OCR Enforcement Ramps Up as Phase 2 Audits Begin; OCR Signals Compliance Risk Areas
On back-to-back days, the Office for Civil Rights (“OCR”) announced two new settlements with significant dollars attached. On March 16 and March 17, 2016, OCR announced settlements with North Memorial Health Care of Minnesota ($1.55 million) and Feinstein Institute for Medical Research ($3.9 million), respectively. Both settlements arose from the organization’s own report to OCR of the theft of an unencrypted laptop computer containing ePHI.
North Memorial Health Care of Minnesota, serving the Twin Cities and surrounding communities, contracted with Accretive Health, Inc. for certain payment and health care operations activities. It is well publicized that Accretive Health has had significant legal battles relating to its operations at North Memorial Health Care, including the security of PHI. The revenue cycle firm was accused by the Minnesota Attorney General of deceiving patients, harassing them for money in emergency rooms and mishandling patient data. Accretive was required to pay the State of Minnesota $2.5 million in connection with these allegations and is banned from doing business in Minnesota until at least November 2018. It was forced to give up its only remaining client in Minnesota, North Memorial Health Care. When OCR investigated North Memorial Health Care’s breach report involving Accretive, OCR concluded that North Memorial Health Care failed to have a business associate agreement in place with Accretive as required under HIPAA. OCR also found that North Memorial Health Care failed to complete a comprehensive security risk analysis. To settle the allegations of non-compliance, North Memorial Health Care agreed to pay $1.55 million and to a corrective action plan that runs for two years from the date it puts in place all documents required under the plan.
This settlement is significant in that it emphasizes the importance of having business associate agreements in place. We note that the stolen laptop incident and the commencement of OCR’s investigation occurred before HIPAA’s reach (and OCR’s enforcement authority) was extended to business associates. Thus, the covered entity was in OCR’s crosshairs for the actions of its business associate. If this incident occurred today, we believe that as long as the covered entity could produce a compliant business associate agreement with the business associate, OCR would generally focus its investigation on the business associate. Failure to have that business associate agreement in place can open the covered entity up to OCR scrutiny of its organization-wide compliance based on an action or incident isolated to the business associate.
In the second OCR settlement, involving Feinstein Institute for Medical Research, a biomedical research institute headquartered in Manhasset, New York, OCR’s investigation found that “Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity.” OCR also found numerous and significant deficiencies in the policies, procedures and safeguards employed by the entity. For these findings, Feinstein agreed to pay OCR $3.9 million and has entered into a three-year corrective action plan. With this settlement, OCR is signaling that research entities are not excluded from the requirements of HIPAA. Covered entities should evaluate their involvement with research organizations as carefully as they do other entities and vendors, to assess the research entity’s understanding of HIPAA compliance and to ensure the appropriate authorizations or other agreements are in place as required under HIPAA.
Phase 2 of HIPAA Audits Underway
On the heels of these two significant settlements, OCR announced the long-awaited (but not longed for) start to Phase 2 of the HIPAA Privacy, Security, and Breach Notification Audit Program. OCR has sent out (via email) letters to a pool of entities requesting verification of contact information. OCR advises entities to check their junk or spam filters for emails from OCR, which will come from OSOCRAudit@hhs.gov. After the contact information is verified, OCR will send a questionnaire to a pool of potential audit candidates and will categorize entities based on size, type, operations (public or private, affiliation with other organizations, etc.) and geographic factors. From that pool, OCR will “randomly” select its first audit targets in a manner that ensures a cross section of the industry. Approximately 200 organizations will be audited in the first round, which will consist of desk audits only, unless the findings are serious enough to warrant an on-site visit. A small silver lining for those of you with a pending OCR investigation: if you have an open investigation with OCR, you are automatically ineligible for audit.
The first round of desk audits is slated to be completed by December 31, 2016. From there, OCR will audit business associates and begin a round of on-site audits. If you received a contact verification letter, and certainly if you received a questionnaire, you are advised to begin assembling policies around the topics identified for the initial desk audits (e.g., security risk assessments, individual access to PHI, and the timing and content of breach notification letters, for starters). If you are selected for audit, you have only 10 days to submit the required information to OCR. We do not believe any extensions will be granted. Covered entities may want to consider conducting a self-audit in preparation for the real deal; eventually OCR will come calling.
HIPAA Compliance Risk Areas
Speaking from the podium at the recent national conference at which it announced the beginning of the Phase 2 audits, OCR also discussed the “lessons learned” from recent investigations. These lessons learned should serve as a road map for covered entities in doing a check-up on their HIPAA compliance. Here are the top five takeaways:
- Conduct a comprehensive risk analysis. OCR has high expectations for a true risk analysis. The assessment should be comprehensive and enterprise-wide, covering all sources and locations of PHI, and it should identify the organization’s vulnerabilities. Organizations should use the results of the risk analysis to create a risk mitigation plan.
- Both paper records and portable devices continue to cause problems. While on opposite ends of the technology spectrum, both unsecured paper records and unencrypted portable devices are the cause of a number of breaches. OCR indicated some organizations may be leaving paper records out of compliance policies or risk assessments. While portable devices continue to be a significant source of breach, OCR’s message is: don’t forget about the paper!
- Make sure your forms are HIPAA-compliant. OCR discussed that it has seen a number of non-compliant forms used for patient authorizations. Patient authorization forms are used for uses and disclosures of PHI that the Privacy Rule does not otherwise permit, and the form must include specific elements to be HIPAA-compliant.
- Confirm business associate agreements are in place. OCR continues to see that not all covered entities have business associate agreements with their business associates. Large and small organizations alike have countless business associate relationships. Covered entities should consider tracking the flow of data and payments made outside the organization to capture any missed business associate relationships.
- Pay close attention to individual rights under HIPAA. In particular, OCR has signaled a new focus on an individual’s right to access their own health information. OCR has recently issued comprehensive guidance on patients’ right to access their PHI, timeliness requirements, the costs that can be charged to a patient, and when access can be denied. Some of the expectations included in the guidance give new detail and direction to access requirements and limitations that may have been more loosely interpreted in the past. Covered entities should carefully review the guidance and their own access policies now that OCR has shone a light on this area of the Privacy Rule. OCR is almost certainly signaling heightened enforcement of these provisions.