Joelle Duval comments on the implications of the reopening of the Health Information Technology for Economic and Clinical Health (HITECH) audit program and a new round of audits of HIPAA-regulated entities.
Healthcare Risk Management | July 2024
The Health and Human Services Office for Civil Rights (HHS OCR) has reopened the Health Information Technology for Economic and Clinical Health (HITECH) audit program and will begin audits of HIPAA-regulated entities later in 2024, according to public statements by OCR Director Melanie Fontes Rainer. The audits will focus on the Security Rule, particularly the requirements for security risk analyses and risk management.
The audits will be accompanied by other enhancements intended to promote better compliance with HIPAA. These changes will put more pressure on covered entities and require work ahead of time to avoid penalties.
The impending audits may be more of a threat to smaller institutions, says John W. Leardi, JD, attorney with the Buttaci Leardi & Werner law firm in Princeton, NJ.
“I think most institutional or large providers probably, because of how resource-intensive they are compared to others, are probably fine, right? Or at least if they’re not, there’s no excuse for it,” he says. “My concern here in terms of vulnerability is going to be medium to small practices and independent practices, not part of a health system, not part of a larger institutional system.”
Leardi notes that the HIPAA Security Rule is about 20 years old now, and OCR probably is looking to update it. The audits may provide some guidance, he says.
“Some of it has become dated. The landscape of how we maintain health information is dramatically different now than it was 20 years ago,” Leardi says. “A substantial portion of the industry now has adopted electronically based storage as opposed to maintaining manila folders in the office. There has been some chatter that it needs to be revisited and, perhaps, updated to closely align with where we are in the industry. It’s not surprising that maybe these audits are designed as much about enforcement as they may be gathering data to determine the touch points in industry that are most in need of focus in any proposed rulemaking or adjustments.”
Many covered entities will not be ready for the audits, says Jeffery P. Drummond, JD, partner with the Jackson Walker law firm in Dallas.
“I think it’s going to catch people by surprise because nobody knows what we’re being tested on. There’s no study guide,” he says. “A more explicit message from OCR saying there are 10 things here that are listed, a list of possible bad things that can happen to you, would be helpful. They haven’t really done something that explicitly. It would be better for them to say we’re going to re-audit in two years and here are the things we’re going to be looking for, here is a list of things you need to do.”
No More Checking the Box
With the announcement of the return of the OCR HIPAA audit program, the days of the “check the box” risk assessments and HIPAA compliance program evaluations may be gone for good, or at least until OCR pauses the program again, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ. It has long been understood that HIPAA requires covered entities and business associates to conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), he says.
“But, notwithstanding entities that have fallen victim to some form of cybersecurity incident, most entities have taken this requirement as merely a quick review and response to a privacy and security questionnaire to ensure that all the requirements of the security and privacy rules are attested to for documentation purposes,” he says. “Often, this means that there is no validation of the required controls to ensure that they are operating as they should and do not need attention.”
Howard says he often has seen entities that have allowed the value of the risk assessment process to take a back seat while they focus on more seemingly pressing business matters. This is understandable to a point, he says, but clearly is not what was intended by the Rule when it was made. The announcement of the return of the federal audit should change this, he says. Howard suggests that covered entities and business associates should, at least, do the following to prepare for a potential audit by OCR:
- Review past risk assessment results and ensure any findings were addressed or plans have been put in place to do so.
- Conduct new risk assessments that look for validation of compliance measures being in place through pen testing, vulnerability scans, employee interviews, configuration validations, and access and control sweeps.
- Clearly document any findings, remedial measures, and plans for moving forward based on criticality if issues are found.
- Clearly identify any cybersecurity framework being relied on and how it has been implemented.
- Make sure appropriate leadership is kept aware of the state of the entity’s HIPAA compliance activities.
“These are necessary basic steps that I see missed over and over again that apply to risk assessment and risk management requirements under HIPAA. It is important that these also apply equally to the security and privacy side of the house,” Howard says. “Don’t forget to review the processes and procedures for responding to patient rights requests and making sure an entity’s privacy practices are clearly communicated. This applies to privacy practices between an entity and its patients, business partners, affiliates, and vendors.”
Structured relationships are necessary to ensure compliance along the entire service chain where (e)PHI is involved, he says. It also will be important for covered entities and business associates to remember that HIPAA requires technical and nontechnical evaluations of an entity’s policies and procedures to make sure they are compliant with HIPAA’s various requirements, he says. This is completely separate from the risk assessment requirements and can be more closely equated to a HIPAA compliance program review, Howard notes. The output of this evaluation can be used to create an audit book that can be a great resource when the auditors come knocking.
“Overall, the return of the OCR audit program is a good signal that it is time for regulated entities to start putting processes in place now to identify any compliance gaps they may have and develop plans for resolving the more pressing issues found through risk assessments and program evaluations,” Howard says.
OCR Sending Survey
OCR indicated in a notice published in the Federal Register that it will send an online survey consisting of 39 questions to the 207 covered entities and business associates that participated in the 2016-2017 OCR HIPAA audits, explains Layna Cook Rush, CIPP/US, CIPP/C, shareholder with the Baker Donelson law firm in Baton Rouge, LA. OCR specifically asks for information regarding subsequent HIPAA compliance actions taken by the survey recipients as a result of the previous audits to evaluate the effectiveness of the audits and the counseling the organizations obtained from OCR in response to the audits, she says. Presumably the information gathered will be used to develop an updated audit program for future use, she says, adding that OCR has not expressly stated that the audit program will return or provide information on when audits will resume or what will be different. Because the requirements for covered entities and business associates have not substantially changed since the 2016-2017 OCR HIPAA audits, if there is a next phase of audits, OCR likely will focus on the same requirements, she says.
However, there may be increased scrutiny of cyber performance, given the proliferation of cybersecurity incidents in the healthcare industry and OCR’s focus on technological security preparedness and resiliency, she says.
While OCR has not provided details on a new audit program, it is likely that the selection process will mimic the audits in 2016 and 2017, she says. OCR identified organizations that represented a wide range of covered entities; its sampling criteria included size, affiliations, location, and whether an entity was public or private.
The audited covered entities submitted lists of all their business associates, which OCR combined to create a pool of business associates, she says. OCR randomly selected business associates from the pool to audit.
“OCR has stated that the audit program is used to identify best practices gleaned through the audit process and to inform guidance targeted to identified compliance challenges,” Rush says. “Since the last audits, OCR has routinely published sub-regulatory guidance to covered entities on different aspects of the HIPAA privacy and security rules.”
In conjunction with the previous audits, OCR also published a comprehensive audit tool that covered entities and business associates could use to gauge compliance with HIPAA, Rush notes. The prospect of an audit and the availability of the tool resulted in many organizations reviewing their compliance posture and making positive changes, she says, and the same industry response is likely if the audit program is re-instituted.
The HITECH Act requires OCR to periodically audit covered entities and business associates for HIPAA compliance, so OCR’s failure to continue the audit program is in derogation of the requirements of the HITECH Act, Rush notes. OCR may be gearing up for another phase of audits to ensure it is complying with legal directives, she says.
“Another potential driver is the increase in security-related breaches that result from cybercrime. The audits may be a piece of the overall goal of seeing covered entities and business associates strengthen their protection of PHI,” she says. Rush notes that HHS also has recently launched new Healthcare and Public Health Cybersecurity Performance Goals to provide healthcare delivery organizations with practices that will “strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.”
“It is likely that only a few organizations will be selected for audit if the program is reconstituted, but organizations that have not utilized the OCR audit protocol should consider such a review in anticipation of OCR resuming the program,” Rush says. “Covered entities should review the OCR audit protocol in anticipation of the return of the audit program. Further, covered entities should ensure that they have conducted a recent security risk assessment, instituted a risk mitigation plan in response to the assessment, and developed policies and procedures for compliance with the HIPAA Rules.”
The audits should not strike too much fear in the hearts of covered entities that are making a good faith effort to comply with HIPAA, says Joelle Duval, JD, an attorney with the Coffey Modica law firm in White Plains, NY. “While it goes without saying that nobody likes to be audited, least of all by the United States government through HHS or the IRS (Internal Revenue Service), covered entities that have complied, or made a valiant and demonstrable attempt to comply with the myriad of regulations and protections mandated by HIPAA, should take comfort that their efforts will shield them from violations, or substantially reduce the crushing fines that HHS is known to give for violations of protected health information,” she says.
Duval suggests that these covered entities should even be proud to be among those selected for audit by HHS to demonstrate to other comparable covered entities that compliance is possible and slip-ups forgivable to a large degree — “even if, just like the one student that always sat in the front row of the class and raised his/her hand for every question, they are ‘hated’ for passing the course and always knowing the answer.”
For those entities that have not made the effort, the audits will be problematic. “Those covered entities who have ignored the regulations, by choice or necessity, such as perhaps lacking resources to keep up with the privacy and security rule regulations, sadly there is little advice to give them other than to say that the dice they have been rolling have just hit snake eyes,” Duval says. “Quite simply, there are few excuses covered entities can have that HHS would likely accept as mitigation to identifying violations and breaches during an audit. In fact, I cannot think of one viable excuse to suggest. Even a comet crashing to earth and knocking out the power grid would have HHS asking the covered entity about what safeguards were in place should there be a complete loss of power.”
HIPAA and its privacy and security rules have been in effect too long, and reports of data breaches, identity theft, and data ransoms are too widespread to the general population for a covered entity to be unprepared to stand up to HHS scrutiny, Duval says.
Whistleblowers Encouraged?
An unexpected effect from the reemergence of random HIPAA audits may be the encouragement of whistleblowers, she says. Covered entities often maintain a smiling public face touting their lack of any tolerance for HIPAA violations, Duval says, proclaiming “if you see something, say something” or “report and you will be supported” or “HIPAA violations will not be tolerated here.” But the actual internal practice is really one of punitive retaliation against employees reporting violations, she says. It is surprisingly common but seldom recognized, Duval says, that some of the largest private and public covered entities are the most punitive to those internal personnel voicing legitimate concerns regarding negligent data practices and the routine practice of turning a blind eye.
“HIPAA violations happen, most often inadvertently, but at times negligently. HHS recognizes this reality, and covered entities facing violations or breaches can mitigate their damages,” she says. “But, regardless of how an adverse event happens, covered entities who have made it a regular practice to bury their heads in the sand or sweep violations and reporters under the rug rather than acknowledge — by reporting when obligated to do so — and attempt to rectify the situation will find themselves in a much deeper hole than underneath the sand.”
Therefore, covered entities should be prepared for HHS to come knocking at their door by not only examining their compliance practices under HIPAA, but also looking at their actual internal practices of compliance, including how employees are received when they voice legitimate concerns in order to protect HIPAA compliance and the covered entity, Duval says.
“It should not be surprising, therefore, for a random audit by HHS to stir up unrecognized and illegal state and federal employment practices,” she says. “And those covered entities [that] have taken a punitive approach or turned a deliberate blind eye to employees reporting actual or suspected HIPAA violations may find themselves under the dual scrutiny from both HHS; state and federal Departments of Labor; and, most frightening, plaintiff attorneys.”
Weak Risk Analysis?
A crucial element of the HIPAA Security Rule is conducting risk analysis, something that historically has been a weakness for many organizations, notes Michael Parisi, head of client acquisition with Schellman, an information technology compliance and cybersecurity firm in Tampa, FL.
“Poor risk analysis practices are major contributors to the increase in breaches we’ve seen in past years,” he says. “In fact, more than 90% of the OCR HIPAA settlement actions regarding ePHI breaches involved an insufficient risk analysis or risk management program.”
With the news that OCR is reinvigorating its HIPAA audits, it is important for organizations to take a look at when their last risk assessment was — if ever — and what actions they have taken since then, Parisi says. From there, they need to identify if they acted on making the appropriate security updates to address identified vulnerabilities and whether they have maintained those practices.
Parisi highlights these pitfalls many organizations face when it comes to HIPAA risk analysis and risk management:
- Skipping the step of threat analysis, which should happen even before the risk assessment. Organizations need to look through all potential existing threats, identify which are relevant to them, and have those threats reflected in the risk assessment.
- Not including all systems that touch ePHI in the risk analysis/management program, and not identifying which threats are relevant to the organization. Overlooking these systems leaves them vulnerable to attack and leaves the organization vulnerable to penalties.
- Inadequate risk analysis. Organizations should look to existing resources like the OCR Guidance on Risk Analysis Requirement or NIST SP 800-30 Guide for Conducting Risk Assessments for help when conducting analysis.
- Neglecting to reassess on a specified basis and not performing updated analyses when a change in the environment introduces new risks.
Being caught out of compliance can mean significant financial penalties, as well as reputational damage, Parisi says. Prioritizing these risk requirements not only preserves HIPAA compliance, but also mitigates risk for a breach or cyberattack.
One suggestion is for organizations to package up their “HIPAA story,” he says. Instead of having a risk assessment in one place and policies and procedures in another, it behooves the company to pull everything together with a cover page that tells the story of their HIPAA compliance journey and gives OCR everything it needs in an easy-to-access bundle, he says.
“This movement of bringing back HIPAA audits is a step in the right direction from OCR in the efforts for a more secure healthcare system,” Parisi says. “It is, however, just a first step, and I think we can anticipate seeing continued movement from the OCR and HHS to implement additional standards and requirements beyond HIPAA, especially in light of recent breaches.”