Recent enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) have shown an increase in fines and penalties assessed against smaller providers for failing to comply with the privacy, security, and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA). Historically, OCR has focused on larger providers, such as hospitals and health systems, and breaches involving more than 500 individuals; however, OCR is now aggressively enforcing HIPAA compliance of smaller providers, including sole practitioners, and investigating smaller breaches affecting fewer than 500 individuals. As a result, 2016 is expected to be a critical year for HIPAA enforcement and a record year for fines and penalties for noncompliance.
Explore this issue: May 2016
Reason for the Change
In fall 2015, the Office of Inspector General (OIG) issued a report regarding OCR’s HIPAA enforcement practices. The report found that OCR actively investigated all large breaches (affecting more than 500 individuals), but failed to document investigations of small breaches (affecting fewer than 500 individuals), suggesting that small breaches are often overlooked. This variance is largely due to limited federal resources and the fact that OCR simply does not have the time or manpower to investigate small breaches.
The OIG’s report also suggests that certain covered entities routinely violate HIPAA regulations and exhibit compliance issues that warrant increased fines and penalties. In response, OCR is increasing its enforcement activities by reviewing covered entities with previous breaches to reassess compliance and markedly increasing the fines assessed against repeat offenders. In addition, on March 21, 2016, OCR announced that phase 2 of its HIPAA audit program had begun, which is undoubtedly an effort to overcome any scrutiny cast on OCR by the OIG’s report.
Phase 2 HIPAA Audits
Although the second round of HIPAA audits has been expected for some time, OCR is now actively selecting covered entities and business associates for Phase 2 HIPAA audits. The goal of the audit program is to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR intends to use the data it obtains during the audit process to examine compliance mechanisms, determine best practices, and discover program risks and vulnerabilities.
Phase 1 took place in 2011 and 2012, and focused on the compliance of covered entities. Phase 2 will differ from phase 1 in that the audits will be expanded to include business associates. This phase will consist of three series of desk and onsite audits. The first series of audits will be desk audits of covered entities, and the second series will be desk audits of business associates. Desk audits are conducted off site and will examine specific compliance requirements of the Privacy, Security, and Breach Notification Rules by reviewing policies, procedures, and compliance plans of each entity selected for the audit. OCR expects the first and second series of desk audits to be completed by the end of 2016. The third series of audits will be on site and focus on a broader scope of HIPAA requirements than the desk audits. Selection for the first or second round of desk audits does not preclude selection for the onsite audits conducted during the third round, so some entities may be subject to both.
Any covered entity or business associate can be audited, regardless of size or type of provider. Audit selection criteria include the size and type of the entity, affiliation with other healthcare organizations, whether the entity is public or private, and geographic factors. The only entities exempt from an audit are those with an open complaint investigation or those currently the subject of a compliance review.
Advance Preparation Is Critical
Fines and penalties assessed by the OCR due to noncompliance with HIPAA requirements can put a small provider out of practice. For this reason, it is imperative that you evaluate your HIPAA compliance now and not wait until you are selected for an audit or are—even worse—a party to a breach.