New HIPAA Enforcement, Ongoing Audits for More Businesses

Last month, the Office for Civil Rights (OCR) announced a new plan to strengthen HIPAA enforcement in response to criticism from the Office of Inspector General (OIG). The OCR will be beefing up their compliance investigations and expanding their audit program in 2016. They plan to focus on more proactive efforts to identify non-compliance in business associates and repeat offenders.

 

It’s a common misconception among providers and business associates that HIPAA laws “have no teeth” and that violations will only incur a slap on the wrist. The OCR, who was legally mandated to enforce HIPAA compliance in 2006, has been working hard to change that perception. Their enforcement activities have included outreach and education to providers, response to complaints, and data breach investigations.

Despite the numerous enforcement activities already under way, the OCR recently came under scrutiny from the Office of Inspector General (OIG) who criticized their HIPAA oversight program. The OIG is calling for more proactive identification of non-compliant providers and business associates and improvements to their investigation process. Based on these recommendations the OCR has agreed to do the following:

 

  • Obtain documentation (i.e. evidence) of all corrective actions taken by covered entities involved in an investigation.

  • Improve the search functionality of their case tracking system.

  • Require all OCR staff to search for prior breach incidences when opening a new case.

  • Continue to expand outreach and education efforts to Covered entities.

  • Fully implement a permanent audit program.

Implications

The OIG’s criticism focuses on the OCR’s reactionary enforcement activities, pointing out that they only investigate cases in response to complaints, tips, or media reports.  The OCR’s expansion of their outreach and audit programs will enabled them to discover non-compliant businesses and providers before a breach occurs.  

Additionally, organizations that have already had one or more breach or complaint will be coming under greater scrutiny. Through their improved investigations, the OCR will be tracking the corrective actions taken by businesses and providers and will be keeping a closer eye on repeat offenders.

Most importantly, the OCR has agreed to expand their Phase II audit program. Random audits will begin in 2016 and extend to a permanent audit program that will target both covered entities and their vendors. This casts a much broader net when it comes to HIPAA oversight and it highlights the importance of having a solid HIPAA compliance program as a vendor.

 

What should you do to prepare?

 

  • Start now! – You don’t always get a warning shot. Use this opportunity to develop your HIPAA compliance program or identify gaps in your current activities.

  • Focus on training – HIPAA training goes a long way both in protecting you from a breach and in the eyes of the OCR. Make sure your employees receive training at least once per year.

  • Get help – Look online for HIPAA compliance starter kits or resources. Both the OCR and HHS frequently publish guidance on HIPAA compliance. If the task of becoming compliant seems overwhelming seek out experts who can efficiently guide you towards a solution.

Take Aways

 

  • HIPAA enforcement is serious business and as a provider you can expect to see increased enforcement this coming year.  

  • Covered entities AND business associates will be targeted for random audits, starting in 2016.

  • Organizations with a previous breach or complaint should prioritize completion of corrective actions and HIPAA initiatives, as the OCR will be looking more closely at repeat offenders