The Anesthesia Insider Blog


Should Anesthesia Practices Be Concerned about Phase 2 of the Government HIPAA Audit Program?

HHS’ Office for Civil Rights (OCR) is about to begin a new round of audits to determine the extent of providers’ and their business associates’ compliance with the HIPAA privacy, security and breach notification rules.

OCR conducted the Phase 1 "pilot" audits mandated by the HITECH Act in 2011 and 2012.  Those audits covered 115 covered entities (CEs), 61 of them providers, and the findings included the following:

  • Only 11 percent of the CEs audited had no negative observations;
  • The smallest CEs had the greatest difficulties in complying with all three of the HIPAA Standards;
  • More than 60 percent of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider CEs had at least one Security Standard finding or observation even though the Security Standards represented only 28 percent of the total audit items;
  • More than 39 percent of the findings and observations related to the Privacy Standards were attributable to a lack of awareness of the applicable Privacy Standards requirements, and
  • Only 10 percent of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards.

OCR and its contracted auditors assessed compliance with 169 distinct requirements corresponding to provisions of the HIPAA rules.  Based on the general findings above, and on the specific HIPAA problem areas uncovered, the newly announced Phase 2 Audit Program will focus on the areas of greatest risk rather than conduct a comprehensive review of all of the HIPAA Standards.  The Phase 2 Audits are also intended to identify best practices and to uncover risks and vulnerabilities that OCR has not identified through its other enforcement activities.  OCR will use the Phase 2 Audit findings to decide what technical assistance it should develop for covered entities and business associates.  Only where an audit reveals a serious compliance concern may OCR initiate a compliance review of the audited organization, and it is that review, not the audit itself, that could lead to civil money penalties.

The areas on which OCR intends to focus in the Phase 2 audits include the following:

  • risk analysis and risk management;
  • content and timeliness of breach notifications;
  • notice of privacy practices;
  • individual access to protected health information (PHI);
  • Privacy Standards’ reasonable safeguards requirement;
  • training on policies and procedures;
  • device and media controls (access, encryption), and
  • transmission security.

OCR plans to select 350 CEs for the Phase 2 Audits: 232 health care providers, 109 health plans and 9 health care clearinghouses.  The 350 will be drawn from a pool of 550 to 800 CEs identified through the National Provider Identifier database and America's Health Insurance Plans' databases of health plans and health care clearinghouses.  OCR will winnow the pool by issuing a mandatory pre-audit screening survey this summer.

In the fall, OCR plans to notify the 350 selected covered entities and send them data requests asking, among other things, for the identities and contact information of the CEs' business associates.  Business associates are being audited for the first time in Phase 2.  OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards and 100 covered entities for compliance with the Breach Notification Standards.

Phase 2 will involve desk audits only; no audits will be conducted on-site at the providers' locations.  CEs and their business associates will have just two weeks to respond to an audit request from OCR.  The data requests will specify the content, file names and other documentation requirements, and the auditors may contact the CEs and business associates for clarifications or additional documentation.  The downside of a desk audit is that CEs and business associates will have no opportunity to explain their policies and procedures in person; the submitted documents have to speak for themselves.  OCR will consider only current documentation that is submitted on time.  Failure to respond to a request could lead to a referral to the OCR Regional Office for a compliance review.

The likelihood that any one anesthesia group will be selected for a Phase 2 audit is minimal.  The prospect may nevertheless provide an opportunity, if not the impetus, for practices to check that they are HIPAA-compliant and that their documentation is up to par.  The process begins with a risk assessment, which OCR and multiple advisors and consultants recommend that practices undertake annually as a matter of course.  In the Phase 1 Program, two-thirds of the CEs audited had no complete and accurate risk assessment, so there is a good chance that this will be an area of interest in the Phase 2 audits.  The other HIPAA requirements on which OCR auditors are likely to focus will appear in the Phase 2 audit protocol, which OCR has promised to post on its website.

The next steps for a practice that chooses to update its HIPAA policies, procedures and documentation would be the following, drawn from a helpful checklist in McDermott Will & Emery's client alert, OCR to Begin Phase 2 of HIPAA Audit Program:

  • Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion;
  • Ensure that the organization has a complete inventory of business associates for purposes of the Phase 2 Audit data requests [and to keep a handle on potential liabilities – ed.];
  • If the organization has not implemented any of the Security Standards' addressable implementation specifications for any of its information systems, confirm that the organization has documented (i) why each such addressable implementation specification was not reasonable and appropriate and (ii) all alternative security measures that were implemented in its place;
  • Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards;
  • Health care provider and health plan covered entities should ensure that they have a compliant Notice of Privacy Practices and not only a website privacy notice;
  • Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI;
  • Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for a workforce member to perform his/her job duties;
  • Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring your own device environment);
  • Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has documented the risk analysis supporting the decision not to employ encryption;
  • Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan; and
  • Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures, etc.)

If the above list looks like a colossal undertaking, we can take comfort in the fact that there have been no new HIPAA requirements since early 2013.  Many of the tasks should be easy to confirm.

The greatest risk to most CEs, including anesthesia practices, is a breach of PHI.  The number of patient records affected is large and still growing.  Between 2009 and 2014, there was a 138-percent increase in the number of reported breaches, with nearly 30 million records affected, and the actual numbers are almost certainly higher than the reported ones.  In May, two New York teaching hospitals agreed to pay the largest amount to date, $4.8 million, to settle charges that they potentially violated HIPAA by failing to secure PHI on their shared data network.  The breach affected 6,800 patients and occurred when a physician attempted to deactivate a personally owned computer server on the network.  Because of a lack of technical safeguards, deactivating the server left electronic PHI accessible to internet search engines.  Two points in that case are worth noting for any practice: the exposure was discovered not by the hospitals but by a complaint from the family of a deceased patient who found the patient's PHI online, and OCR faulted the entities for never having conducted an accurate and thorough risk analysis of the shared network's equipment.  (HHS Press Release, Data breach results in $4.8 million HIPAA settlements, May 7, 2014).

Breaches can and will happen, but we hope that you will have minimized your risk—whether or not you are audited in OCR’s Phase 2.
