The Department of Health and Human Services' Office for Civil Rights (OCR) is still not ready to release an expected date for the roll-out of Phase 2 of the HIPAA Audit Program, according to an agency staff member. During a panel on privacy, security and breach notification rules and enforcement at the American Health Information Management Association conference on Tuesday, agency representatives Geraldine Davis, Yun-Kyung Lee and Eric Press discussed where the agency stands in preparing to initiate the second phase of audits.
According to Davis, OCR is still actively working to build an online portal that will facilitate the submission of documentation to the agency. Work on the portal has delayed the start of Phase 2, which was originally intended to begin in fall 2014. Davis said unofficially that OCR hopes to begin the audit process by the end of 2014 or the beginning of 2015. The random pool of entities to be audited has been selected, but no notifications have been sent out. Davis was unable to provide any guidance as to the number of entities to be audited.
Davis also discussed what the agency will focus on in this second round of HIPAA compliance audits. OCR will look at covered entities and business associates' risk analysis and risk management (the Security Rule), the content and timeliness of breach notifications (the Breach Notification Rule) and the notice of privacy practices and access rights (the Privacy Rule). The agency will focus on the risk to the data, not the risk to the impacted individual.
Under the Breach Notification Rule, for breaches impacting 500 or more individuals, OCR must be notified "without unreasonable delay," which the agency has defined as 60 days from the point of discovery of the breach. In such cases, the covered entity should be prepared to respond with a determination of the root cause of the disclosure, identification of the gaps in compliance that resulted in the breach, and evidence that the root cause has been addressed to ensure that no further breaches occur. In cases where fewer than 500 individuals are impacted, the covered entity has until the close of the calendar year plus 60 days, or the following March 1.
There are a number of low-impact ways that hospitals can protect themselves from breaches, Davis said. According to her presentation, theft accounts for 51% of all breaches. In a digital age, most providers are focused entirely on digital safeguards, but Davis points out that 21% of breaches involve paper records. She pointed to the recent Parkview Health case, in which the nonprofit system agreed to pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. In September 2008, Parkview took custody of paper medical records for roughly 5,000 to 8,000 patients while helping a retiring doctor shift her patients to new providers, and while considering the purchase of some of her practice. In June 2009, Parkview employees, knowing the doctor wasn't home, left 71 cardboard boxes of medical records "unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue," HHS said.
Looking after physical access controls can dramatically mitigate the risk of this kind of easily-preventable breach, Davis said.
Press, an equal opportunity specialist at a regional branch of OCR, gave a brief overview of the scope of OCR's corrective activity since 2003. Since that year, 98,279 complaints have been filed with the agency, with 22,706 resulting in corrective action and accounting for $26.3 million in resolution and civil money penalties. The number of complaints per year has gone up dramatically since 2003, according to Press.