OCR: Business Associate HIPAA Audits Coming Soon
Officials Also Discuss Ransomware, Upcoming Guidance
The Department of Health and Human Services is gearing up to kick off in October its first-ever round of HIPAA compliance audits of business associates. And the agency is also developing a variety of new guidance aimed at helping healthcare organizations deal with a surge in cyber threats.
OCR Director Jocelyn Samuels and OCR Deputy Director for Health Information Privacy Deven McGraw provided the update of OCR's various HIPAA enforcement activities during a presentation at a HIPAA summit in Washington, D.C. on Sept. 15.
Business Associate Audits
Starting in October, OCR will notify 40 to 50 business associates that have been selected for an OCR HIPAA compliance "desk," or remote, audit. Unlike covered entities that earlier this year first received an email from OCR requesting verification of contact information in case they were chosen for an audit, business associates aren't getting any warning. "We have robust contact information for our BA pool from the covered entity auditees," McGraw says.
OCR will host an informational webinar for the chosen business associates, similar to what the agency did for its selected covered entities, she says.
OCR is also in the midst of evaluating the information and documentation it requested from the 167 covered entities that were notified in July about being audited for HIPAA compliance, McGraw says.
Like the covered entities, the business associates will have only 10 days to submit detailed documentation about specific aspects of their HIPAA compliance.
Some experts say it's critical that business associates be ready in case they're notified of an audit.
"The time to prepare for the audits is now," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
Don't wait to receive the notification from OCR, he says. "Business associates should be prepared to produce their policies and procedures for notifying their covered entities when there has been a breach incident, as well as samples of when and how they have done so," he notes.
Privacy attorney Kirk Nahra notes that the audit process is going to be really challenging for any "lucky business associate" that gets selected.
However, "aside from the annoyance and challenge of having to respond, I do expect that this effort is primarily an information gathering effort for OCR and not an enforcement process," he says. OCR "knows very little about business associates at this point, and this is likely to alert them to the enormous variations among business associates."
Business associates need to be thoughtful and complete in their responses, but there shouldn't be any particular reason to worry at this point, Nahra adds. "The time to worry will be when there is an actual [breach] investigation, so they should use this opportunity to get their documents and policies lined up."
Once OCR completes its covered entity reviews, the agency will issue preliminary reports to each of the covered entities, McGraw notes. The organizations will be given an opportunity to respond before the agency crafts its final reports. The same process is planned for the business associate desk audits, McGraw says.
In addition to the desk audits of covered entities and business associates, OCR also plans to conduct an unspecified number of more comprehensive on-site audits of both, she notes. In total, 200 to 250 audits will be conducted overall.
At the end of the HIPAA compliance audit process, OCR plans to issue a public report that "in aggregate" will address lessons learned and best practices, Samuels says.
Two Decades of Evolving Threats
OCR's latest enforcement plans come as HIPAA turns 20 years old, Samuels says, noting that while that's "a short time" in terms of lifespan, "it's huge in terms of technological developments" that have occurred since the HIPAA rules were written.
For instance, when HIPAA was first enacted, most communications involving exchange of patient PHI took place through mail, fax and phone. But in stark contrast, ransomware attacks on the healthcare sector impacting electronic PHI have already increased 300 percent in 2016 from 2015, she noted.
As such, recently issued ransomware guidance from OCR - as well as its other planned guidance - "are really focused on cybersecurity threats to electronic protected health information," Samuels says.
OCR's ransomware guidance, released in July, details "how HIPAA can help prevent ransomware attacks, detect ransomware and respond to the attacks," Samuels says.
"HIPAA is a tool to protect the privacy and security of PHI. If you comply, that can help you to address and preempt the threats we're seeing all too frequently in the healthcare sector."
Taking measures including conducting an enterprisewide security risk analysis, workforce training, limiting access to PHI, implementing safeguards against malicious software, and patching, as required by HIPAA, "can help arm you against this real plague of ransomware attacks," she says.
The recent ransomware guidance also aims to help clarify when those attacks are considered reportable breaches under HIPAA.
McGraw explains that the guidance notes that assessing a ransomware attack to determine whether it is a HIPAA breach, and then deciding whether notification is required, is a two-step process. Whether breach notification is required is based on whether there is "a low probability of compromise" to PHI.
Questions about whether covered entities need to report ransomware attacks to OCR and affected individuals - and whether business associates need to notify covered entities of those attacks - have been areas of confusion in the healthcare industry, some experts note.
"I think it is important to remember that every potential breach needs to be analyzed on its own facts," says privacy attorney Nahra. "I think the guidance pushes towards more notice but it does not say every time. It will depend on a variety of factors that are encompassed in the risk assessment elements."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes he was "surprised" by the distinction that OCR is drawing between "breaches" and "reportable breaches." "While not all impermissible uses and disclosures are reportable breaches, the regulations are structured so that once you identify that an incident qualifies as a 'breach' of unsecured protected health information, then it requires notifications," he says.
Cyber Threat Info Sharing
Samuels notes that while the sharing of cyber threat information - such as indicators of compromise - is important in the battle against threats such as ransomware, recent cybersecurity materials issued by OCR address the extent to which entities can disclose patient PHI when they share cyber threat information.
"The bottom line is they can't," she says. "PHI is not necessary to share any indicators."
Samuels warns that disclosures of PHI in the process of entities sharing cyber threat information could potentially result in a HIPAA violation. "A good motive - we take that into account in evaluating the kinds of remedies in negotiating settlement agreements - but it does not prevent you from having a HIPAA violation just because you were doing something good with the information."
OCR also plans to issue additional guidance aimed at helping the healthcare sector navigate other critical privacy and security challenges, McGraw says.
That includes supplemental information related to previous OCR guidance on patients' right to access their health records, and potential materials related to the Obama administration's precision medicine initiative.
Also, based on an audience question for McGraw during the summit, she says it's possible that OCR could also consider developing guidance related to disclosures and data exchange pertaining to sensitive patient information, such as HIV/AIDS.