Preparing for HIPAA Enforcement ActionsSurvival Tips for OCR Breach Investigations and Audits
In the wake of the HHS Office for Civil Rights recently issuing its largest HIPAA enforcement action to date - a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for the same 2011 data breach - healthcare entities and their business associates more than ever need to be ready for potentially intense regulatory scrutiny, says risk management expert Reza Chapman.
"OCR is clearly sending a message that they are taking seriously their responsibility to enforce the [HIPAA] rules," say Chapman, senior manager in the healthcare advisory services practice at consulting firm EY, formerly Ernst & Young. "They're doing this not only as a warning to covered entities and business associates that enforcement is ongoing, but it's also in response to the [HHS] Office of Inspector General audit last year that faulted OCR for not doing enough to enforce the rules," he says in an interview with Information Security Media Group.
A December 2013 inspector general report related to OCR's HIPAA oversight programs criticized the agency for delaying enforcement activities such as launching a permanent HIPAA compliance audit program, as required by the HITECH Act (see OIG: OCR Needs to Improve Compliance).
"We will continue to see enforcement actions and financial settlements by OCR, it's their charter to enforce those rules ... but also to provide the necessary capital to conduct proactive HIPAA audits," he says.
With that in mind, Chapman says organizations looking to avoid the scrutiny of OCR and lower their risk of expensive enforcement actions should take several measures, including conducting or updating a risk analysis "and taking positive steps to remediate the findings."
Entities also should "demonstrate a culture of compliance that shows privacy and security are not new concepts to the organization," he says.
In the interview, Chapman also discusses:
- How to avoid having a reported health data breach turning into a "mega HIPAA settlement" with OCR;
- Steps covered entities and business associates should take if they receive an OCR "pre-audit survey" that indicates they might be chosen for a HIPAA compliance audit;
- Why it's critical for covered entities to consolidate documentation related to their business associate relationships.
Chapman has 18 years of experience in the fields of information security, information technology, and management consulting. During his consulting career, Chapman has supported many Fortune 100 companies in the healthcare, financial services, energy, retail and other industries. Over the past 14 years Chapman has worked primarily with senior level executives to improve their organizations' information security and compliance programs, including HIPAA.
Sending a Message
MARIANNE KOLBASUK MCGEE: What message do you think OCR is sending to healthcare entities and business associates with the recent New York HIPAA settlement?
REZA CHAPMAN: OCR is clearly sending the message that they take seriously their responsibility to enforce the rules. They're doing this not only as a warning to covered entities that enforcement is ongoing, but I also think it's in response to the [HHS] Office of Inspector General audit last year faulting them for not doing enough to enforce the rules.
MCGEE: Do you think it will be likely that OCR will have more big enforcement actions and more large financial penalties?
CHAPMAN: Absolutely, we will continue to see enforcement actions in financial settlement by OCR. It's their charter to enforce those rules. This not only goes to demonstrate that they're enforcing the rules, but also may provide the capital necessary to conduct the proactive HIPAA audits in-house, which is what we understand they plan to do.
MCGEE: What are the key actions that organizations should be taking to avoid OCR enforcement actions like this?
CHAPMAN: Organizations looking to avoid OCR enforcement can take steps to lower the risk of such an action by updating, or in the case of some entities unfortunately, actually conducting a risk analysis and taking positive steps to remediate the findings. They can demonstrate a culture of compliance that shows security and privacy are not new concepts to the organization. They can deal with potential breaches swiftly and take seriously the importance of necessary reporting. And finally, making sure that all policies and procedures are thoroughly documented. As the old saying applies, if you didn't document it, you didn't do it. And for those organizations experiencing an active OCR investigation, and again as breach notification has been going on for some time - there are a number of entities in this situation - it's important to fully cooperate with the agency. Organizations taking an evasive or combative stance have historically been penalized the most it would seem.
MCGEE: What is the best way to avoid having these OCR breach investigations from growing into these mega-HIPAA settlements?
CHAPMAN: If a reportable breach has occurred, in addition to actually following through with the [compliance] process, entities should get to the bottom of the source of the breach and take immediate steps to prevent reoccurrence. This may be in the form of improved training programs or the application of additional physical administrative or technical controls.
Audit Preparation Steps
MCGEE: What are the most important steps that covered entities and business associates should be taking to prepare in case they are chosen for a HIPAA compliance audit?
CHAPMAN: The audits this time will have a different approach then the pilots, in that they will be more targeted and generally not include an onsite component. In particular, the audits will focus on provisions that, with a source of a high number of compliance failures, were identified during the pilot audits. So if we look at each of the rules, the focus areas are as follows. We understand they will focus on risk analysis and risk management, and again not surprising given the preamble we gave earlier. For breach notification, they are going to focus on content and timeliness identifications. And those selected for privacy rule need to be prepared to demonstrate their compliance with notice and access activities.
Steps they can take include refreshing their risk analysis. Two-thirds of entities had incomplete or inaccurate risk analysis. A current risk analysis conforming to industry standard approach is critical. They can also run a risk management plan, and indeed they must be doing this to-date. There must be a plan in place to formally accept, mitigate, or remediate the risks.
Entities should also update their breach notification process, if not done already satisfactorily. Breach notification procedures must be in place and updated in accordance with the final rule. They need to verify that their HIPAA documentation in place, and in this next phase of audits it's important to note that there won't be a lot of back and forth between the OCR and the entities.
It has been made clear that [OCR is] going to request information. The information is going to be then provided by the entity to the OCR, who then will review it offline. The opportunity to provide additional commentary about the documentation or submit documentation after the fact doesn't necessarily appear to be a component of this round of audits. Finally, I think consolidating business associate documentation is important. We understand this time around business associates are going to be identified by the covered entity under audit, and so knowing who those business associates are and having information available to provide the OCR in the event of an audit is going to be crucial.
A Point Person
MCGEE: What's the first thing that these organizations should do before and after responding to the OCR pre-audit survey?
CHAPMAN: We understand the survey gathers largely demographic information about the entity that will help OCR target these entities for audit. We understand that as part of the pilot audits, OCR [officials] even made statements in various conferences that they attended that it was difficult to identify the covered entities to target. The survey process is going to assist them in actually moving forward with those audits. So before responding to the survey, if an organization or entity receives a survey, it's going to be important for the organization to note who's on point to receive a potential notification. Again ... knowing who in the organization is going to be the right person or the right group to receive that notification if it does come down the line [of having an audit] is going to be critical. At the same time, organizations should consider themselves a potential audit target if they've been selected for survey and take steps to prepare accordingly. I think that is something we can all agree they should have been doing for some time now.
Tipping Off Business Associates
MCGEE: If you're a covered entity that receives one of these surveys, do you think you should let the business associates know?
CHAPMAN: I don't know. I think it depends on the nature of the organization and number of associates involved. I mean some of the larger entities deal with thousands of associate agreements. I think it's important though that the covered entities can actually identify the associates. That's a good step, and our experience shows that this is a dealing with the procurement process and vendor management process is a challenge. So getting their business associate 'house' in order, so-to-speak, is going to be crucial.
Cooperating with Investigators
MCGEE: What's your best tip to organizations for surviving an OCR HIPAA audit or a breach investigation?
CHAPMAN: I think one thing I can't stress enough is that if you are facing an audit or investigation with the OCR, be honest, be forthcoming, and work positively with the agency. Again, some organizations tend to take an evasive, more aggressive stance against the audit, and that doesn't really help anybody in the process. So I would say to be transparent, be cooperative and work through the challenges with the real desire to solve the issues moving forward. Dealing with HIPAA and compliance and making sure that our patient information is secure in organizations is something that is going to need to get better over time.