On July 27, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) released detailed information regarding its current HIPAA audit program. The current round of audits is ongoing, with 167 target entities receiving their notification of selection on July 11. OCR held a webinar on July 13 to educate the targets regarding the audit process; the July 27 guidance followed and aims to help potential future targets understand the process. These instructional materials are significant to all covered entities and business associates since any organization subject to HIPAA is eligible for future audit. This article addresses four key takeaways from the guidance.
1. Auditee Be Nimble, Auditee Be Quick
Covered entities have only 10 business days to respond to the audit requests (all documentation must be submitted electronically through a secure portal provided by OCR). OCR and its contractor, FCi Federal, will then have an unspecified period to review materials and issue draft findings. Upon receipt of draft findings, covered entities again have 10 business days to respond. That timeframe is consistent with OCR’s approach to compliance reviews: 10-14 days is frequently the deadline to respond to documentation requests and questions when OCR follows up on a complaint or breach report. On-site audits are similarly quick for auditees: the auditor will spend 3-5 days onsite and covered entities will have 10 business days to review the draft findings.
Due to the tight timeframe, it is critical to have documentation prepared in advance that aligns to both the HIPAA rule requirements and the audit protocol. It is well worth the time required to review the protocol and make note of the documentation requests that deviate from the HIPAA rule requirements. For example, OCR requests documentation evidencing that certain HIPAA compliance items like risk analyses are reasonably available to relevant workforce members. That evidence may not reside amongst covered entities’ typical HIPAA compliance documentation, which tends to be limited to policies, procedures, evaluations, and training.
Although selected organizations will only have to respond to part of the protocol (in this round, the selected protocol items include privacy notices, access rights, risk analysis, and breach notification), it would be prudent to prepare for the full protocol since there will be very little time to gather documents once actual requests are received from OCR. It also would be prudent to prepare now to immediately divert resources upon receipt of both the audit request and audit results so that responses to both the initial audit requests and the proposed findings are prepared, vetted internally, and delivered back to OCR timely. Key personnel who may need to devote a substantial amount of time to the exercise will almost certainly include compliance and/or privacy staff, legal representatives, and security personnel.
2. Spam Filters Are No Excuse
OCR has repeatedly warned that its questionnaires, audit requests, updates, and other communications will be delivered by email and it advised covered entities to monitor for these emails. Specifically, OCR has cautioned that its emails may end up in spam filters or junk folders. OCR expects covered entities and business associates to check proactively for these emails, which will be addressed from OSOCRAudit@hhs.gov. A sample of OCR’s initial contact verification email has been made available so covered entities and business associates can be aware of the appearance of these communications.
3. Identify Risks, Mitigate, Document, Repeat
The current round of audits focus on a few significant areas of the HIPAA Privacy, Breach Notice, and Security Rules (auditees will only be required to respond to specific portions of the protocol, as designated by OCR). Notably, the security portion of the protocol focuses on risk analysis and risk management, which continues a very strong trend of OCR scrutiny in this compliance area. Lack of an effective risk analysis has been a significant element in all of the following major HIPAA enforcement actions: Phoenix Cardiac Surgery (2012); Alaska DHHS (2012); Massachusetts Eye and Ear Infirmary / Associates (2012); Affinity Health (2013); Concentra (2014); QCA Health Plan (2014); New York and Presbyterian Hospital / Columbia University (2014); Anchorage Community Mental Health Services (2014); Cancer Care Group, PC (2015); Lahey Hospital and Medical Center (2015); Triple-S Management Corporation (2015); University of Washington Medicine (2015); North Memorial Health Care of Minnesota (2016); Feinstein Institute for Medical Research (2016); Catholic Health Care Services of the Archdiocese of Philadelphia (2016); Oregon Health & Science University (2016); University of Mississippi Medical Center (2016).
Taken together, those actions resulted in total resolution payments of over $30 million and an average resolution payment of $1.8 million. The message could not be more clear: Your organization cannot afford to skip (or scrimp on) conducting the required HIPAA risk analyses.
Recently, OCR also has focused on inadequate risk mitigation, finding that covered entity enforcement targets may have identified risks, but failed to take action to mitigate them effectively. For example, in 2014 OCR alleged “Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization.” This year, OCR made a similar finding regarding Oregon Health & Science University, alleging “OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level.” There is a clear message here too: Once risks are identified, a mitigation plan must be developed and implemented.
As noted, the audits continue OCR’s specific focus on the risk analysis and risk mitigation elements of the Security Rule. Specifically, the audit protocol requests copies of the covered entity’s policies and procedures regarding the risk analysis process and documentation demonstrating they have been in effect for six years. Covered entities preparing for this aspect of the audit protocol should ensure that these policies align to OCR’s risk analysis guidance, and that past versions or change control documentation reflect six years of revision and/or effective dates. (Note that this documentation requirement over a six-year span applies to all compliance policies and procedures required by HIPAA.)
The audit protocol also requires disclosure of the current and immediate prior HIPAA risk analyses, which are likely to reveal vulnerabilities and highlight security challenges. Nevertheless, OCR has extensive authority to request (and subsequently require) disclosure of this material. Which leads us to our next point . . .
4. Discoverability of Audit Responses and Reports
OCR has confirmed that, although it does not intend to proactively identify audited parties, it may be required to release its audit requests in response to Freedom of Information Act (FOIA) requests. Similar requests have already been pursued by ProPublicaregarding compliance reviews.
OCR is a bit cagier about releasing audit results, noting only that “OCR may be required to release . . . other information about these audits upon request by the public” and it will “abide by FOIA regulations.” FOIA does provide federal agencies with some exceptions that, if applicable, would permit OCR to withhold documentation. We speculate that OCR is at least contemplating whether some of these exceptions could or should be invoked in the event its findings reveal sensitive information about auditees. During its audit webinar, OCR fielded the following question and provided a response that supports our conclusion:
A [OCR]: We believe that a risk analysis submitted by a CE [covered entity] for the audit to be covered by the following exemption from FOIA: Exemption 4: Trade secrets or commercial or financial information that is confidential or privileged.
Accordingly, auditees should specifically invoke confidentiality when submitting eligible responses to the auditor. To do so, we recommend specifically calling out that exemption in the written audit responses and identifying the documentation to which it can be applied so that OCR is on notice of an auditee’s position that the documents should not be disclosed in response to a FOIA request. (We often take the same approach in OCR compliance reviews for similar reasons.)
Notably, FOIA exemptions may not be available for all aspects of responses or audit reports, and they may be defeated by enterprising litigants. As such (and as always), HIPAA covered entities and business associates should take care when producing compliance documentation that may be provided to OCR, particularly in the production of risk analyses and security assessments that can reveal non-compliance or actionable vulnerabilities.
* * *
HIPAA audit-readiness is a great add-on to any mature HIPAA compliance program. For example, asking key areas of the company to engage in a mock response to the audit protocol items that fall in their area will help enhance compliance and cut down on fire drills in the event that an audit actually occurs. For programs of any maturity level, conducting a legally-adequate risk analysis continues to be a key part of both audit and enforcement readiness. The Wyrick Robbins Privacy and Data Security team assists clients with these and other privacy and data security compliance matters, including conducting or advising on compliance reviews and risk analyses, under HIPAA and other privacy and data security legal regimes.