The Office for Civil Rights is currently conducting the second round of audits to assess covered entity and business associate compliance with the Health Insurance Portability and Accountability Act. These audits represent the first time the OCR has included business associates in the process. The phase-two audits began in July 2016, when 167 randomly selected covered entities received a notice from OCR that they were selected to participate in a HIPAA desk audit. A number of business associates will be randomly selected to participate as well. The phase-two audits include a number of onsite audits but those will not occur until early 2017.
Even though the recently updated audit protocol is very lengthy, the desk audits are focused on only three areas:
- From the privacy rule — Notice of privacy practices focused on content, provision of notice and patient right of access to protected health information (PHI).
- From the security rule — Security risk analysis and risk management
- From the breach-notification rule — Timeliness and content of any breach notifications
In a Q&A webinar for the covered entities conducted on July 13, OCR Director Jocelyn Samuels emphasized that the phase-two audits are intended to permit OCR to gather information about the state of HIPAA compliance in order to develop new compliance tools and guidance documents, rather than being a punitive process to catch non-compliant entities. Samuels stated that if the covered entities can show reasonable, good-faith efforts to comply with HIPAA, the phase-two audits will not result in enforcement action. However, she added that if “significant threats” to the privacy and security of PHI are identified, OCR may initiate enforcement.
Enforcement actions and audits are quite different. OCR will investigate complaints that are filed by patients, whistleblowers or others. OCR may also conduct a compliance review in response to an entity’s self-reported breach, which is required under the Breach Notification Rule. If the OCR finds issues, corrective action plans and resolution agreements are drafted. As of October 13, 2016, the OCR has entered into resolution agreements with 40 entities, with fines ranging from $50,000 to $5,500,000. Suffice it to say, the OCR is serious about protecting patient privacy rights and patient data, and it is holding those who use and share the data accountable.
The Government Accounting Office (GAO) released a report (GAO-16-771) on September 26 regarding OCR. The report basically slams OCR for a variety of non-performance issues. The GAO made several recommendations, including that 1) OCR update the guidance it provides entities for protecting ePHI; 2) OCR address key security elements; 3) OCR improve the technical assistance it provides to covered entities; 4) OCR do a better job of following up on corrective actions; and 5) OCR establish metrics, as required, for gauging the effectiveness of its audit program. What this means for the future is that we can expect a much more robust program for HIPAA compliance from the OCR.
HIPAA is not going away.
Some history
HIPAA, otherwise known as the Kennedy-Kassebaum Act, was passed by Congress on August 21, 1996. The act contains provisions to protect the privacy and security of protected health information (PHI) and to improve the portability of group health insurance. HIPAA also includes provisions for administrative simplification, to adopt standards for electronic data exchange and to address the prevention of fraud and abuse. Another section of the rule established the medical savings account, which no longer exists.
The original regulations have undergone a little tweaking but have not changed substantially over time. Remember that the law was passed in 1996, so the regulations were written well before that time. The government allowed for implementation flexibility and scalability, knowing that healthcare is such a broad universe, with providers, health plans, etc. of all shapes and sizes.
This good intention has turned out to be a double-edged sword.
There is no checklist approach to compliance, making it difficult to determine the actual activity to be conducted or monitored. Specific guidance from OCR has been sparse over the years. In fact, for several years following the implementation of the privacy rule in 2003 and the security rule in 2005, there was very little conversation regarding HIPAA and compliance. Enforcement was virtually at a standstill. Enforcement authority was originally split: OCR for the HIPAA privacy rule and the Center for Medicaid and Medicare Services for the security rule. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted under ARRA (otherwise known as "The Stimulus Plan"), gave enforcement authority to one agency: OCR.
Once the enforcement regulations changed and enforcement responsibility was moved solely to OCR, helpful data began to emerge from enforcement actions. The OCR publishes resolution agreements, allowing for insight into the transgression and remediation. The so-called “Wall of Shame,” the public HHS website where breaches involving over 500 individuals are posted, gives us insight into current breaches. Almost 1,700 covered entities and business associates have posted breaches on the site as of October 13.
Under HIPAA, data is key. Specifically, the data known as (electronic) Protected Health Information (ePHI) is "individually identifiable health information" that relates to 1) an individual’s past, present or future mental or physical health or condition; 2) the provision of health care to an individual; or 3) the payment for the provision of health care. A medical record contains so many sets of data that could be used for all kinds of beneficial and, unfortunately, nefarious purposes.
Health information is valuable. Estimates place a medical record at 10 times the value of financial data on the black market, with a street price often $50-$65 per record.
But herein lies the problem.
The covered entity that creates, receives, maintains, or transmits the data is responsible for ensuring its protection. Covered entities must use trusted business associates, who in turn must utilize services or products from other companies, and so on. Ultimately, the covered entity is the one responsible for the data, regardless of another company’s transgression. Covered entities must have policies and procedures in place, and be able to provide evidence that the policies and procedures are being followed, to ensure that the PHI is being properly protected. Covered entities are also responsible for ensuring that their business associates are properly protecting the data, and the business associates must ensure that anyone they subcontract with is also properly protecting the data.
What might we see in the future? Remember that everyone wants health data. Many folks are pushing interoperability of health applications. Many government agencies see regulating health data as part of their domain. The ONC wants control of health data in electronic medical records. The FDA wants to control health data when it falls in its domain, such as in clinical investigations and medical devices. The FTC wants to play and has already tested the waters in FTC v. LabMD. The FTC also started enforcing its own Health Breach Notification Rule on February 22, 2010, regarding health data breaches for certain entities not covered by HIPAA, such as personal health record providers.
Best advice: if you are working with health data, ensure that you are familiar with the regulations that pertain to you and that you accept the responsibility and abide by your obligation to protect the data accordingly.
