Jocelyn Samuels, the Director of the OCR, has confirmed that Phase Two of the HIPAA compliance audits will commence in early 2016 and that organizations need to prepare if they have not done so already; and according to HIPAA Journal, business associates will not be excluded from the audits this time. The original audits (Phase One) were aimed primarily at educating covered entities. They did include companies who appeared on the OCR Wall of Shame, as covered in this Zix webinar, but not typically companies that suffered breaches with fewer than 500 patient records exposed. Not this time around: in Phase Two, audits are to be expected not only of covered entities of all sizes, but also of their business associates, who supposedly have had time to get their houses in order; and fines and enforcement orders are anticipated.
The OCR is under great pressure: senators and congressmen from both sides of the aisle have accused the OCR of not protecting breach victims, including not doing enough to investigate smaller breaches and to implement corrective actions. Worse for the OCR, this report from the Inspector General’s Office found the following:
OCR’s oversight is primarily reactive, with OCR investigating possible noncompliance primarily in response to complaints.
OCR has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities.
In 24 percent of cases where OCR requested corrective action, it subsequently failed to obtain complete documentation of corrective actions taken by the covered entities.
Some OCR staff rarely or never checked to see whether a covered entity had been previously investigated. The OIG found that the staff’s failure to check for previous investigations may be due to the limited functionality of its case tracking system.
Hence the OCR is on the ropes and obliged to take a more aggressive stance for Phase Two. So in early 2016, we anticipate it choosing 200 entities, both covered entities and business associates, for auditing. We also anticipate that a proportion of companies that have suffered breaches both above and below the 500-record threshold will come under scrutiny, and that these audits will be rigorous.
If you have not already done so, you need to complete a professional security risk assessment: believe it or not, during Phase One it was found that two-thirds of companies had not even completed this baseline document. Next, clearly document all your required policies and keep records showing that your staff are complying with them. Make sure you have a designated Security Officer and a Privacy Officer, and that they are fully conversant with their obligations.
Finally, make sure your staff are trained to use electronic systems, both operationally and ethically; trained to recognize social engineering; and trained to use an automated secure email encryption system such as ZixGateway. If you have not done so already, now is definitely the right time to prepare.