Health care privacy breaches continue to be a serious concern for health care organizations. Some of the most highly respected health care providers and payers, as well as their business associates (BAs), have expended considerable effort and costs implementing compliant privacy and security programs. However, the vast majority of these organizations continue to struggle with inadequate privacy and security capabilities to either be substantially compliant with the Health Insurance Portability and Accountability Act (HIPAA) or to perform at acceptable operational risk levels. As medical privacy breaches keep making headlines on a near-daily basis, the cost of these occurrences can be sizeable and can also result in severe damage to an institution's reputation.
Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA) includes the subsection entitled the Health Information Technology for Economic and Clinical Health Act, better known as HITECH. In addition to its incentives for the adoption of electronic health records (EHRs), HITECH also substantially expanded or created new provisions for HIPAA's privacy and security requirements. A key new provision that became effective in Jan. 2012 is its proactive auditing and monitoring of HIPAA's Privacy and Security Rules. As a result of HITECH, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) will undertake a series of proactive audits of 150 covered entities (CEs) and BAs to assess their compliance with HIPAA. This is a significant departure from HHS's previous approach, in which such investigations were primarily initiated in reaction to privacy breaches or complaints.
What are the potential business and legal impacts of not performing well?
HIPAA's new increased fines, penalties and enforcement actions have become a real business concern. HITECH now provides HHS with more tools for enforcing HIPAA. Previously, HIPAA's enforcement approach resulted in few investigations, and the imposition of penalties was exceptionally rare. The sanctions for noncompliance are now substantial and include new tiered fines with a potential maximum of up to $1.5 million per repeated violation. Furthermore, state attorneys general can now bring civil actions to enforce HIPAA. This provision creates new legal concerns for organizations, as well as burdens related to the existing Federal Rules of Civil Procedure guidelines for electronic discovery.
Coincidentally, providers are also faced with their initial attestation for Meaningful Use, HHS's certification program to release incentive funds set aside for CEs that implement EHRs in a manner that meets certain operational performance and security capabilities. Meaningful Use certification requires CEs to conduct a security risk analysis of their EHR program and to remediate unacceptable risks. If CEs cannot attest that they conducted a security risk analysis, implemented updates as necessary, and corrected identified security deficiencies, they risk losing millions of dollars in reimbursement funds.
It is also important to note that, per the Enforcement Rule, collected fines will be used to supplement the HHS enforcement budget. Because those fines will fund future audits, they may be viewed as subjective rather than objective.
In addition to the fines and penalties, the potential brand damage and public embarrassment may present the most significant risk to CEs and BAs. HHS has been revealing the outcomes of its audits via press releases and web postings. The fines and penalties resulting from poor outcomes have consisted of multimillion dollar charges and years of mandatory external oversight of HIPAA privacy and security governance. With such daunting consequences, CEs and BAs should approach these pending audits as a real business priority.
There are no known specifics as to who will be audited and when, although Ernst & Young expects that there may be a relevant sampling across all sectors that must comply with HIPAA, including providers, payers, clearinghouses, life sciences and BAs of all types. There is also an expectation that it will be further balanced between private companies and public agencies, at both the state and federal levels. The OCR is expected to begin issuing letters of notification to certain CEs in early 2012 to inform them that their HIPAA program will be audited.
To gain a better understanding of what to expect in preparation for the pending audits, it is relevant to recognize the recent actions from HHS related to its complaint-driven audits. Ernst & Young has been closely following the publicized actions and reports from HHS, and below is a sample of complaint-driven (reactive) HIPAA audits that occurred in 2011.
While the enforcement fines and penalties represent a real concern, it should also be noted that CEs and BAs have an opportunity for remediation if an audit deficiency is discovered. However, if they are not already substantially compliant with HIPAA, remediation may not be enough to realize reduced tiered fines or sanctions. Characteristics of organizations that demonstrate substantial compliance with HIPAA include:
- Effective and updated policies and procedures
- Demonstrated compliant practices
- Well-managed, active and up-to-date training program
- Current and comprehensive risk analysis process inclusive of remediation planning
- Implemented and effective physical, administrative and technical controls
Per HITECH's Enforcement Rule, a Tier D fine of $1.5m could be lowered to a Tier C fine of $250,000. CEs and BAs should therefore be well-prepared for remediation by having experienced staff ready to correct identified deficiencies as soon as possible, even prior to the issuance of the report if a deficiency is strongly suspected.
What do CEs and BAs need to do?
CEs should assume that an audit will potentially evaluate all aspects of the Privacy and Security Rules and not just a subset of well-defined controls. BAs must comply with HIPAA's Security Rule and only minor aspects of the Privacy Rule, per HITECH. The OCR is expected to conduct a detailed administrative and operational review of these programs to gauge their overall capability maturity.
Specifically, CEs and BAs should consider taking the following immediate actions to prepare for the pending HIPAA audits:
1. Conduct a comprehensive risk assessment of the HIPAA program.
- Even CEs and BAs with Health Information Trust Alliance (HITRUST) certification, which only covers the Security Rule, will still need to perform a supplemental assessment of the Privacy Rule
2. Establish a HIPAA audit response team, unless one is already formed within the HIPAA Governance Committee.
- Collect and organize all key documents related to executing the HIPAA program, such as:
- Letters of designation for the Privacy and Security Officers
- Copy of the preemption analysis for determining the most stringent provisions between HIPAA and other federal, state and local health care laws
- Privacy and security policies, procedures and relevant forms
- Copy of HIPAA training records
- Sample of the current Notice of Privacy Practices, supplemented by archived versions
- Copy of the most recent internal privacy and security risk assessments, supplemented by archived versions
- Inventory of implemented physical, administrative and technical security controls
- Copies of HIPAA program Governance Reports submitted to executive management
- Copy of the privacy compliance logs with supporting resolution plans
- Inventory of business associates agreements (BAAs)
3. Develop a communication and engagement plan for initiating the pending HIPAA audit to set expectations for your workforce as well as the OCR auditors.
- This should also include a rapid response plan for public relations related to media inquiries or reports
These recommendations are based on the core assumption that a CE has already established an effective HIPAA governance structure to address the complexities of the regulations and the broad number of business stakeholders required to support the program. If not, establishing that structure would be an additional critical step to include in the preparation recommendations above.
What's the bottom line?
In the midst of what appear to be forthcoming, impactful HIPAA audits, hospitals have been actively engaged in implementing new and costly strategic reforms, such as EHRs, enhancing or replacing key systems involved in medical coding, and dealing with a challenging economic environment. As such, many of their financial and staff resources are already strained. Furthermore, despite high levels of unemployment, there is a global scarcity of skilled health care security and privacy professionals.
Even CEs that believe they have an effective HIPAA program are not typically confident in their ability to perform well under the new HIPAA audit process. Most CEs continue to struggle with substantially complying with HIPAA/HITECH, primarily due to:
- The broad complexities from both federal and state health care regulations
- Limited budgets to support the requisite personnel, IT controls and changes in business processes
- Balancing competing strategic initiatives of health care reform against health care compliance
Additionally, many BAs have failed to implement the Security Rule, per HITECH, due to a lack of corporate awareness or simple denial that they must comply beyond the security controls already in place.
Regardless of these business challenges, CEs and BAs should act as soon as possible to assess and improve their privacy and security capabilities. It will take substantial resources to effectively address these business risks. However, taking the self-initiative now can be more cost-effective and can help avoid potential brand damage to companies and agencies.
Glen Day is a senior manager in the advisory services practice of Ernst & Young LLP and is the Americas information security leader for healthcare and life sciences. He has more than 20 years of experience consulting with and working in the health care, financial services, automotive, retail and defense industries.
Reza Chapman is a senior manager with Ernst & Young's advisory services practice, focused on driving security and privacy offerings. He has more than 15 years of experience providing information security and risk management solutions to companies in the health care, financial services, energy, retail and government industries.