When I was a lot younger, the title of this post was a joke that was often bandied about.
It is entirely possible, however, that the new elephant is what covered entities and/or business associates (which, for the sake of brevity, I will refer to collectively as covered entities) must be ready for with respect to HIPAA audits.
The notion that health information should be kept private has metastasized into a set of requirements and protocols that have the capacity to virtually capsize any small-to-medium-sized covered entity unless it devotes significant resources, effort and focus to compliance.
Failure to do so is essentially playing Russian roulette with your practice, company or entity.
I am generally not an alarmist, but the apparent lack of awareness of the parameters of the regulatory landscape gives me pause. In this article, I will address two of the 169 enumerated items in the current version of the HIPAA audit protocol that OCR has published. As an aside, advance notice has already been given that an updated set of protocols is being prepared to reflect the Final Omnibus Rule. I think it is fair to assume that the new protocols will not be any less cumbersome than the current list. Much to the contrary, the prevailing view is that they may be even more detailed.
Of the 169 current items, 78 relate to Security, 81 to Privacy, and 10 to Breach Notification.
Within these three classifications, 40 items are marked required and 27 addressable. The remainder carry neither label: the required/addressable distinction applies only to the implementation specifications of the Security Rule, so the Privacy and Breach items (and the security standards that are not broken into implementation specifications) are simply marked n/a. Those items describe what the auditor will look at rather than how the covered entity may choose to implement a safeguard.
As if that were not enough, "addressable" does not mean optional in the usual sense of the word. An entity that chooses not to implement an addressable specification must document that decision, its rationale, and any alternative measure it adopted instead.
Rather than write in the abstract, I thought it would be much more productive to take the first required/security item and the first addressable/security item in the protocol and parse out what the regulations, the protocol and, ultimately, the auditor will be looking for (the text in the tables is taken from the HHS website).
Number 1
| Section | Established Performance Criteria | Key Activity | Audit Procedures | Implementation Specification | HIPAA Compliance Area |
|---|---|---|---|---|---|
| §164.308 | §164.308(a)(1): Security Management Process. §164.308(a)(1)(ii)(A) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. | Conduct Risk Assessment | Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI. | Required | Security |
I will not repeat what has already been set forth with respect to conducting a risk assessment. It is important, however, to note the following:
- The potential risks and vulnerabilities will vary significantly from one organization to another; this is not a one-size-fits-all document. To satisfy this requirement, the entity needs a real and thorough assessment of the physical layout of the operation, together with a thorough understanding of how and where ePHI is stored and how it is transmitted. Without a data map that inventories every system that stores, processes or transmits ePHI (and the flows between them), it will be difficult to write a defensible risk assessment. There are many things we understand but find hard to put on paper: most people know how to tie their shoes, but writing out every step of that well-understood activity is a daunting task. In very general terms you may know where your data is stored, but documenting it with the specificity a risk assessment requires is a very different matter.
- Completing a risk assessment once is not enough. Not only do changes in the entity's operations require updates to the risk assessment, the auditor is also tasked with determining whether the covered entity has conducted the assessment on a periodic basis and whether it identified all systems that contain, process or transmit ePHI. Doing it the first time is the hardest, but this has to become part of the entity's routine operation.
Let's jump to the first "addressable" security requirement.
| Section | Established Performance Criteria | Key Activity | Audit Procedures | Implementation Specification | HIPAA Compliance Area |
|---|---|---|---|---|---|
| §164.308 | §164.308(a)(3)(ii)(A): Workforce security – Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. | Implement Procedures for Authorization and/or Supervision | Inquire of management as to whether the level of authorization and/or supervision of workforce members has been established. Obtain and review the entity's organizational chart or other formal documentation and evaluate the content in relation to the specified criteria to determine the existence of chains of command and lines of authority. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. | Addressable | Security |
Once again, I will not repeat what has already been stated, except to point out that addressing this item requires documentation.
The covered entity needs an organizational chart or similar documentation showing chains of command and lines of authority. In addition, the workforce members who need access to ePHI to carry out their duties must be identified. For each workforce member or job function, the covered entity must identify which ePHI is needed and when, and make reasonable efforts to limit access accordingly. Covered entities should grant only the minimum access to ePHI that a workforce member needs to do his or her job.
For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, a covered entity decides if it will employ the addressable implementation specification, utilize an equivalent alternative measure that allows the entity to comply with the standard, or not implement the addressable specification or any alternative measures if equivalent measures are not reasonable and appropriate within its environment. Covered entities are required to document these assessments and all resulting decisions.
Factors that bear on what is "reasonable" and "appropriate" include cost, size, technical infrastructure and resources. Cost is one factor an entity must weigh in deciding whether to implement a particular security measure, but some appropriate measure must still be put in place. An addressable implementation specification is not optional, and the cost of a particular security measure does not relieve a covered entity of the obligation to meet the underlying standard.
Once again, this item is not a "do it once and file it away" exercise: the assessment and the resulting decisions must be revisited as the environment changes.
My analysis is far from comprehensive, and is not meant to convey any legal advice or opinion. At a practical level, a great deal of how an audit plays out depends on the totality of circumstances (including if the audit is random or precipitated by a breach), the totality of compliance, and the general preparedness of the company.
The purpose of this article is to delicately scratch the surface of what a HIPAA audit may include and alert readers that failure to take a very serious look at the requirements and prepare accordingly is essentially playing Russian roulette.
The good news is that there are many qualified consultants and lawyers who can be very helpful. It is important to remember that one advantage a law firm brings to the table is attorney-client privilege, which in many cases is an extremely important protection.