Latest OCR Updates On HIPAA Compliance Audit Program & Newest Enforcement Settlement

Washington, DC | September 2, 2015 – September 3, 2015

The NIST/OCR HIPAA Information Security Assurance Conference opened on September 2nd with a keynote address given by OCR Director Jocelyn Samuels, at which she reviewed a number of initiatives on which the agency is focusing, including the latest on the HIPAA compliance audit program. Speaking of the long anticipated program, Director Samuels emphatically said that “the audits are coming”, calling it a critical tool to help prevent breaches and bring up the level of compliance of health care providers. In her speech, Director Samuels announced that OCR is in the final stages of selecting a third party vendor to conduct audits of HIPAA covered entities and business associates using a protocol being developed by the agency. She said that the audit program would be conducted primarily through desk audits but that there will also be on-site audits in this next phase. Director Samuels did not provide any details of the number of organizations to be audited in this next phase or when the audits will begin. The presentation by Director Samuels is notable for the affirmation that OCR is committed to its audit program but is a change in approach by using outside contractors to perform the work instead of the previously announced approach to run the program through developing an audit program from within OCR. She also highlighted the value of using the audit protocol as a tool for organizations to enhance their current compliance state as well as to prepare for their selection in the upcoming OCR initiative.

On September 3rd more details of the random audits were revealed. OCR finalized a contract with an outside vendor, FCi Federal, to manage the audit program using subcontractors to perform the engagements. The contract award to FCi is valued at $769,000 and the task order calls for the services to be performed between September 2015 and the end of 2016. “We are hard at work on the next phase (of audits), and I know you’ve heard that a lot, but it’s coming,” OCR Director Samuels said Wednesday at the conference. “Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach … and they enable us to better tailor our guidance and our technical assistance to ensure that we’re addressing the most common problems.” It is anticipated OCR will have approximately 200 desk audits and 24 on-site audits conducted by this contractor.

OCR made it clear that they are serious about compliance and enforcement of noncompliance by announcing its most recent settlement to coincide with the opening speech given by Director Samuels. Cancer Care Group was issued a $750,000 HIPAA settlement that emphasizes the importance of risk analysis and device and media control policies. They were also given a robust correction action plan to correct its deficiencies of HIPAA compliance. On August 29, 2012, Cancer Care notified OCR of a breach after a laptop and backup media were stolen from an employee’s car. Both were unencrypted and compromised about 55,000 current and former patients’ names, addresses, datas of birth, Social Security numbers, insurance information and clinical information. OCR’s investigation found that Cancer Care had many instances of non-compliance with the HIPAA Security Rule. It had not conducted a risk analysis and did not have policies in place for removing PHI from hardware and electronic media. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Some of the other updates from OCR included:

Guidance on individual’s right to access is forthcoming in October, which Samuels called, “a fundamental right”.
OCR is developing guidance on HIPAA compliance when using cloud technology that is slated to be available this fall.
OCR is updating its web portal for software developers.

Over the two days, OCR made clear is that it is focused on risk assessments, risk management, breach and HIPAA enforcement. All of the movement with the HIPAA compliance audit program and enforcement activity demonstrates that OCR is back to running on all cylinders and aims to ramp up its efforts to root out organizations that demonstrate significant non-compliance with the health information privacy and security standards.

If you would like to learn more on what you need to do to be in compliance with HIPAA or want to hear how you can prepare for an audit, register for one of our HIPAA Privacy and Security Workshops this fall, or sign up for our free webinar, “How to Prepare Your Organization for an OCR HIPAA Audit” on September 30th.