On February 24, 2014, the Department of Health and Human Services announced its plans to conduct a pre-audit survey of up to 1,200 HIPAA “covered entities” and “business associates” to determine whether each entity is suitable for the HIPAA Audit Program conducted by the Office of Civil Rights (OCR). The pre-audit will potentially collect recent data about the number of patient visits, use of electronic information, revenue and business locations. The pre-audit information will be shared with the OCR, which is mandated to conduct audits of covered entities and business associates to assess compliance with the Privacy, Security and Breach Notification Rules under HIPAA.
Expansion of HIPAA Requirements under Final Rule
The Omnibus Final Rule, which became effective March 26, 2013, increased penalties for violations of HIPAA, signaling heightened regulatory scrutiny to affected parties. The Final Rule expanded the regulatory requirements of HIPAA in several ways. For instance, the Final Rule made business associates of covered entities directly liable for compliance with certain requirements under the privacy and security rules. The Final Rule also expanded certain patient rights and adopted the HITECH breach notification requirements pertaining to unsecured protected health information. We have recently seen the Department of Health & Human Services enforce these provisions in a settlement with Concentra Health Services, a subsidiary of Humana. Concentra agreed to pay more than $1.7 million to HHS due to a security breach involving stolen unencrypted laptops.
Being Prepared and in Compliance
What all this means is that health providers and their business associates should be prepared by engaging in proper risk assessments to identify, evaluate and correct vulnerabilities in the protection of patient health information. In previous posts, we made the comment that it is no longer sufficient to have a compliance program in name only. We add to this by stating that the regulations require covered entities to review their policies and procedures so that vulnerabilities are corrected. Boilerplate policies that do not reflect the security risks actually present at the provider’s practice are wholly insufficient. Policies and procedures should be implemented in response to identified vulnerabilities. The public comment period regarding the HIPAA pre-audit survey closed on April 25, 2014. We will attempt to post updates on the pre-audit surveys as information is made available.