March 23, 2016
Phase 2 HIPAA Compliance Audits Set To Begin
By Kelly McGee
UPDATE: After over a year of delays, the Health and Human Services Office of Civil Rights (OCR) has announced that it is beginning Phase 2 HIPAA audits. The OCR has stated that these audits will focus on reviews of policies and procedures put in place by covered entities and business associates to comply with HIPAA. The audits will be mainly desk audits, but the OCR will also conduct some on-site audits.
The Phase 2 HIPAA audits will commence with an email to verify an entity’s address and contact information, sent from the email address OSOCRAudit@hhs.gov. Be sure that your staff is on the lookout for an email from the OCR and procedures are in place to respond quickly.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office for Civil Rights (OCR) was given a mandate to conduct periodic Health Insurance Portability and Accountability Act (HIPAA) compliance audits. In these audits, the OCR is tasked with assessing the compliance of providers, health plans and healthcare clearinghouses (referred to under HIPAA as “covered entities”) with the Security Rule, the Privacy Rule, and the Breach Notification Rule. The OCR conducted Phase 1 pilot audits in 2011 and 2012, and anticipated starting Phase 2 audits in late 2014. Although the Phase 2 audits have been postponed, recent actions by the OCR, such as sending out surveys to confirm covered entities’ contact information, indicate that the OCR could commence Phase 2 at any time.(1) Now is the time for covered entities to prepare for a HIPAA compliance audit, or potentially find themselves subject to large fines for non-compliance.
Findings of the Phase 1 Pilot Audits
During 2011 and 2012, the OCR conducted 115 Phase 1 pilot audits and found that covered entities typically struggle the most with Security Rule compliance, with 60% of the audit findings focusing on Security Rule issues. Healthcare providers had more compliance issues than health plans or healthcare clearinghouses, and small organizations were less compliant than larger organizations.
The OCR made it clear that demonstrating compliance means more than merely having policies and procedures. Covered entities must show that personnel are aware of and follow the policies and procedures that are in place. In addition, it is the responsibility of covered entities to identify risk and have a risk mitigation strategy. According to an analysis of the Phase 1 audit data, about 80% of providers and nearly 57% of health plans did not have complete or accurate risk analysis programs.
Preparing for Phase 2 Audits
Although the OCR has not yet begun Phase 2 audits, now is the time for covered entities to prepare. Below are suggested guidelines for covered entities to ensure that they are ready for audit review.
Initial Preparation
As an initial step, covered entities should immediately review their policies and procedures, as well as any HIPAA-related documentation, such as business associate agreements or breach logs, to ensure that such documentation complies with current HIPAA law. As part of the Phase 2 audits, the OCR will also request lists of business associates from some covered entities, particularly information technology-related business associates. Covered entities should review their business associate lists for accuracy.
The OCR will notify the covered entities selected for an audit by letter, and the covered entity may have only a short window of time to initially respond. Staff should be informed that such a letter may arrive, and of its importance. In addition, covered entities need to have their audit response protocol in place, including the staff member in charge of the response and the individuals on the response team.
Security Rule Compliance
The OCR placed a heavy emphasis on HIPAA Security Rule compliance in the pilot audits. The Security Rule establishes standards for administrative, technical and physical safeguards that covered entities must implement to ensure the security of patient information. Covered entities need to document their risk analysis plans and update those plans at least every three years (though many HIPAA advisors recommend updating annually), and whenever there is an environmental or operational change in the organization. In addition, covered entities must show an active, documented plan to manage and reduce risks, and clearly indicate which area of the organization is responsible for risk analysis and management, whether it be Compliance, Information Technology, or another department. Finally, the covered entity must evaluate its compliance with the administrative, physical and technical safeguards set forth in the Security Rule.
Privacy Rule Compliance
The Privacy Rule establishes standards to protect medical records and other personal health information by setting limits on the uses and disclosures of such information, and gives patients rights over their health information. To prepare for a HIPAA audit, each covered entity should review its privacy policies and procedures to ensure that the policies are in compliance, as are the actual practices of the covered entity and its staff. In addition, the HIPAA Omnibus Rule required all covered entities to update their Notices of Privacy Practices by September 23, 2013. Accurate and adequate documentation is the key to demonstrating compliance with the HIPAA Privacy Rule. Any records involving HIPAA policies, training, breaches, sanctions, etc. should be maintained and readily available in preparation for an OCR audit.
Breach Notification Rule Compliance
The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of patient information. Every covered entity must have breach policies and procedures in place that comply with HIPAA and relevant state confidentiality and privacy laws. For each breach or other security incident, covered entities need to show auditors documentation of a completed breach risk assessment, and documentation of notification to individuals, the Office of Health and Human Services, and the media (if applicable), as well as any law enforcement delays placed on the required notifications.
What to Expect in a HIPAA Audit
As of May 2015, the OCR confirmed that it is in the process of verifying covered entity contact information,(2) indicating that Phase 2 audits could begin at any time. In addition to an unknown number of onsite audits, which will last between three and ten days, the OCR anticipates conducting about 200 offsite audits, which will be paper review only, and of limited scope. When the audits finally begin, the best way for a covered entity to respond is to provide all documentation needed to demonstrate compliance in the manner and timeframe requested, and to clarify any documents that are not clear on their face.
While the main goal of these audits is compliance improvement, if any serious compliance issues exist, the audit may result in an enforcement action. Such enforcement actions have increased recently, with over $10 million paid in settlements in 2014. As the OCR gains more financial resources through collecting settlements, the number of audits will only increase in the future. Privacy attorney Adam Greene, a former OCR employee, stated that he has heard anecdotally that the OCR has a significant pipeline of unprecedented settlement agreements and potentially record-breaking financial penalties.(3)
In addition to potential Federal penalties for non-compliance, the HITECH Act gave state Attorneys General authority to enforce HIPAA rules by bringing actions in state court on behalf of state residents. The Massachusetts Office of the Attorney General has taken advantage of this opportunity, resulting in recent settlements of $40,000 and $100,000 by two large Massachusetts hospitals as a result of stolen laptops containing patient information.
Additional Resources for Covered Entities
Now is the time for covered entities to prepare for a possible Phase 2 HIPAA audit. Below is a series of resources that covered entities can use to ensure that their policies, procedures and documentation are in compliance and will withstand the scrutiny of an OCR audit.
OCR Security Risk Analysis Guidance