Federal regulators are actively preparing to conduct extensive audits to determine business compliance with the privacy and security requirements of the Health Insurance Portability and Accountability Act (“HIPAA”). Covered businesses that handle Protected Health Information (“PHI”), i.e., individually identifiable health information transmitted or maintained in any form, are required to be HIPAA compliant and are subject to substantial monetary fines if found in violation of HIPAA rules. Traditionally, the federal government has focused its enforcement actions on health plans and health care providers. This is changing.
The HIPAA audit process, expected to commence in the summer or fall of 2015, is viewed as a major enforcement action by the responsible agency: The Department of Health and Human Services’ (“HHS”) Office of Civil Rights (“OCR”). The Director of OCR, Jocelyn Samuels, said that the audits will “proactively uncover risks and vulnerabilities [of businesses’ HIPAA compliance].” Audited businesses will be required to demonstrate strict compliance with applicable HIPAA requirements. Accordingly, it is critical that any organization subject to HIPAA have applicable compliance policies and security measures in place before the audits begin.
Businesses Subject to HIPAA & Audits
Two categories of businesses are required to be HIPAA compliant: Covered Entities, health plans and health care providers that transmit PHI in electronic form; and Business Associates, entities that create, store, maintain or transmit PHI for a regulated activity on behalf of a Covered Entity. Business Associates include telecommunications and information service providers that transmit or retain PHI, and medical equipment manufacturers whose devices store PHI.
Audits are Heating Up
OCR has already commenced sending out “screening surveys” to several hundred potential audit targets, including Business Associates. The screening surveys gather data about the operations of potential auditees regarding their HIPAA privacy, security, and breach notification procedures. Any business receiving a pre-audit survey is required to respond within a set period of time. If OCR is dissatisfied with the response, it will likely commence a full audit. OCR has stated that it may conduct remote desk audits or on-site audits, depending on the perceived needs and resources available.
Sanctions for Non-Compliance
Monetary sanctions for failing to comply with HIPAA are steep. OCR is authorized to levy penalties of more than $50,000 per violation, even if OCR determines that the breach was unintentional. For willful violations not timely corrected, OCR could impose penalties of up to $1.5 million per calendar year.
The crux of OCR’s audits is to determine compliance with the “HIPAA Omnibus Rule,” a set of regulations intended to enforce the privacy and security provisions of HIPAA and its companion legislation: The Health Information Technology for Economic and Clinical Health Act (“HITECH”). The rules are complex; a detailed analysis is beyond the scope of this advisory.
In general, the HIPAA Omnibus Rule requires Business Associates to: (a) have safeguards in place to protect against unauthorized use and disclosure of PHI; (b) report breaches to Covered Entities; (c) ensure that their subcontractors that handle PHI are HIPAA compliant; and (d) have Business Associate Agreements (“BAAs”) that include PHI privacy and security provisions with all Covered Entities and subcontractors with whom they work. All compliance procedures and records must be documented, and records made available to OCR if requested.
Business Associates should ensure that all their subcontractors and Covered Entities that handle PHI are HIPAA compliant and have the appropriate safeguard procedures in place. Accordingly, HIPAA requires that Business Associates have BAAs containing all applicable HIPAA compliance language with their subcontractors and Covered Entities. The terms of these contracts are critical, because a careless agreement could result in a Business Associate assuming HIPAA compliance responsibility that it would not otherwise have, and liability for breaches caused by the other entity.
Preparing for Audits — Time is of the Essence
OCR could launch its audit processes at any time. Hence, the time is now for all Covered Entities and Business Associates to prepare for an OCR audit. At a minimum, those subject to HIPAA obligations should review their HIPAA security policies, procedures and records to determine if they could withstand an audit. A recent survey by a reliable information media research group revealed that a substantial percentage of Covered Entities and Business Associates could not meet OCR audit requirements. Many of those entities believed they were HIPAA compliant, but upon minor scrutiny discovered that they were not.
It is critical that all Business Associates take the time to focus on HIPAA compliance. With the current political and media focus on patient privacy, it is clear that, in addition to the imminent mass audits, OCR will engage in HIPAA-related investigations and enforcement for the foreseeable future. Consultation with knowledgeable counsel would help Business Associates review existing compliance measures and take the steps necessary to mitigate the risk in any audit or enforcement action before OCR comes knocking at the door. The CommLaw Group has attorneys with expertise in HIPAA compliance, audits, and contracting matters. For more information, please visit our website: Information Privacy, Data Security & Consumer Protection practice.
If you have questions about any of the issues covered in this alert, or HIPAA compliance in general, please contact Linda McReynolds at firstname.lastname@example.org or (703) 714-1318.