POPULAR | March 1
Staying HIPAA Compliant in 2017: What Do You Need to Know?
HIPAA audits are coming, be prepared with what you need to do in order to keep your company safe.
When it comes to HIPAA compliance in the healthcare industry, 2017 promises to be a banner year.
But before we discuss exactly why that is, let’s set the stage for how that has come to be.
In 2011, the Office for Civil Rights – a branch of the US Department of Health & Human Services – spearheaded a campaign to improve the security of citizens’ protected health information (PHI) and increase the integrity of the covered entities that provide healthcare services to these individuals.
Throughout the following years, the OCR began an audit program to “assess the controls and processes covered entities have implemented to comply with (HIPAA law).”
The OCR then analyzed 115 covered entities using the newly-developed audit program to determine not only the integrity of said covered entities, but the integrity of the audit program, as well. The OCR referred to this process as “Phase 1,” which was somewhat of a “dry run” for the program.
In 2016, the OCR entered “Phase 2” of this campaign. The organization entered this phase prepared to conduct full-scale audits of both covered entities and their business associates, and – as of December 2016 – maintained its scheduled course for doing so.
So what does this mean for your healthcare-related organization?
Phase 2 means an increased possibility of audits, more scrutiny from the OCR during these audits, and heavier sanctions levied against your organization if it’s found to be negligent or non-compliant with HIPAA protocol.
This all might sound a bit frightening; but there’s no need to panic. The purpose of OCR’s initiative is to raise the bar for all healthcare-related organizations across the country, in turn improving the service each of them provides to their patients. As long as you understand what’s expected of your organization – and work diligently to ensure compliance with HIPAA rules and regulations – these audits will simply be confirmation of your organization’s ability to provide its patients with superb care and service.
Who Should Expect to Be Audited?
While the OCR focused specifically on auditing covered entities in 2016, in 2017 it intends to audit both covered entities and their business associates.
Covered entities include:
- Individual or organizational healthcare providers
- Health Plans of all sizes and functions
- Clearinghouses that handle healthcare-related information and PHI
Essentially, any organization that deals directly with patient care and PHI is considered a covered entity. All personnel within such an organization – from doctors and nurses to maintenance and custodial staff – are bound by HIPAA laws.
Business associates of covered entities include, but are not limited to:
- Temp agencies and hired staff
These individuals or organizations may not work exclusively with healthcare-related businesses, but, when they enter into a contract with a covered entity, they become bound by HIPAA law in the same way as a covered entity.
Of course, the OCR will not be auditing every covered entity or business associate in the country. But that doesn’t mean you should assume you’re in the clear because your organization is smaller in size, or, as a business associate, you only seldom work with healthcare organizations.
According to HHS.gov:
“Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR.”
In other words: all covered entities and business associates are fair game for an audit from the OCR in 2017. The only organizations who aren’t eligible for audit are those which are already under investigation for breaches of HIPAA protocol.
What Will Auditors Be Looking For?
While the list of areas the OCR will assess is rather extensive, there are two main aspects of compliance the audits plan to focus on:
- Systemic problems
- Technology protocol and usage
Systemic problems are those which are rooted in the policies and procedures of a healthcare-related organization that inherently result or would result in ongoing breaches throughout day-to-day operations. In other words, these are not one-off, incidental mistakes, but rather continual breaches that point to a problem with an organization’s workflow and processes.
(Note: This is not to say that auditors will overlook one-off mistakes, but rather organizations with systemic problems will face a much higher level of scrutiny than those that may need to do some minor “housekeeping.”)
As technology becomes more and more prevalent in healthcare-related organizations, the OCR is increasing its level of scrutiny in this area, as well.
Auditors will be assessing covered entities’ and business associates’ focus on security to ensure that electronic data is securely saved, stored, and – when necessary – transmitted. They’ll also analyze the processes organizations have in place to ensure the integrity of these security features, and to mitigate damage done should a security breach occur.
Auditors will also assess organizations’ patient-facing technology, such as websites and apps that allow patients to access their own PHI. In addition to assessing the security of these “patient portals,” the OCR will also assess the level of accessibility these portals offer for users with disabilities, such as those who are hard of hearing or sight.
The OCR is focusing heavily on fixing problems at their root, and are focusing on organizations that have shown continuous non-compliance with HIPAA rules and regulations. However, minor breaches may be signs of a much bigger problem, so healthcare organizations are advised to take care of HIPAA-related issues immediately, no matter how small or inconsequential they may seem.
What Happens if an Infraction is Discovered?
As alluded to earlier, the OCR’s purpose for conducting these audits is to determine areas in which covered entities and business associates need improvement, and to help them make said improvements, in turn increasing the quality of service they provide their patients.
That being said, the consequences an organization may face should infractions be uncovered vary depending on the number of infractions found, as well as the severity of such.
While minor or incidental infractions certainly are not excusable in the eyes of the OCR, organizations likely won’t face heavy fines or penalties if a few “easy fixes” are discovered. However, if these minor incidents point to a much larger, systemic problem, this may be cause enough for the OCR to open a deeper investigation into the issue.
If minor infractions are discovered, the OCR will develop tools and guidance plans to help the organization fix the problems and maintain compliance with HIPAA across the board. When provided with these tools and plans for improvement, organizations are expected to put them into practice immediately – and can expect to be checked in on by the OCR in the months to follow.
On the other hand, if major infractions – such as the systemic problems mentioned earlier – are discovered, the OCR will then conduct a much more in-depth compliance review to determine the cause of the problem, as well as any consequences the organization may be subject to.
According to HIPAA Journal, there are four classifications of HIPAA violations:
- Category 1: A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
- Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
- Category 3: A violation suffered as a direct result of ‘willful neglect’ of HIPAA Rules, in cases where an attempt has been made to correct the violation
- Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation”
There are also four levels of penalties that organizations may face, depending on the severity of their violation:
- Category 1: Minimum fine of $100 per violation up to $50,000
- Category 2: Minimum fine of $1,000 per violation up to $50,000
- Category 3: Minimum fine of $10,000 per violation up to $50,000
- Category 4: Minimum fine of $50,000 per violation”
Note, however, that a rather minor mistake that leads to a major security breach would be classified as a severe violation, leading to severe sanctions against the organization as a whole.
Also note that the minimum fines listed above are “per violation.” Multiple violations count separately against an organization – meaning even “minimum” fines can pile up quickly.
Furthermore, a single violation – if left unchecked – can count against an organization multiple times. For example, if the OCR gives an organization 30 days to fix a major compliance issue, but the organization takes 60 days to do so, it can be fined the determined amount 30 times, or once per day.
Overall, the OCR’s focus during an audit is on helping an organization come into compliance and avoid any potential HIPAA-related issues in the future. However, if those within an organization show they aren’t making a concentrated effort to become compliant – or continually show to be grossly negligent – the OCR will almost certainly resort to monetary punishment.
The OCR has doubled-down on its 2016 campaign to audit – and hold accountable – covered entities and business associates with regard to HIPAA rules and regulations.
But this isn’t a bad thing.
As your organization more diligently aligns with HIPAA protocol, it will become better equipped to provide top-level service to its patients.
Though maintaining full HIPAA compliance may seem like a daunting task, it doesn’t have to be. Accountable’s on-demand training sessions can help all members of your organization understand exactly what’s expected of them, and what they need to do to ensure they remain HIPAA compliant.