The 2009 HITECH Act deputized the Office of Civil Rights (OCR) to conduct HIPAA security audits under the auspices of the Department of Health and Human Services’ (HHS). But as it turns out, OCR is not the only HIPAA enforcer in town. State attorneys general can claim a similar right to audit; in fact several were initially trained by OCR to do so. In the second half of 2013, the Center for Medicare Services (CMS) began conducting audits of eligible hospitals and providers that had received payments under Stage 1 of the Meaningful Use (MU) EHR Incentive Program. While there are many core MU requirements, conducting a security risk analysis is one that CMS zeroed in on, finding it the most common audit failing.
Now, even more Federal agencies are getting into the act. The Federal Trade Commission (FTC) recently asserted its right to challenge data security measures at HIPAA-covered entities that constitute unfair “acts… or practices” under the FTC Act. HHS’ Office of Inspector General (OIG) has standing to audit Meaningful Use incentive payments to eligible professionals and hospitals. Eligibility for those payments depends on the implementation and adoption rate of certified EHR systems, thus OIG looks into that as well. But they don’t stop there. In OIG’s 2014 Work Plan, the agency says it intends to play a role in auditing the security of certified EHR technology (CEHRT) and even extends their reach to certain business associates, specifically stating:
“We will perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology. Furthermore, business associates that transmit, process, and store EHRs for Medicare/Medicaid providers are playing a larger role in the protection of electronic health information. Therefore, audits of cloud service providers and other downstream service providers are necessary to assure compliance with regulatory requirements and contractual agreements.”?
OCR isn’t backing off either. Just before last month’s HIMSS 14 Conference, the agency announced it would be conducting a “pre-audit survey”? of up to 1,200 HIPAA covered entities (health plans, health care clearinghouses, and certain health care providers) and BAs. According to OCR, they want to first gather information regarding the size and complexity of a large sampling of organizations before identifying specific audit targets. The data request includes such broad markers as revenue, # of locations, and # of patient visits as well as specifics about their use of electronic information.
At Redspin, we believe the primary aim of the survey is to not so much to determine an organization’s “readiness”? for an audit (which seems a bit counterintuitive) but more so that OCR can focus its resources on higher risk organizations.
One thing that OCR is certain to look closely for will be the existence and comprehensive of HIPAA risk assessments. During a December 2013 HIT Policy Committee meeting, Sue McAndrew commented that the failure to conduct security and risk assessment represented the majority of OCR’s findings during its 2012 audit program and that it will be a critical part of 2014 criteria.
In summary, at Redspin we believe that the best preparation is a robust information security program. We get a chuckle out of some of the HIPAA compliance-oriented firms who are offering “mock audits” as a way of preparing covered entities and business associates for the real thing. Redspin’s mission has always been to help healthcare organizations safeguard PHI from data breach and ensure the integrity and availability of electronic health record technology. Mock audits are like a student studying only to pass an exam rather than actually learning to succeed in the real world. Our HIPAA security risk analysis services enable our clients to evaluate threats and vulnerabilities, and then make informed decisions regarding prioritization, investments, technologies, and staffing. That way, no matter which auditor comes knocking at your door, you’ll be well prepared. Most importantly, you’ll have truly lowered your risk.