Performance Improvement Plan

Are You Prepared for the HIPAA Phase 2 Audits?

After reviewing the HIPAA Privacy case investigations from 2009-2011, the Office of the Inspector General sent a strong message to the Office of Civil Rights in regard to the administration and enforcement of the HIPAA Privacy Rule. The OIG recommendation is clear in the September 2015 executive summary, “OCR Should Strengthen Its Oversight of Covered Entities’ Compliance With the HIPAA Privacy Standards”.   The Privacy Rule requires that covered entities have appropriate safeguards to protect the privacy of protected health information (PHI) and outlines the limits on uses and disclosures without authorization and rights to inspect and obtain a copy of their medical record. Since the Privacy Rule went into effect in 2003, the OCR has received more than 120,000 complaints for alleged privacy violations (OCR, Privacy Rule Enforcement Highlights).

In this evaluation, the OIG focused on 4 specific areas:
(1) review of a random sample of 150 OCR privacy cases (open and closed) out of a total of 7080 cases from 2009-11
(2) survey of OCR staff to determine how often the staff member checked to see if a provider had been previously investigated
(3) interviews with OCR officials and a review of OCR’s policies and procedures for investigating privacy cases, including use of of Program Information Management System (PIMS)
(4) survey of a random sample of Medicare Part B providers to determine extent to which they addressed the five following Privacy standards:

  • have established a sanctions policy for staff;
  • have provided all staff with training on the covered entity’s policies and procedures with respect to PHI
  • maintain a Notice of Privacy Practices
  • have designated a privacy official
  • provide a complaint process for individuals

blogtable

Non-compliance with at least one of the Privacy standards occurred in more than half of closed privacy cases. Most commonly, non-compliance was related to the standard on restricting uses and disclosures of PHI and the standard on implementing safeguards.   Among those found to be non-compliant, only 74% demonstrated adequate documentation in PIMS of corrective action.   This is only magnified by OCR staff inconsistency in checking for any prior investigations, allowing violations to recur. Even more concerning, 27% of the sampled providers did not address any of the five standards and were completely unaware that the OCR was ultimately responsible for enforcing the Privacy Rule, making it less likely they know how to access any educational resources.

In response to this report, the OCR is finalizing plans for its permanent audit program. Phase 2 audits are starting in early 2016 and will include both desk and on-site reviews. These audits will focus on the most commonly identified areas of non-compliance and will also evaluate business associates. These Phase 2 Audits will continue to help the OCR assess the following areas regarding the structure of their audit program:

  • Updating audit protocols
  • Refining pool of potential audit subjects
  • Implementing a screening tool to assess size and entity type
  • Tracking Covered Entities’ history of investigations (open and closed)
  • Updating electronic document management and investigation tracking system, Program Information Management System (PIMS)