Officials at the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) have recently selected a vendor to conduct the second wave of HIPAA audits. These so-called "Phase 2 Audits" are set to commence on the heels of two important HHS OCR enforcement proceedings alleging violations of the HIPAA Security Rule:
The HIPAA Security Rule establishes a federal standard for protecting individuals' PHI and ePHI that is created, received, used, or maintained by Covered Entities (CEs) and Business Associates (BEs). This standard requires that entities design, implement and enforce appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI. HHS OCR is responsible for the administration and enforcement of the Security Rule. It performs compliance audits and investigations and has the authority to impose civil penalties and corrective action plans for violations. In addition to the Security Rule, OCR also enforces the Privacy Rule and Breach Notification Rule.
Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, HHS OCR initiated its pilot Phase 1 Audit program in November 2011. Those audits were punctuated by HHS OCR's publication in June 2012 of an online searchable audit protocol that mapped the Security, Privacy and Breach Notification requirements evaluated in Phase 1. The audit protocol has emerged as a valuable tool for conducting internal assessments because it established a roadmap for aligning organizational performance of key HIPAA requirements with, among other things, security policy development, security monitoring and detection, security governance and management, workforce training, incident response planning, and business associate contracts.
Although the prior audit focused exclusively on CEs, the Phase 2 Audits will encompass both CEs, as well as BEs, which often serve critical data processing and management services. There is no doubt that HHS OCR will leverage the insights learned during Phase 1 to inform and design the audit protocols for Phase 2, which have not yet been published. If the recent enforcement actions and settlements against St. Elizabeth's and CCG are any indication of things to come, both CEs and BEs should consider conducting comprehensive risk assessments to identify issues for remediation before the Phase 2 Audits begin. As in those investigations, HHS OCR will likely be looking for whether organizations have conducted enterprise-wide risk assessments to identify their core technical and procedural vulnerabilities, and whether those assessments then translated into remediation strategies, as well as operational policies and employee training. In particular, HHS OCR is sure to examine the preparedness of organizations to detect, response, and recover from security incidents and data breaches. Moreover, as Phase 2 will encompass BEs, the same types of risk analysis and risk management, as well as breach reporting issues, promise to be front-and-center given the spate of recent high profile data breaches (across industries) that have been attributable to third-party service providers.
As a result, CEs and BEs should take this opportunity to review their security programs to identify potential HIPAA compliance issues, use the existing searchable online audit protocol tool as a starting point for conducting a comprehensive self-assessment, consider retaining expert outside help as necessary to provide an objective view and to help in developing a comprehensive plan that addresses physical, technical and administrative safeguards, and prepare and begin implementation of remediation plans. The best defense is early identification of risks and areas for remediation to provide organizations with the opportunity to avoid enforcement actions.