The past week has brought no fewer than three significant HIPAA announcements: the publication of the audit protocol that is being used in the Office for Civil Rights’ (“OCR”) current privacy and security audits; the first HIPAA financial settlement with a state agency; and a further delay of the final HIPAA “omnibus” rules. These various news items offer a tool for assessing compliance, an indicator that no covered entity may be immune from formal enforcement, and yet another bump on the road towards the next phase of HIPAA regulations.
A few takeaways from these developments:
- Even a relatively small breach may lead to a large settlement if the subsequent investigation indicates widespread noncompliance.
- The publication of the audit protocol suggests that robust documentation of compliance efforts is a key to passing a privacy and security audit, but leaves a lot of unanswered questions about the standards upon which entities are being assessed.
- The final HIPAA omnibus rule remains out of OCR’s hands for the time being, and the extended delay raises the question of whether there are prolonged discussions with the Office of Management and Budget (“OMB”) that may significantly alter the final rule from what was proposed.
OCR publishes the audit protocol
On June 25, OCR published the audit protocol that is being used in the current round of privacy and security audits. The audit protocol includes 165 “key activities” (88 related to the Security Rule, 10 related to Breach Notification, and 78 related to the Privacy Rule). For example, a key activity under the Breach Notification Rule is “Timeliness of Notification.” A given key activity may have a number of associated audit procedures. With respect to sanctions under the Privacy Rule, for example, the associated audit procedures include:
Inquire of management as to whether sanctions are in place against members of the covered entity's workforce who fail to comply with the privacy policies and procedures. Obtain and review formal or informal policies and procedures to determine if sanctions are identified/described in the event members of the workforce do not comply with the entity's privacy practices. From a population of instances of individual/employee non-compliance within the audit period, obtain and review documentation to determine whether appropriate sanctions were applied. Obtain and review evidence that the policies and procedures are updated and conveyed to the workforce.
This audit protocol emphasizes documentation of HIPAA compliance efforts. Accordingly, covered entities and business associates that have robust policies but little documentation of implementation may want to consider beefing up evidence of their continued compliance.
The audit protocol represents a mixed bag. On the positive side, the audit protocol provides questions that auditors will be asking with respect to compliance with HIPAA’s privacy, security, and breach notification provisions. Covered entities and business associates can go through these questions themselves for purposes of conducting a gap analysis (although not all questions will be applicable to business associates). The result should be a significantly improved privacy and security program. In particular, this audit protocol, combined with the recently published National Institute of Standards and Technology (“NIST”) HIPAA Security Rule Toolkit and videos of training to state attorneys general, provides a wealth of information to covered entities.
The audit protocol, however, is a disappointment in other respects. It does not provide much detail as to the standards against which the audited entity is being judged. For example, with respect to the Privacy Rule’s requirement for administrative, technical, and physical safeguards, the audit procedures require the auditor to “[o]bserve and verify whether the safeguards in place are appropriate.” However, it remains unclear what safeguards are appropriate (e.g., does all physical protected health information need to be kept locked, or only that which would cause significant harm if viewed by an unauthorized person?). The audit protocol also suggests new obligations that are not clearly stated in the regulations or prior guidance. For example, with respect to evaluations of security measures, the audit procedures require that the auditor:
Inquire of management whether evaluations are conducted by internal staff or external consultants. Obtain and review a sample of evaluations conducted within the audit period to determine whether they were conducted by internal staff or external consultants. For evaluations conducted by external consultants, determine if an agreement or contract exists and if it includes verification of consultants' credentials and experience. For evaluations conducted by internal staff, determine if the documentation covers elements from the specified performance criteria.
The above appears to exceed the requirements of the Security Rule, which does not require covered entities to verify the credentials of outside evaluators (which is not to suggest that doing so is not a good idea).
The audit protocol also appears to be missing some relevant sections of HIPAA. For example, it references the standard for "transmission security," but does not include the related implementation specifications. It is unclear whether this means that the auditors are not looking at such implementation specifications (integrity and encryption of transmissions), or whether they are merely absent from the published protocol.
Finally, the audit protocol raises some questions regarding interpretation of the regulations. For example, the Security Rule includes both standards and implementation specifications. The implementation specifications are listed as either “required” or “addressable,” but the standards are not labeled in the same manner. The audit protocol suggests that a standard, when it also has implementation specifications, is addressable rather than required. For example, the audit protocol treats implementing a security awareness and training program for all members of the workforce (a standard) as addressable, rather than required. This may come as a surprise to many, who may have interpreted that such standards were required.
OCR settles with Alaska Medicaid for $1.7 million
On June 26, OCR announced a resolution agreement and corrective action plan with Alaska’s Medicaid agency, the Alaska Department of Health and Social Services (“DHSS”). The precipitating event was the theft of a portable external hard drive from the vehicle of a DHSS employee. According to the breach data that DHSS submitted to OCR, the incident involved the records of 501 individuals, a relatively small number compared to other breaches on OCR’s breach report website. Upon investigation, however, OCR allegedly found that DHSS had not completed a risk analysis in accordance with the Security Rule, had not implemented sufficient risk management measures, had not completed security training of its workforce, had not implemented device and media controls, and had not addressed device and media encryption. The resolution agreement involves the payment of $1.7 million, and the corrective action plan lasts for three years and focuses on security surrounding devices containing electronic protected health information (e.g., procedures for tracking, safeguarding, encrypting, and appropriately disposing of or re-using such devices), responding to security incidents, applying sanctions to workforce members who violate the corrective action plan’s policies, training, and conducting risk analysis and risk management. DHSS also must obtain the services of an independent monitor, which may significantly add to the cost of the resolution.
After the last financial settlement (with a small physician practice), OCR is continuing to deliver its message that formal settlements may occur with respect to any size or type of covered entity. This case raises interesting issues such as, in this time of tight budgets, the propriety of a federal agency collecting settlement dollars from a state Medicaid agency (the resolution agreement alternatively could have only included a corrective action plan). It also raises the question of whether OCR will also pursue formal enforcement against federal entities, such as the Veterans Health Administration.
Additionally, of 10 OCR settlements/penalties to date, this is the fourth from Region 10 (of 10 regions), which primarily handles the Pacific Northwest (although it also handled the Phoenix Cardiac Surgery settlement). In comparison, four regions have not brought any formal enforcement cases.
The HIPAA omnibus rule is further delayed
Finally, on June 22, the OMB website indicated that OMB extended its review of the so-called HIPAA omnibus rules for an indeterminate period of time. The omnibus rule would finalize the proposed HITECH Act rule (July 2010), the interim final breach notification rule (August 2009), the interim final enforcement rule (October 2009), and the proposed modifications pursuant to the Genetic Information Nondiscrimination Act (October 2009). While OCR recently has been stating that the omnibus rule is not just close, but “very close,” its publication is out of OCR’s hands until it gets OMB clearance. Accordingly, covered entities and business associates remain in limbo, with certain obligations under the HITECH Act unclear, the date that HHS expects business associates to come into compliance with the Privacy and Security Rules unknown, and the continuing threat that all business associate contracts will need to be renegotiated in the foreseeable future.
Theories abound regarding this delay, ranging from political motivations to a lengthy OMB docket to complexities in the final rule that require significant discussion (the latter is my guess). While the delay may be as innocuous as OMB being too short-staffed to handle its docket, it alternatively could suggest that the rule’s OMB approval is being held up on some policy matters. The latter could indicate further changes from what was initially proposed in 2010.
While some were predicting publication in June 2012, speculation may now be focused on July or August (although later publication remains very much possible). In other words, no one knows when the final rule will come.
There is no word yet on finalization of the proposed accounting of disclosures modification, including the proposed access report requirement, which OCR has indicated is not part of the omnibus package.