American Association for Physician Leadership


Phase 2 HIPAA Audits for Providers and Business Associates on the Horizon

Debra Cascardo, MA, MPA, CFP

February 8, 2016


Abstract:

HIPAA and the HITECH Act are highly nuanced laws, and the fines for not complying can be significant. The commencement of Phase 2 audits shows just how serious the OCR is about compliance and how determined it is to enforce HIPAA rules and policies. Although it is important to have written policies and procedures in place to initiate and prove compliance, documentation is just one aspect. Compliance is mandatory, and it is important that everyone affiliated with the office be trained in the policies and understand the importance of adhering to them. It also is necessary to monitor the systems on a quarterly basis and address any breaches found. The entire staff must take responsibility for ensuring compliance with HIPAA and HITECH laws.




Given the many competing priorities that practices face, HIPAA compliance may not be at the top of your list. Some practices even underestimate the importance of revising their compliance programs to ensure they are up to date. Although there are a few common “reality checks” that your practice should keep in mind as you work to comply with HIPAA rules, now is the time to pay attention to your covered entity and business associate agreements. Here come the Phase 2 HIPAA audits.

Phase 1 audits were part of a pilot program, which included only covered entities and was conducted between 2011 and 2012. The purpose of those audits was to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

For the Phase 1 audits conducted in 2011 and 2012, the Department of Health and Human Services Office for Civil Rights (OCR) developed audit protocols to measure efforts of some 115 covered entities. For the Phase 2 audits, the audit protocols were updated to encompass both covered entities and business associates. The OCR’s focus will continue to be on more thorough audits of covered entities, but will really hit hard on business associates in this phase. By bringing business associates into the scope for potential audits, this update has increased the reach of OCR audits, and I believe that it will continue to increase as time goes on.

The OCR issued a number of surveys during 2014 and into the start of 2015 with the goal of gathering information and building up its audit protocol. These surveys were indicators of pending, revitalized audits to come. These pre-audit screening surveys were sent to a pool of covered entities alerting them that they might be selected for a second phase of audits (Phase 2 audits) of compliance with the HIPAA Privacy, Security and Breach Notification Standards, as required by the HITECH Act.

These screening surveys had been delayed from the OCR’s original issue date in the summer of 2014. The Phase 2 audits to assess compliance for covered entities and business associates are underway, having started in the summer of 2015. It’s important to note that both covered entities and business associates are now subject to these revised HIPAA OCR audits and enforcement.

Business associates provide service to covered entities that include accreditation, billing, claims processing, consulting, data analysis, financial services, legal service, management administration and utilization review. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. A covered entity can be a business associate of another covered entity.

Surveys have indicated that only about a third of medical practices and staff were aware of these “revised” audits. This, in itself, indicates many covered entities and business associates still may not be fully aware of pending audits (or the enhancements to existing audit protocols) that could result in financial settlement or fines for noncompliance. For detailed information on business associates, please refer to the two articles that I wrote, “What to Do Before the Office of Civil Rights Comes Knocking,” Part 1 and Part 2, published in the Journal of Medical Practice Management in May and September of 2012.

Phase 2 Audits

The Phase 2 audit program will differ from the pilot program in that the Phase 2 audits will be conducted as desk audits. However, the OCR has reserved the right to conduct on-site audits as necessary.

Rather than a comprehensive review of all of the HIPAA standards, the Phase 2 audit program will focus on areas of greater risk to the security of protected health information (PHI) and on pervasive noncompliance based on OCR’s Phase 1 audit findings and observations. OCR also intends for the Phase 2 audits to identify best practices and assess controls and processes implemented by covered entities.

Some of the hot topics that will be included in the Phase 2 audits are as follows:

  • Risk analysis: timely, thorough security risk assessments;

  • Risk management: effective, ongoing risk-mitigation plans;

  • Breach notification policies: procedures and timeline for notification; and

  • Privacy policies: notice of privacy practices; individual access; privacy standards; reasonable safeguards; device and media control; transmission security; encryption requirement; written policies/procedures; training; regular monitoring; and regular review.

For business associates, specific targets include risk analysis, risk management, and breach reporting to covered entities.

What is the Difference between Phase 1 and Phase 2?

There are a couple of notable differences between the Phase 1 and Phase 2 audits. Phase 1 reviewed all of the HIPAA standards, whereas Phase 2 will focus on the key noncompliance areas identified in Phase 1, as well as those areas associated with PHI security. Discerning best practices for PHI compliance is another goal of Phase 2.

An entity, whether a covered entity or business associate, may be subject to civil monetary penalties in the event that a significant compliance concern is revealed. Taking the proper protective measures is mandatory.

Compliance

It is critical that your organization create consistent processes for managing breach incidents. Your practice’s culture should support consistent incident assessment. Compliance should be a critical component of your practice’s business strategy.

To ensure compliance, avoid the practices discussed in the following sections.

Failure to Keep Up with Regulatory Requirements

Gain a better understanding of the Security Rule’s implementation specifications, which are designated as “required” versus “addressable.” Some covered entities must comply with every Security Rule standard. For an addressable specification, covered entities must determine, after a risk assessment, whether it is reasonable and appropriate for their environment and, if not, whether the Security Rule allows them to adopt an alternative measure. Be sure to document everything, particularly since the OCR may look at encryption in this year’s audits.

Lack of a Documented Security Program

The OCR wants to know how you implement a security risk assessment program, so be sure your organization has a documented security awareness program. Once you know the requirements, assess your environment and your users. Does your organization have a security and compliance program in place? How well is it implemented? Who is involved? How often do you communicate? Everyone in your organization should be held responsible for ensuring the safety of data and following proper procedures. Have a plan and a point person in place, and ensure your compliance and security teams talk to each other. Create a committee with stakeholders and clear responsibility, and make sure the plan is documented, communicated, and enforced across the organization.

A Reactive Approach to Audits

Once you establish a security program, proactively monitor security and performance indicators, because OCR audits will focus heavily on breach plans and the controls you have in place to prevent breaches. Auditors will look at who has access to critical group memberships, so make sure you are auditing and reporting on user activity—including that of your privileged users. Auditors are increasingly interested in this area, due to the recent increase in insider incidents.

Assumptions Regarding Business Associates Agreements

Contractors and subcontractors who process health insurance claims are liable for the protection of private patient information. Make sure you have an updated business associate agreement in place, and ensure the chain of responsibility is documented, agreed upon, and reviewed frequently by both parties.

A Checkbox Approach to Compliance

Regulators want to discontinue the checkbox approach to compliance in favor of a risk-based security approach. Compliance and security must go hand in hand, and organizations will benefit from incorporating this mindset across both teams. Strong security measures make it easier to meet compliance regulations. By adopting an organizational self-discovery approach, you will have a higher level of visibility and awareness of internal issues, and achieve a more resilient business process and the next level of organizational maturity.

Preparation for Phase 2 Audits

When a physician’s office, a covered entity, or one of its business associates is contacted by the OCR, it has two weeks to respond to the audit request, which can be very specific. An OCR audit should be approached like a Joint Commission accreditation. Assuming the entity is compliant, everything should be organized and easily accessible.

Physicians should answer the following questions to be reasonably sure that no major violations exist:

  • Does your practice have a recently completed comprehensive assessment of potential security risks? If so, what is your corrective action plan and timeline to resolve the issues found?

  • Does your practice have a complete updated inventory of business associates and subcontractors, including their contact information?

  • Does your practice have comprehensive and up-to-date policies and procedures?

  • Have all of your electronic files been encrypted?

  • Do you have a breach notification policy that follows relevant state laws?

  • Do you have a compliant Notice of Privacy Practices in place, and not just a website privacy notice?

Conclusion

Make sure that your documentation is complete and up to date. If there is a breach of PHI, that breach must be reported unless it qualifies for one of the reporting exceptions.

HIPAA and the HITECH Act are highly nuanced laws, and the fines for not complying can be significant. The commencement of Phase 2 audits shows just how serious the OCR is about compliance and how determined it is to enforce HIPAA rules and policies.

Although it is important to have written policies and procedures in place to initiate and prove compliance, documentation is just one aspect. Compliance is mandatory, and it is important that everyone affiliated with the office be trained in the policies and understand the importance of adhering to them. It also is necessary to monitor the systems on a quarterly basis and address any breaches found. The entire staff must take responsibility for ensuring compliance with HIPAA and HITECH laws.

Useful Definitions to Clarify Phase 2 Audits

  • Business associate: an individual or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. One example would be a third-party administrator that assists a health plan with claims processing.

  • Business associate functions and activities: may include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.

  • Business associate services: may include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services.

Debra Cascardo, MA, MPA, CFP

Principal, The Cascardo Consulting Group, and Fellow, New York Academy of Medicine; phone: 914-358-9553; fax: 914-358-9554; e-mail: dcascardo@aol.com
