HIPAA Privacy, Security, and Breach Notification Audit Program; Resolution Agreement: Oregon Health & Science University; HHS Press Release (July 18, 2016)
HHS’s Office for Civil Rights (OCR) recently announced that phase 2 of its audit program to review compliance with HIPAA’s privacy, security, and breach notification rules has “kicked into high gear” with the release of desk audit notifications to selected covered entities. Separately, OCR announced a resolution agreement settling potential HIPAA privacy and security violations following the agency’s investigation of widespread and diverse compliance lapses by a covered entity.
Phase 2 HIPAA Audits. OCR launched phase 2 of the audit program, which consists of desk and on-site audits of both covered entities and their business associates (see our Checkpoint article), in March 2016. Phase 2 audits will be conducted in three rounds. OCR has indicated that round 1 is underway; covered entities selected for a desk audit received email notifications on July 11, 2016. Business associates will be included in the second round of desk audits—expected to begin in the fall. (OCR has indicated that all desk audits will be completed by the end of December 2016.) The third round of audits will be on-site and will examine a broader set of HIPAA requirements than the desk audits. Both covered entities and business associates, including those that already underwent a desk audit, may be subject to an on-site audit. OCR continues to remind entities that it is using email for its phase 2 communications; overlooking OCR’s emails because they landed in a spam folder will not excuse covered entities and business associates from audit. An updated audit protocol along with other information and documents (including an audit pre-screening questionnaire) are available to help entities better understand the mechanics and scope of the audit program (see our Checkpoint article).
Resolution Agreement. OCR’s latest resolution agreement is with a large public academic health center and research university in Oregon. The agency’s investigation began after the covered entity submitted multiple breach notifications affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive. The investigation uncovered evidence of widespread vulnerabilities within the covered entity’s HIPAA privacy and security compliance program, including the storage of electronic protected health information (ePHI) of 3,000 individuals on a cloud-based server without a business associate agreement, which resulted in significant risk of harm to many of these individuals due to the sensitive nature of their diagnoses. Although the covered entity had performed several risk analyses, these analyses did not cover all ePHI within the entity. In addition, the covered entity did not act in a timely manner to implement measures to address the documented risks and vulnerabilities to a reasonable and appropriate level. The entity also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI (or an equivalent alternative measure) for ePHI maintained on its workstations, despite having identified lack of encryption as a risk. The resolution agreement requires a $2.7 million payment and compliance with a three-year corrective action plan (CAP). 
Under the CAP, the covered entity must (1) undertake an accurate and thorough security management process, including developing and submitting its risk analysis and risk management plan to OCR for review and approval prior to implementation; (2) provide OCR with updates on its encryption efforts to safeguard ePHI; (3) develop security awareness and training materials to reduce the risks and vulnerabilities to ePHI as identified in its security management process, with implementation following OCR’s review and approval; and (4) prepare and submit to OCR detailed annual and event-based reports during the term of the CAP.
EBIA Comment: Among other takeaways, the latest resolution agreement illustrates the importance of not just performing a risk analysis but also heeding the findings in the analysis—in particular, addressing security management processes that may be insufficient. As the press release notes, “[t]his settlement underscores the importance of leadership engagement and why it is so critical … to take HIPAA compliance seriously.” And the stakes are now even higher with OCR conducting proactive audits of covered entities (including group health plans) and business associates. Diligence in documenting compliance efforts and in maintaining practices that enable early detection and correction of compliance problems is more important than ever. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.C (“HIPAA Compliance Audits by OCR”) and XX.D (“Resolution Agreements”).
Contributing Editors: EBIA Staff.