAPP Global Privacy Summit, March 7, 2013.
19. Id.
20. Id.
21. Id.
22. Id.
23. Id.
24. Id.
25. Id.
26. Id.
27. Id.
28. Id.
29. Id.
30. Audit Pilot Program, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html (last accessed Sept. 14, 2014).
31. Lessons Learned from OCR Privacy and Security Audits, Program Overview and Initial Analysis, Presentation to IAPP Global Privacy Summit, March 7, 2013.
32. Id.
33. Id.
34. Id.
35. Id.
36. Id.
37. Id.
38. L. Sanches speaking at the HIMSS Privacy and Security Forum, Sept. 9, 2014.
39. OCR Senior Advisor: Stay Tuned on HIPAA Audit Timeline, HealthITSecurity, available at http://healthitsecurity.com/2014/09/09/ocr-senior-advisor-stay-tuned-on-hipaa-audit-timeline/ (Sept. 9, 2014).
40. Id.
41. Id.
42. Id.
43. Id.
44. Id.
45. Id.
46. Id.
47. Id.
48. Id.