Covered entities, including employer sponsored health plans, should brace for audits and enforcement of the Privacy, Security, and Breach Notification rules by the Department of Health & Human Service Office of Civil Rights (OCR) following OCR’s recent announcement of a large HIPAA settlement last month on the heels of its release of the preliminary results from Phase 2 of the HIPAA Audit Program.
Preliminary results from Phase 2 suggest that compliance with the HIPAA Privacy, Security and Breach Notification standards is largely “inadequate,” with over 94 percent of the covered entities failing to demonstrate appropriate risk management plans. A subsequent $2.3 million settlement with a covered entity highlights the importance for covered entities and their business associates to comply with HIPAA’s organizational, risk assessment, privacy and security, and other requirements.
As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements, covered entities may wish to take note of the following themes:
1. Implement a Risk Management Plan and Conduct Risk Assessments on a Regular Basis. Failure to implement a risk management plan and conduct regular risk assessments was one of the biggest HIPAA compliance points of failure in the OCR pilot audit program. Such programs are important to determine risk levels and assess the susceptibility of the covered entity to data breaches of electronically stored PHI.
2. Review Business Associate Agreements (BAA). Although there was an increase in awareness of the requirement that covered entities enter into BAAs with their subcontractors since the passage of the HIPAA Omnibus Rule in 2013, covered entities continue to fail to lay out PHI protective measures in the BAA. In order to survive an audit, the covered entity must be able to produce copies of all of its BAAs.
3. Train Employees. Lack of workforce training can lead to data breaches and other HIPAA compliance issues. A proper HIPAA training program for newly hired employees as well as annual training is ideal, and should be company and industry specific. Covered entities conducting such training should be sure to maintain copies of the training materials, and document attendance.
4. Report Breaches in a Timely Manner. Covered entities should maintain clear policies and procedures to ensure that breaches are reported in a timely manner within HIPAA’s notification timeframes.
While the particulars of each of OCR settlement varies, all send a very clear message that OCR expects covered entities to comply with HIPAA and is offering guidance to aid them in that process.