HIPAA Enforcement: Waiting for Ramp UpExperts Say Delay of Audit Program Sends Wrong Message
Some privacy and security experts are concerned that the Department of Health and Human Services' Office for Civil Rights isn't taking bold enough action in its promised efforts to step up HIPAA enforcement. They cite ongoing delays in the startup of OCR's next phase of federal HIPAA compliance audits, as well as the relatively small number of OCR HIPAA enforcement settlements in 2014 involving financial penalties.
During a Jan. 13 media briefing, OCR Director Jocelyn Samuels said her office is planning to launch its next phase of HIPAA compliance audits "expeditiously," but offered no timeline as to when (see HIPAA Audits Are Still On Hold). She said a new protocol for the next round of audits, taking into account new requirements in the HIPAA Omnibus Rule, had yet to be developed.
Last year, OCR had said that the next phase of HIPAA audits would begin in the fall of 2014 with the audits of about 350 covered entities, followed by audits of approximately 50 business associates to be conducted in early 2015. In recently acknowledging ongoing delays in the resumption of audits, OCR officials haven't said if those target numbers are still part of the agency's audit plans.
"The delay [in audits] could be like the 'boy who cried wolf,'" says Tom Walsh, a president of security consulting firm Tom Walsh Consulting. "After a while, organizations begin to think, 'It will never happen.' Or 'It will never happen to us'."
Security expert Brian Evans, senior managing consultant of IBM Security Services, notes: "Any delay in random audits allow covered entities and business associates to justify reallocating their focus and efforts in areas other than protecting information and addressing HIPAA requirements. Conversely, an active audit program serves as an additional motivator for CEs and BAs associates to protect information more effectively. "
Reasons for Delay
A number of factors may be contributing to the delay in OCR resuming its audit program. For example, OCR has had a number of senior leadership changes in recent months, including Samuels joining in July to replace former director Leon Rodriguez. At the same time, OCR resources are likely being squeezed as more HIPAA breaches and complaints are filed and investigated by regional offices. On top of that, a delay in a technology roll-out to help automate the collection of audit-related documentation from covered entities and business associates is also likely a culprit in the stalled audit effort.
But the delay, whatever the reason behind it, could hamper efforts to boost compliance, some observers say.
"I definitely think the continuing delay is a bad thing," says privacy expert Kate Borten, president of consulting firm The Marblehead Group. "I'm disappointed, but not surprised, at the ongoing delay in OCR HIPAA audits. Unfortunately, it will be seen as taking the pressure off compliance efforts at some CEs and BAs - and they may be the most likely to need it.
"While many organizations are committed to continually improving their programs, plenty of others are oblivious to their obligations, such as to perform risk assessments and have a breach response plan. Until a robust audit program is fully implemented, I predict industry compliance will remain spotty."
Privacy attorney Adam Greene, of the law firm Davis Wright Tremaine, says that even though the audits appear to be in limbo, covered entities and business associates are taking a big risk if they use that delay as an excuse to slack off.
"Covered entities and business associates should not take too much of a sigh of relief based on the audit program delays," he says. "While the audits are important, the far larger enforcement risks continue to come from information security breaches and patient complaints.
Greene says the biggest question he has about the delayed audit program "is how many of the next round of audits will be narrowly focused desk audits and how many, if any, will be comprehensive onsite audits. OCR has referenced that they intend to do onsite audits as resources permit, but they have provided mixed signals regarding whether they currently have the resources allocated to perform such on-sites," he says.
Evans says OCR should widen its pool of covered entities and business associates that are audited.
"I would like to see a larger number of organizations audited or, minimally, surveyed. Increasing the candidate pool heightens organizational readiness to pursue and maintain compliance," he says. "Offsite 'desk audits' can be a cost-effective way of gathering compliance data and cover a wider population in the process. It also provides a more representative sampling of data for future OCR audits."
Six Monetary Penalties in 2014
When the HIPAA Omnibus Rule went into effect in September 2013, OCR had pledged to ramp up its HIPAA enforcement activities. Anticipated action included a resumption of the audit program as well as more investigations that could result in financial sanctions for HIPAA violations.
OCR announced six resolution agreements in 2014 involving monetary penalties for cases involving violations of HIPAA. The biggest enforcement action was in May 2014, when OCR announced a record $4.8 million settlement in with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients.
Walsh says he believes it's unlikely that OCR will dramatically ramp up the number of penalties it issues this year.
"I heard ... Samuels state that the OCR is interested in voluntary compliance. Enforcement penalties and corrective action plans are the tools the OCR will use - when necessary to obtain compliance when it is obvious that nothing else will work," he says.
"Provider healthcare organizations are facing some tough budget issues starting in 2015. Imposing stiff fines for noncompliance is like the bank charging for overdrafts on insufficient funds in a checking account."
Greene, the attorney, says it's still too soon to tell how OCR's enforcement priorities may change under Samuels's leadership. "Once we have 2015 behind us ... we will have a better sense of whether OCR is increasing the number of financial settlements and how, exactly, the audit program fits into OCR's enforcement efforts. "
Samuels told reporters Jan. 13 that OCR expects to receive about 17,000 HIPAA complaints this year, and it will continue to use its "arsenal" of enforcement tools, including resolution agreements, corrective action plans, and financial settlements, to shine a spotlight on "high impact cases," including breaches and other HIPAA investigations that show "egregious" and "systemic" compliance concerns.
"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," Samuels said.