Beginning in the Fall of 2014, a substantial number of covered entities and business associates will receive a notification and data request from the Health and Human Services’ (HHS) Office for Civil Rights (OCR). According to Rachel Seeger, an OCR spokeswoman, “we hope to audit 350 covered entities and 50 business associates in this first go-around…Selected entities will receive notification and data requests in fall 2014, with business associate audit subjects being included in 2015.” The lucky recipients will be the first participants in the OCR’s effort to adopt a more aggressive approach to investigating compliance with HIPAA standards for privacy, security and breach notification. This initiative comes just months after a December 2013 report from the HHS’s Office of Inspector General (OIG), which criticized the OCR for falling behind on HIPAA enforcement and recommended that the OCR implement an audit-type function rather than relying solely on complaints as a means of assessing compliance. In response, OCR officials have expressed agreement with this recommendation and continued steps toward maintaining a permanent audit program.
Over the past six years, the OCR has favored voluntary compliance or corrective action, as opposed to monetary settlements, but many fear that’s about to change. The looming permanent audit program could translate into open season on covered entities and business associates. Since 2008, the OCR has sought and obtained 19 settlements related to HIPAA privacy and security issues, typically for some kind of data breach. Recently, the second largest settlement on record was reached with Concentra Health Services, a Humana subsidiary, despite there having been no indication that any information was accessed or used inappropriately. The $1.7 million settlement was obtained after Concentra self-reported data breaches, including the theft of two unencrypted laptops. Many privacy and security experts believe large settlements will become increasingly common as a result of the OCR’s increased enforcement efforts.
So, how can covered entities prepare for the upcoming audits and continue to operate in an environment of increasing regulatory enforcement? In March, the HHS released a security risk assessment tool to help providers with HIPAA compliance. Significantly, this is a resource provided by HHS, and it is on the agency’s website. While use of the tool does not guarantee that a covered entity will survive an audit unscathed, its use very likely will be a factor in how the government views a provider’s overall compliance efforts. Just how much of a factor remains to be seen, but a prudent HIPAA compliance program would be well served to use the tools provided by HHS.