HIPAA Phase 2 Audits Continue


In an assessment of its first round (Phase 1) of audits, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is responsible for enforcing patient privacy rules, found that many healthcare entities, including smaller practices, are having difficulty not only with implementing security technology to protect patient data, but also with implementing plans and selecting personnel to manage HIPAA compliance at their practice.

Struggling with HIPAA protocols

In fact, 66% of entities lacked complete and accurate risk assessments in a review of Phase 1 audits, according to Zinethia Clemmons, OCR’s HIPAA compliance audit program director. Research from SecurityMetrics, a data security company in Orem, Utah, suggests that protecting digitized patient health information continues to be a low priority for small practices. A poll of 150 healthcare professionals responsible for HIPAA compliance at organizations with fewer than 500 employees found that:

51% don’t test employees on HIPAA-related training;

50% of respondents don’t know if their organizations use multi-factor authentication;

41% don’t know how often their firewall rules are reviewed;

27% don’t encrypt emails containing patient data;

and 26% don’t use mobile encryption.

There are a variety of reasons why small practices find it difficult to make their systems HIPAA-compliant. One is finding information on how to prepare. OCR and the Office of the National Coordinator for Health Information Technology (ONC) have a HIPAA Security Risk Assessment tool available online to assist small and medium-sized practices.

Many small practices also haven’t implemented measures to prepare for a potential HIPAA audit. In a recent study by cloud-based practice management software provider NueMD, 30% of healthcare professionals said they didn’t have a compliance plan. Fifty-four percent said they did not have a security or privacy officer, and 60% were unaware of the planned increase in audits under OCR’s Phase 2 HIPAA Audit program, which began last year and is ongoing.

Small practices preparing for the new round of audits should use the federal government’s HIPAA audit protocol, which provides specific guidance on what is required. It is available on the Department of Health and Human Services’ website.

Steps to help prepare

OCR conducts two types of HIPAA audits: on-site and desk. The Phase 1 HIPAA Audit Program, which occurred in 2012, included on-site audits by auditors who interviewed key personnel and observed processes and operations to determine compliance with the HIPAA Privacy and Security Rules.

The Phase 2 HIPAA audit program, now underway, consists of desk audits. During a desk audit, practices are asked to provide documentation of their privacy, breach notification and security practices electronically via a secure web portal.

Mark Swearingen, JD, a lawyer with the Indianapolis, Indiana, law firm Hall, Render, Killian, Heath & Lyman, PC, has several recommendations for small practices as they prepare for a potential HIPAA audit:

Develop and implement policies and procedures that address HIPAA requirements.

For example, practices need to develop HIPAA-compliant protocols for responding to outside requests for patient medical records. Among the questions to be answered are:

Who handles the request—the doctor or the office manager?

How will the office authenticate that the requester is authorized to receive the records?

What documents from the requester should be presented, photocopied and kept on file?

What paperwork is required to process that request? How much can be charged for the records?

Implement practices that adhere to HIPAA privacy requirements for physical safeguards.

For example, make sure that conversations during patient registration can be held in private. Also, ensure computer screens can’t be seen by patients and visitors to the practice.

Designate an individual to oversee privacy and security activities.

There is no prohibition on the privacy or security officer performing other activities or functions, which means small practices don’t necessarily have to hire a person solely dedicated to doing this job, but HIPAA requires that they identify someone within the practice to manage HIPAA compliance activities.

The individual in charge of privacy and security activities must demonstrate that the practice has made good faith efforts to meet HIPAA requirements, including obtaining and regularly reviewing HIPAA policies, ensuring that employees are trained on the policies, making sure that an IT risk analysis is performed and problems are addressed and ensuring that business associate agreements are in place as necessary.

Always have an agreement.

Where a third party performs a service or function on behalf of the practice that involves access to patient information, that third party is a business associate under HIPAA and the practice should not disclose such information to the business associate until a business associate agreement has been signed.

Practices utilizing cloud computing technology to host their patient data should ensure a business associate agreement is in place with the cloud service provider.

These practices also should have an agreement with the provider addressing issues such as security responsibility and data backup and recovery in the event of an emergency such as a ransomware attack, apportionment of liability and how data will be returned to the customer after service use ends.

Make sure mobile devices are encrypted.

Implement policies that address how these devices are managed. For example, policies should state whether or not laptop computers can leave the premises. Practices should make sure apps doctors use to manage patient care have sufficient safeguards to protect the confidentiality, integrity and availability of patient information.

Keep the evidence.

Prepare and maintain documentation of HIPAA compliance activities so that information is readily available in the event of an audit. Not only will this improve the overall function of the practice’s compliance program, it will better position the practice to respond to a government request in a timely manner. (Practices selected for a HIPAA desk audit have only 10 days to prepare and send the requested documentation to OCR.)

CPMA Members can find helpful HIPAA compliance materials here

(Source: Nicole Lewis; Medical Economics [6/10/2017])