With the pinnacle of patient breaches hopefully behind us (e.g. Anthem/WellPoint breach, Premera, Blue Cross, and others in 2015), it is clear the industry has struggled with proper security of our electronic protected health information (ePHI). As such, the federal government has stepped in to ensure measures are in place to secure ePHI, to enforce privacy rules granting all of us access to our health information, and to make it illegal to discover a breach and not take appropriate steps to notify those affected.
The Office for Civil Rights (OCR) is a division of Health and Human Services responsible for ensuring industry compliance with an individual’s privacy rights and with safeguards for electronic PHI, and for investigating an organization’s diligence when breaches occur. Part of the OCR’s focus is also to develop audit rules to ensure the industry is adopting compliance efforts, reducing the risk of breaches and improving health care. This is called the HIPAA Audit Program, and it uses a set of instructions, called the Audit Protocol, to test compliance.
Phase 1 of the HIPAA Audit Program officially ended, and Phase 2 of the HIPAA Audit Program was announced on March 21, 2016 by Health and Human Services. In April 2016 they announced the updated HIPAA Audit Protocol. To clarify, the HIPAA law itself has not changed since the Omnibus update in 2013, but the government’s auditing of compliance has been updated and expanded.
The HIPAA Audit Protocol provides something the Healthcare Information Technology compliance and audit communities have been requesting for a long time: more guidance on HIPAA regulations. In addition to NIST-based risk analysis methodologies, this new set of protocols (instructions) is the most comprehensive guidance we have for HIPAA security (safeguards around electronic protected health information, or PHI), privacy (rights and restrictions to PHI) and breach notification requirements (what to do when a breach of PHI happens). This graphic shows the number of top-level HIPAA citations covered under the OCR’s checklist, color-coded by discipline:
To summarize the changes between Phase 1 and Phase 2 of the Audit Program:
What it was – Phase 1 of the OCR’s Privacy, Security and Breach Notification Audit Program:
- HITECH added Breach Notification to HIPAA and endorsed the OCR’s Audit Program.
- Contained 169 total protocols.
- Pilot program included 115 covered entities.
What it is now – the HIPAA Audit Program-Phase 2:
- OCR is implementing Phase 2 to include both covered entities (CEs) and business associates (every covered entity and business associate is eligible for an audit).
- Provides an opportunity for the OCR to identify best practices, risks and issues before they result in bigger problems (e.g. resulting in a breach) through the expanded random audit program.
- 180 enhanced protocols (groups of instructions) which contain the following updates:
  - Privacy – 708 updates (individual lines of instructions)
    - Most notable changes are more policies and procedures surrounding the HIPAA Privacy Officer as well as some changes for Health Plans and Business Associates.
  - Security – 880 updates (individual lines of instructions)
    - Most notable changes are that Health Plans must have assurances from their plan sponsors and all companies now have to get proof of HIPAA compliance from their business associates, vendors and subcontractors.
With so many recent changes, it is clear that checklists, spreadsheets, the ONC’s SRA tool, HITRUST and most commercial compliance software companies are now out of date with the new HIPAA Audit Protocol. As we get to the end of the Meaningful Use incentive program, we risk having a high number of covered entities potentially using outdated software tools for modern HIPAA compliance requirements.
Regarding the HIPAA Audit Protocol’s compliance date, Brad Trudell of MetaStar says, “Remember it’s intended to detail the specific questions OCR plans to ask in Phase 2 audits to determine compliance with the previously existing HIPAA/HITECH requirements. If possible, CEs/BAs should use the protocol as the basis for conducting their own internal audits to make sure compliance is whipped into shape before the REAL auditors come knocking.”
In other words, the compliance date would match the release date – April of 2016 (about 2 months before this article was written).
Specific steps to take in light of the new HIPAA Audit Protocol:
- Check your “Clutter”, “Junk” or “Spam” folders to ensure that an email sent from OSOCRAudit@hhs.gov (OCR office) is forwarded to the appropriate person (e.g. Compliance Officer, legal counsel, etc.) and responded to accordingly. Example of the email is here.
- Conduct an accurate and thorough HIPAA Security Risk Analysis. Be sure to include Privacy and Breach Notification assessments, since these are often overlooked.
- Review your organization’s policies and procedures along with the associated processes, compliance programs and other supporting documentation proving compliance. For gaps, update processes, policies and procedures to address identified issues.
- Address risks found in previous risk analysis efforts. This requires documented progress on closing gaps in compliance and the associated vulnerabilities (e.g. installing enterprise-wide encryption, implementing a training and awareness program, updating policies and procedures). This also includes having supporting documentation tracking these updates.
- Identify who your business associates (BA) are (or subcontractors a BA would give PHI to in order to facilitate a particular service for the upstream BA). Get a copy of each signed BA Agreement, ensure your agreements are updated per the HIPAA Omnibus update (after March, 2013), and collect proof (e.g. reasonable assurances) that the BA or Subcontractor actually has a HIPAA Security, Privacy and Breach Notification assessment and/or other proof of compliance (e.g. proof of encryption, training and awareness, policies and procedures).
- Ensure any software tools used are updated with the new release of the OCR’s updated HIPAA Audit Protocol (e.g. as part of OCR’s Phase 2 of their Audit Program), so that your risk management and compliance program is compliant today (not months from now).
Why invest in yesterday’s Audit Protocol? HIPAA One® announced on June 15, 2016 they are current with the OCR’s Phase 2 of the Audit Program. To learn more on how your organization can simplify and automate HIPAA Security, Privacy and Breach Notification Assessments, Mock-Audits and Risk Analysis in compliance with the HIPAA Audit Protocol, HITECH and NIST-based methodologies, contact us or email firstname.lastname@example.org.