OCR’s Shares HIPAA Audit Program Protocols As Announces $1.7M Resolution Agreement Against Alaska Medicaid

Health care providers, health plans, health care clearinghouses and their business associates should review the Department of Heath & Human Services (HHS) Office of Civil Rights (OCR) HIPAA audit protocol used by OCR to conduct the audits required by the HITECH Act to identify potential areas where they may need to tighten existing practices to withstand a possible audit and reduce exposures under the Privacy, Security and Breach Notification rules of the Health Insurance Portability & Accountability Act.  OCR posted the audit protocols on its on its website on June 26, 2012, the same day it announced that the Alaska Medicaid program would pay more than $1.7 million to settle potential HIPAA liabilities arising from OCR’s investigation of circumstances resulting a large data breach reported under the HITECH Act breach notification rules. Covered entities should use these resources both to prepare for potential audits and to review and adjust their practices to help prevent violations and defend against potential HIPAA enforcement actionsl.

HIPAA Audit Protoco

The OCR HIPAA Audit program analyzes key processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit requirement.  OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.  The combination of these multiple requirements may vary based on the type of covered entity selected for review. These include:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures
  •  Security Rule requirements for administrative, physical, and technical safeguards;
  • Requirements for the Breach Notification Rule.

Presently OCR says that HIPAA audits primarily seek to tighten compliance and aid OCR to identify areas where guidance should be revised or supplemented to enhance compliance.  Where an audit identifies a significant compliance concern, however, OCR officials say OCR officials may open an enforcement investigation in response to evidence uncovered in connection with an audit.  Beyond this risk, however, the audit protocols also provide additional guidance for covered entities about expected practices and procedures that could help mitigate risks to enforcement under the OCR’s ongoing investigation and enforcement activities of HIPAA.  As reflected by a growing series of resolution agreements, these enforcement risks and their associated liability exposures are significant and growing.  OCR’s announcement of its latest Resolution Agreement with Alaska Medicaid concurrent the posting of the audit protocol.

Alaska 1.7 Million Resolution Agreement

OCR also announced June 26 that the Alaska State Medicaid Agency, the Alaska Department of Health and Social Services (DHSS) will pay the  $1,700,000 to settle possible violations of the HIPAA  Security Rule.  Alaska DHSS also has agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries. 

The first HIPAA Resolution Agreement that the HHS Office for Civil Rights (OCR) has reached a state agency, the Alaska Medicaid Resolution Agreement  second announced Resolution Agreement stemming from a unsecured protected health information breach report filed in response to the breach notification rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act.  Earlier this year, OCR announced its first Resolution Agreement involving a health plan resulted from a breach notification report it had filed under the HITECH Act.  See $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report.

OCR opened the investigation leading to the Resolution Agreement after Alaska DHSS filed a breach report that indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.  Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI.  Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.  Inadequacies by covered entities in safeguarding protected health information and laptops and other devices containing ePHI is a common compliance concern according to OCR statistics.

In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule.  A monitor will report back to OCR regularly on the state’s ongoing compliance efforts. 

OCR’s announcement highlights the need for covered entities not only to take proper steps to establish and administer appropriate policies and safeguards to protect protected health information and EHI, but also to prepare, update as needed and be prepared to produce documentation showing their oganizations actions to evaluate, monitor and maintain appropriate safeguards of ePHI and the operating systems and devices that contain this information. 

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

The HHS Resolution Agreement can be viewed here.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The Alaska Medicaid Resolution Agreement is the latest in a growing list of Resolutions Agreements highlighting the mounting exposures that health care providers, health plans, health care clearinghousesand their business associates face if required to file a large breach notification or otherwise charged with failing to appropriately manage their HIPAA responsibilities. See Arizona Physician Group Pays $100K To Settle HIPAA Charges; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.   As OCR leaders have indicated that OCR investigates all large breach notification filings made under the HITECH Act Breach Notification Rules and with more than 450 large breach notifications reported on its website, additional Resolution Agreements are expected in coming months even as covered entities and their business associates are awaiting the impending  issuance of updated HIPAA regulations.

In light of these and other developments and risks, covered entities and their business associates should move to audit and strengthen their HIPAA compliance and documentaiton and adopt  other suitable safeguards to minimize HIPAA exposures. 

In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks. 

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable. 

For more information about the PCS Resolution Agreement and HIPAA compliance and risk management tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer hereExamples of some recent publications that may be of interest include:

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C. All rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: