HIPAA Audit Program Phase II – Have You Been Selected?


Phase II of the HIPAA Audit Program has begun, with many covered entities and business associates receiving an “Audit Entity Contact Verification” message from the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). The communication requires the individual recipient to verify that he or she is the primary contact for the HIPAA Audit Program.

Does the receipt of this form mean that your entity has been selected for an audit? Not necessarily.

Although receipt of the communication is not a guarantee of an audit, it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity. According to OCR, the process for the HIPAA Audit Program is as follows:

  1. Contact Verification: OCR will send the Audit Entity Contact Verification to a covered entity or business associate to determine the entity’s primary contact for HIPAA purposes. Covered entities and business associates who receive the form should respond and not ignore OCR’s request for verification. OCR has made it clear that entities who do not respond could still be subject to an audit.
  2. Questionnaire: After the entity’s contact information is verified, OCR will send a questionnaire to each covered entity and business associate to determine the size, type, and operations of the entity. Covered entities will also be required to identify each of their business associates. OCR will use this data to develop the pool of potential auditees for the HIPAA Audit Program.
  3. Selection: OCR will then randomly select entities from the pool for audit. If selected, the entity will have to visit an OCR web site and upload its HIPAA privacy policies, security policies, and most recent risk assessment. Based on the information uploaded, it is possible that OCR will arrange an on-site visit to the entity.

The bottom line is that your receipt of the Audit Entity Contact Verification message does not necessarily mean that your entity will be selected for a HIPAA audit. However, your entity will likely be placed into the pool from which OCR will select entities to audit.

If nothing else, the receipt of the Audit Entity Contact Verification communication should motivate your entity to review current HIPAA privacy and security policies and ensure that they conform to the requirements of HIPAA and the HITECH Act. In addition, your entity should perform an updated risk analysis to uncover and address gaps in your HIPAA security policies and procedures.

A basic risk analysis should include the following components:

  1. Inventory: An inventory listing all of your information assets that contain health information (e.g., computers, laptops, smartphones, etc.);
  2. Threats: Potential threats to the security of your information assets;
  3. Controls: Current controls to safeguard the assets against the threats;
  4. Vulnerabilities: Any vulnerabilities in the controls;
  5. Likelihood: The likelihood that the threats will exploit the vulnerabilities;
  6. Impact: The impact if the vulnerabilities are exploited (e.g., how much health information is at risk); and
  7. Risk: The overall risk of a threat, based on the likelihood and potential impact of the threat’s exploitation of a vulnerability.

It is important to develop policies and procedures to address any risks that your entity uncovers as a result of the risk analysis.

Although the HIPAA Audit Program can be a source of anxiety for covered entities and business associates, it can also be a great opportunity to update HIPAA policies and procedures and ensure that your entity is doing everything possible to safeguard health information.

For more information about the HIPAA Audit Program and HIPAA compliance issues, please contact Casey Moriarty.

Steep Price Tag for Not Entering a Business Associate Agreement

North Memorial Health Care of Minnesota (“North Memorial”) recently agreed to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by essentially failing to enter into a Business Associate Agreement. Pursuant to the settlement, North Memorial agreed to pay $1,550,000. This settlement is a reminder of the importance of executing business associate agreements before sharing protected health information.

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) initiated an investigation of North Memorial following its receipt of a breach report. The report indicated that a password-protected laptop had been stolen from a locked vehicle belonging to an employee of North Memorial’s business associate, Accretive Health, Inc. (“Accretive”). The laptop contained electronic protected health information on 9,497 individuals.

OCR’s investigation revealed that North Memorial failed to enter into a business associate agreement with Accretive. Pursuant to the HIPAA Privacy and Security Rules, covered entities are required to enter into business associate agreements with all business associates to whom they provide protected health information. The investigation further revealed that North Memorial failed to complete a risk analysis for the electronic protected health information that it maintained, accessed, and transmitted across its IT infrastructure. Such an analysis may have revealed the vulnerability posed by permitting protected health information to be stored on an unencrypted laptop.

Takeaways from this settlement:

  • Do not share protected health information with business associates without a valid business associate agreement in place. A valid business associate agreement almost certainly would have reduced North Memorial’s liability in this case.
  • Covered entities and business associates should perform HIPAA security risk analyses as required under the HIPAA Privacy and Security rules. Such analyses may uncover vulnerabilities that can be easily addressed.
  • Electronic protected health information should be safeguarded with encryption technology. A high percentage of all breaches stem from lost or stolen portable devices. Encryption provides strong protection to covered entities and business associates in the case of a breach, and a password alone (as on the laptop in this case) does not protect the data on a stolen device.

Verizon Cloud Services Agrees to Sign BAA

Earlier this month Verizon announced its cloud services aimed at healthcare providers. These services are designed to be HIPAA compliant, including providing the physical, technical, and administrative safeguards required by the HIPAA Security Rule. Most notably, with this announcement Verizon has agreed to execute a Business Associate Agreement. Verizon’s press release expresses its commitment to top security protocols and offers a cloud hosting option to traditional healthcare companies that currently self-host. Verizon touts the cloud services as a safe, secure, and fast mechanism for healthcare providers to efficiently share information with one another.

Verizon is not the only vendor attracting healthcare clients with HIPAA compliance and Business Associate Agreements. Microsoft announced earlier in the summer its willingness to execute Business Associate Agreements as well for its Windows Azure Core Services. Amazon has even published a white paper on HIPAA compliance when using its Amazon Web Services platform.

Willingness to sign a Business Associate Agreement is significant, as is the acknowledgement that these companies are subject to the HIPAA requirements (per the HITECH Act). Even so, healthcare providers contracting with Verizon, Amazon, Microsoft, or any other company should make sure that they are adequately protected. That protection includes not only the implementation of security safeguards but also sufficient indemnification provisions in case of a breach. For more information about HIPAA and Business Associate Agreements, please contact Elana Zana or Dave Schoolcraft.