Are you ready for an OCR audit?
If you aren't, it could cost you
It's been 17 years since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, but despite that, there are still plenty of organizations that aren't complying with its rules and are ending up paying millions in fines for their errors. Chris Apgar, president and CEO of Apgar and Associates of Portland, OR, works with organizations to become HIPAA compliant, and he cites some scary figures. A case in Alaska resulted in $1.7 million in civil penalties; an Arizona medical practice was fined six figures; one Blue Cross/Blue Shield organization was fined $1.5 million. "They take a very dim view if you appear to be ignoring the security and privacy rules."
Only another 100 or so audits are expected this year, he says, so the chances are fairly small that your hospital will be subject to one. But if you add the potential to be audited with the likelihood that you have to report a data breach, it's in your interest to be ready at all times for an Office of Civil Rights (OCR) audit of your HIPAA compliance.
An audit is formal — the accounting and consulting firm KPMG will ask for various documentation and give you 10 days to provide it, and they will do a site visit whose length increases with the size of the organization. They will provide a preliminary report and give you 10 days to comment on it before it is sent on to the OCR, which will review it and make a determination. If there is significant non-compliance — and that's not something that's ever been defined — then the OCR will do its own investigation and compliance assessment. If what was found in the report is true, the OCR may assess a fine, Apgar says.
The more likely event is that you will have a breach, he says. If you have more than 500 people involved in the data breach, you have 60 days from the discovery of the breach to report it to the OCR. They will contact you within two weeks of notification and ask for policies, the results of your risk analysis reports, training guidelines, and the breach notification/incident response forms. If you aren't compliant or the documents you submit are lacking, you may be fined.
There are still organizations for which the things the OCR may ask for are but a fuzzy memory, says Apgar. Others may think that having created a policy or procedure a few years back is good enough. The worst cases are those who think that there's no way they could ever have a breach. Because if you think that, Apgar says, you aren't looking hard enough. Just about every organization of size has breaches.
So how can you correct what's incorrect and be ready for either an audit or to provide relevant information following a breach? Apgar says to start by centralizing all policies and procedures. "Make sure they are correct," he says. "Make sure you have a disaster recovery and business continuity plan. You need to have an audit program that looks at user log-ins; you need to ask if you are doing everything you should be doing."
There are some good checklists available for this basic start of readiness on state health department websites (West Virginia's is here: http://www.wvdhhr.org/han/security/HIPAASecurityChecklistLHDsv2.pdf) or at the websites of other professional organizations like the American Health Information Management Association (http://library.ahima.org/xpedio/groups/public/documents/ahima/bok2_000583.hcsp?dDocName=bok2_000583).
Along with the federal rules, you also have to understand different state regulations. Some states have different classes of patients on which special protections are conferred. HIV patients, minors, people with mental health problems, cases involving birth control or genetics, or alcohol and chemical dependency patients are examples. Information for these classes is even more stringently protected than under HIPAA, and whichever rule is the strictest is the one that matters. Apgar says Texas (in effect Sept. 1, 2012), California and Massachusetts are particularly rigorous. In California, if there is a breach, the rule there says you have to notify all the individuals involved in a case. And while Oregon says if you have to notify a bunch of people you can put notices in the newspaper rather than send a first-class letter to each person, some states make you send that letter. Washington State residents who think their privacy has been violated can sue. Your local association chapters are a good resource for information.
"Everyone has to report something at some point," Apgar says. "Some incidents will only involve one or two people, and then you can have until the end of the year to report it to the OCR. But if it's 500 or more, report it immediately. And if you can't find anything to report, you aren't looking hard enough."
Apgar says the most common error he sees is incomplete, inaccurate, or outdated policies and procedures. "You should be looking at this once a year at least. You may not have to alter anything, but there is enough change in technology and in law that it merits a regular look." And you don't need to document the review of every policy, but you should note somewhere that you reviewed your policy and include a list of anything that was altered or updated.
Everyone but me
If you think you aren't likely to have a breach, consider the common rule that no one can use personal phones or tablets at a hospital. "You can say you have a policy that precludes it, but you won't be able to stop it all," says Apgar. "Docs will use their own iPads and may have patient information on it. Maybe it gets stolen, but the physician isn't reporting it to you because they forget."
Questions to ask about your HIPAA compliance
1. If you were asked to make all of your policies, procedures and compliance documentation available to OCR or a state's attorney general, how long would it take? Are you sure all is current and accurate?
2. Does your employee training include all of the new HITECH requirements? When was the last time you trained all employees?
3. Do you have a formal audit program (usually every 30 or 90 days), and is it all documented? Do you review all of the audit logs in your systems and network? If not, remember that those logs are discoverable: if you're sued, a breach is found, and you never looked at the logs, you'll likely lose the case.
4. Have you tested your incident response including breach notification plan recently?
5. Have you conducted a risk analysis within the last year?
6. Are you after meaningful use dollars and have you launched your complete risk management program? If you haven't, you're missing a core measure requirement. Attesting without meeting all measures can get very expensive if CMS shows up.
7. If you prohibit storing of personal health information on tablets, laptops and smart phones (especially personally owned ones), how are you enforcing the prohibition? Lost or stolen mobile devices and unencrypted personal health information don't go together.
8. Have all of your business associate contracts been updated to include breach indemnification language?
9. Are you sure all personal health information is encrypted when it's transmitted outside your organization?
10. If you prohibit sending personal health information via email, do you audit email, and how do you know it's not being sent?
11. Are you certain your patients and other unwanted individuals aren't getting into areas they are not supposed to?
12. Are you sure you can recover the personal health information you backed up that's critical to patient care? If you don't regularly test data recovery, you don't know if it is actually recoverable.
13. Are you sure your staff is correctly informing patients of their privacy rights? It's not OK to just post your notice of privacy practices. You need to hand it to them.
14. Are your staff reviewing medical charts or accessing your EHR in the local coffee shop? "Shoulder surfing" can be costly, especially when your patients find out.
Or a hospital may have a research division from which an employee leaves. No one tells IT, and that person still has access to patient information because the ex-employee's log-in hasn't been cancelled. If it's a disgruntled former employee, you may have a bigger problem.
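One way to catch the orphaned log-in described above, as an added example that is not from the article or from Apgar & Associates: reconcile the accounts still enabled in the EHR, and the log-in audit trail, against HR's separation list. The account names, dates and the audit-log line format are constructed assumptions, not any vendor's format.

```python
"""Reconcile enabled EHR accounts and log-in audit records against an HR
separation list to surface orphaned accounts. Added example; all sample
data is constructed and the log line layout is an assumption."""
from datetime import date
import re

# Constructed HR separation records: username -> last working day.
SEPARATIONS = {
    "jdoe": date(2013, 3, 15),    # research division, left in March
    "rsmith": date(2013, 1, 31),
}

# Constructed set of accounts still enabled in the EHR / directory.
ACTIVE_ACCOUNTS = {"jdoe", "mlee", "rsmith", "akhan"}

# Constructed audit log; the "YYYY-MM-DD user=NAME event=EVENT" layout is assumed.
AUDIT_LOG = """\
2013-03-20 user=mlee event=login result=success
2013-03-22 user=jdoe event=login result=success
2013-03-22 user=jdoe event=chart_view patient=REDACTED
2013-02-03 user=rsmith event=login result=failure
2013-03-25 user=akhan event=login result=success
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\S+) event=(\S+)")


def orphaned_accounts(active, separations, as_of_iso):
    """Accounts still enabled after the user's last working day."""
    as_of = date.fromisoformat(as_of_iso)
    return sorted(u for u in active
                  if u in separations and separations[u] < as_of)


def post_separation_activity(log_text, separations):
    """(date, user, event) tuples for any activity after separation.
    Failed log-ins count too: someone is still trying that credential."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in another format
        when, user, event = date.fromisoformat(m[1]), m[2], m[3]
        if user in separations and when > separations[user]:
            hits.append((when.isoformat(), user, event))
    return hits
```

Run the two functions against a real export of the account list, HR roster and audit log on the same 30- or 90-day cycle as the rest of the audit program, and keep the output as the documented evidence of the review.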
There are questions you can ask that can help you see all the areas that are ripe for a breach — like how do you guarantee that there are no personal devices used? How do you enforce that no one stores personal information on devices? How do you make sure that no patient information is sent via email, even from physician to physician? When was your last risk analysis?
If you can't answer "one year or less" to that last question, Apgar considers that you are engaging in "willful neglect." The case in Alaska that cost the department of health there a cool million plus? It was all related to an alleged failure to do a risk analysis. One more thing you should know: All that fine money goes right back to the OCR for further enforcement. That means the more fines they levy, the more money they have to look for organizations that aren't in compliance.
Apgar says there is plenty you can do, and plenty of resources that will help you do it. He suggests starting by answering the questions in the box on page 92.
For more information on this topic, contact Chris Apgar, CEO and President, Apgar & Associates, Portland, OR. Email: email@example.com.
SOURCE: Hospital Peer Review