On April 30, 2019, Health and Human Services (HHS) published a final rule in which they are exercising their discretion in how they apply regulations concerning the assessment of Civil Money Penalties (CMPs) for HIPAA violations. This final rule reduced the annual limit for three of the four levels of culpability on which HIPAA violation Civil Money Penalties (CMPs) are based, as follows:
(1) The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision (annual limit reduced from $1.5M to $25K);
(2) the violation was due to reasonable cause, and not willful neglect (annual limit reduced from $1.5M to $100K);
(3) the violation was due to willful neglect that is timely corrected (annual limit reduced from $1.5M to $250K); and
(4) the violation was due to willful neglect that is not timely corrected (annual limit remains at $1.5M).
While reductions in the annual CMP limits is generally positive, Plans should not overlook the implications of this change. CMS expects plans to be conducting due diligence to ensure awareness of HIPAA risk and potential violations and to take corrective action to timely correct any issues discovered. Organizations that have taken measures to meet HIPAA requirements will face a much smaller maximum penalty than those who are found neglectful.
HHS HIPAA Audits
The American Recovery and Reinvestment Act of 2009 requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards. Within HHS, the Office of Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. OCR carries out this responsibility by investigating complaints and conducting compliance reviews of covered entities to determine if those covered entities are compliant. If, through this process, a covered entity is determined to be non-compliant, OCR has the authority to impose the CMPs outlined above. Additionally, if a complaint to OCR describes an action that could be a violation of the criminal provisions of HIPAA, OCR may refer the complaint to the Department of Justice for investigation.
Historically, OCR HIPAA audits have been primarily a compliance improvement activity. OCR has used the resulting audit reports to determine what types of technical assistance, corrective actions, tools and guidance would be most helpful to the industry. However, if an audit report indicates a serious compliance issue, OCR may initiate a more formal compliance review to further investigate, and this again can result in CMPs.
How Healthy is Your HIPAA Program?
Some of the questions you should be asking of your organization based on common HIPAA audit findings, include:
Is HIPAA part of your risk assessment?
A HIPAA risk analysis should define the scope of the analysis, demonstrate management involvement, provide evidence that policies are enforced, and its results should be shared with individuals in your organization who are involved in HIPAA enforcement.
Does Your Risk Assessment include assessing the risk of your First-tier, Downstream and Related Entities (FDRs) and Business Associates?
Remember, your obligations to ensure protected health information (PHI) is adequately safeguarded extend to any FDRs or Business Associates you may use that handle the PHI.
Have you reviewed and updated your policies and procedures to reflect any organizational or technology changes?
Policies and procedures, including desk-level instructions, need to be kept current and account for changes your organization has made. These updates, and training to ensure that your staff is aware of them, are critical to helping ensure HIPAA compliance.
Are your safeguards adequate to protect PHI?
Documentation is only one piece of the audit. Can you effectively demonstrate that your safeguards are in place and effective?
How can you ensure your organization is doing all it can to meet HIPAA requirements?
BluePeak’s HIPAA Program Review service can help you identify and correct privacy, security and breach policy and procedure issues BEFORE an OCR HIPAA audit or complaint identifies the issues.
BluePeak conducts mock HIPAA audits using the HHS protocols and process. Specifically, BluePeak auditors will:
- Assess the covered entity’s efforts using an updated audit protocol, which contains new criteria reflecting omnibus rule changes and more specific test procedures:
- Use sampling methodology to assess compliance efforts
- Target particular areas that were the source of a high number of compliance failures in the HHS pilot audits
BluePeak’s process focuses on 3 areas:
- Privacy, Security and Breach Policy Review – Reviews policies and procedures for completeness and accuracy against standard OCR audit protocols;
- Operational Testing and Validation – Identifies areas at high risk for non-compliance and conducts targeted testing and validation in such areas; and
- Training and Process Improvement– Based on review results or as a standalone service, BluePeak can provide customized training to ensure HIPAA knowledge and assist in development and implement process improvements to minimize the likelihood of HIPAA violations going forward.
In addition to the HIPAA Program Review service, BluePeak also oﬀers follow-up services to clients, such as developing and implementing monitoring and conducting mock OCR HIPAA audits to ensure any issues found during the review have been successfully remediated.