Monthly Archives: March 2015

What Is an Elephant? – An Ant Built to Government Specification


When I was a lot younger, the title to this post was a joke that was often bandied about.

It is entirely possible, however, that the new elephant is what covered entities and/or business associates (which, for purposes of brevity I will refer to as covered entities) must be ready for with respect to HIPAA audits.

The notion that health information should be held private has metastasized into a set of requirements and protocols that have the capacity to virtually capsize any small-to-medium-sized covered entity unless it places significant resources, effort and focus on compliance.

Failure to do so is essentially playing Russian roulette with your practice, company or entity.

I am generally not an alarmist, but the apparent lack of awareness of the parameters of the regulatory landscape gives me pause. In this article, I will address two of the 168 enumerated sections of the current draft of what OCR has set forth as the HIPAA Audit protocols. As an aside, advance notice has already been given that there is an updated set of protocols being prepared that will reflect the Final Omnibus Rule. I think it is fair to assume that the new protocols will not be any less cumbersome than the current list. Much to the contrary, the prevailing view is that they may be even more detailed.

Of the 169 current items, there are issues that relate to Security (78), Privacy (81), and Breach (10).

Within these three classifications, though, 40 are required, 27 are addressable, and the remainder are n/a as they deal more with what the auditors have to contend with than with what the covered entity has to do.

If this is not enough, “addressable” does not really mean optional in the typical sense of the word, as failure to address the issue must be accompanied with a reason why it was not addressed.

Rather than write in the abstract, I thought it would be much more productive to take the first required/security item as well as the first addressable/security item in the protocols and try to parse out what the regulations, protocols and ultimately the auditor will be looking for (the information in the boxes is from the HHS website).

Number 1

Section: §164.308 – §164.308(a)(1): Security Management Process
Established performance criteria: §164.308(a)(1)(ii)(a) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Key activity: Conduct Risk Assessment
Audit procedures: Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.
Implementation specification: Required
Type: Security

I will not repeat what has already been set forth with respect to conducting a risk assessment. It is important, however, to note the following:

  1. The potential risks and vulnerabilities will vary significantly from one organization to another. This is not a one-size-fits-all document. As such, in order to comply with this requirement/protocol, it is important to have a real and thorough assessment of the physical layout of the operation, as well as a thorough understanding of how and where ePHI is stored and how it is communicated. Without a data map, it might prove difficult to properly set forth the risk assessment. There are many things we understand but find very difficult to put to paper. For example, most people know how to tie their shoes, but if directed to write out the various steps involved in this well-understood activity, they would find it a daunting task. In very general terms, you may know where your data is stored, but detailing this information with the required degree of specificity in a risk assessment may prove to be a very different story.
  2. Completing a risk assessment is apparently not enough. Not only do actual changes in the operation of the entity require updates of the risk assessment, the auditor is tasked with determining if the covered entity has conducted a risk assessment on a periodic basis, and if the assessment identified ALL systems that contain, process or transmit ePHI. It would seem that doing it the first time is the most difficult, but this is something that has to become part of the entity’s routine operation.

Let’s jump to the first “addressable” security requirement.

Section: §164.308 – §164.308(a)(3)(ii)(A): Workforce security
Established performance criteria: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Key activity: Implement Procedures for Authorization and/or Supervision
Audit procedures: Inquire of management as to whether the level of authorization and/or supervision of workforce members has been established. Obtain and review the entity’s organizational chart or other formal documentation and evaluate the content in relation to the specified criteria to determine the existence of chains of command and lines of authority. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.
Implementation specification: Addressable
Type: Security

Once again, I will not repeat what has already been stated, except to point out that in order to address this issue, documentation is required.

Either an organizational chart or similar documentation of the covered entity’s structure is necessary. In addition, workforce members that need access to ePHI to carry out their duties must be identified. For each workforce member or job function, the covered entity must identify the ePHI that is needed, when it is needed, and make reasonable efforts to control access to the ePHI. Covered entities must provide only the minimum necessary access to ePHI that is required for a workforce member to do his or her job.

For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, a covered entity decides if it will employ the addressable implementation specification, utilize an equivalent alternative measure that allows the entity to comply with the standard, or not implement the addressable specification or any alternative measures if equivalent measures are not reasonable and appropriate within its environment. Covered entities are required to document these assessments and all resulting decisions.

Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be effected. An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

Once again, this protocol is probably not a “do it once and file it away” issue.

My analysis is far from comprehensive, and is not meant to convey any legal advice or opinion. At a practical level, a great deal of how an audit plays out depends on the totality of circumstances (including whether the audit is random or precipitated by a breach), the totality of compliance, and the general preparedness of the company.

The purpose of this article is to delicately scratch the surface of what a HIPAA audit may include and alert readers that failure to take a very serious look at the requirements and prepare accordingly is essentially playing Russian roulette.

The good news is that there are many qualified consultants and/or lawyers that can be very helpful. It is important to remember that one advantage a law firm brings to the table is attorney/client confidentiality, which in many cases is an extremely important protection.

HIPAA Audits – Imagine Tax Payments without IRS Audits


We can probably all agree that no one (except possibly accountants) looks forward to an IRS audit. At its most elemental level, there is virtually no upside, a possible downside and a deep feeling that, at best, it will disrupt our lives.

HIPAA audits are essentially no different.

One major difference is that for almost all taxpayers, the idea and the real possibility of an audit existed when they filled out their tax returns. With respect to HIPAA, initially enacted approximately 20 years ago, there was (and, in some cases, still is) some mental block or disconnect regarding audits, penalties, and fines for noncompliance — choose one.

For a little historical background, HIPAA was enacted as a broad Congressional attempt at healthcare reform; it was initially introduced in Congress as the Kennedy-Kassebaum Bill. The landmark Act was passed in 1996 with two objectives.

  1. One was to ensure that individuals would be able to maintain their health insurance between jobs. This is the Health Insurance Portability part of the Act. Because of its successful implementation, it has become “part of the system” and does not get much coverage.
  2. The second part of the Act is the “Accountability” portion. This section is designed to ensure the security and confidentiality of patient information/data.

Over the years, there have been many additions, clarifications and new portions added to this legislation. All of the changes and details are far beyond the scope of this post; that said, I will list a few.

HIPAA Requirements – Security
Compliance Date – April 20, 2005

The HIPAA Security Rule became effective on April 20, 2005. The Security Rule standards define how we are to ensure the integrity, confidentiality, and availability of our patients’ electronic protected health information (ePHI). The Security Rule requires that we have administrative, physical and technical safeguards for protecting ePHI. Some (but clearly not all) examples are:

Administrative Safeguards:

  1. Assigning or delegating security responsibility to an individual – Chief Security Officer.
  2. Training workforce members on security principles and organizational policies/procedures.
  3. Terminating workforce members’ access to information systems.
  4. Reporting and responding to security incidents.

Physical Safeguards: mechanisms to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion.

  1. Limiting physical access to information systems containing ePHI (e.g., server rooms).
  2. Preventing inappropriate viewing of ePHI on computers.
  3. Properly removing ePHI from computers before disposing or reusing them.
  4. Backing up and storing ePHI.

Technical Safeguards: automated processes used to protect data and control access to data.

  1. Providing users with unique identifiers for accessing ePHI.
  2. Accessing ePHI during an emergency.
  3. Encrypting ePHI during transmission.
  4. Automatically logging off users after a determined time period.

Patient Privacy/Security and Technology
As we use technology to improve patient care, we are faced with additional challenges to protect patient information from unauthorized use and disclosure.

In February 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”). HITECH makes significant changes to HIPAA’s administrative simplification provisions pertaining to privacy and security, including notifying individuals (and in some instances, media outlets) when there has been a privacy/security breach.

Previously, covered entities (healthcare providers, health plans and healthcare clearinghouses) were obligated to mitigate harm caused by unauthorized disclosures of protected health information (“PHI”), but not required to give notice to the individuals whose information was inappropriately disclosed. With HITECH, covered entities and business associates are required to notify individuals when security breaches occur with respect to “unsecured” information. Unsecured information means information not protected through technology or methods designated by the Federal government. In addition, if the breach involves 500 or more individuals, notice to the U.S. Department of Health and Human Services and the media is also required. Depending on the number of people affected by the breach, the time to report the breach changes as well.

While very large healthcare providers have been forthcoming with respect to breach notification, and other providers have been caught when information was breached, we have not yet really had an audit process that would significantly motivate medical providers (especially smaller organizations) to deal with these laws/regulations with the same attention they might give their tax returns. It is only natural that people act based on the consequences of their actions. That is not to say that we should not take the laws seriously, but human nature is still human nature. If I am wrong, the IRS would have no need to audit taxpayers.

To that end, a pilot program was initiated to develop protocols and evaluate the HIPAA compliance of 115 covered entities. In addition, the methodologies employed in ascertaining compliance were also audited for their effectiveness. In the fourth quarter of 2011, 20 covered entities were selected and received a letter requesting documents, and thereafter on-site reviews began in the first quarter of 2012.

The audit protocol is available at

Subsequently, more entities were audited, and the results of the phase one findings (in this case, findings are not good) showed that only approximately 11% of the 115 entities had no findings. The 11% were comprised of two providers, two clearinghouses and nine health plans.

Additionally, 60% of the findings related to security, which was more than the privacy and breach notification findings combined. This is actually reasonable considering that every entity has security obligations, but not every entity has a breach or a breach notification issue. The same rationale applies to privacy issues.

Providers had 65% of the findings and observations, although they were only 53% of the entities reviewed.

The frightening part is that the smaller entities had issues with everything.

With respect to security, two-thirds of the entities did not have complete or accurate risk assessments. The other problem areas for providers ran the gamut of issues.

In cases where there were breaches, notification to individuals was the biggest issue.

What can we expect in 2015?

OCR will contact approximately 550 to 800 covered entities for pre-audit surveys; it will use the survey results to select 350 covered entities for an audit. Those entities will have to identify their business associates and provide contact information, at which point OCR will select business associates for audit.

OCR plans to conduct on-site audits as well as desk audits, which will presumably be staffed by OCR.

Entities will have two weeks to respond to data requests. All information submitted must be current as of the date of the request. Therefore, an entity cannot wait until it receives a request to begin reviewing and updating its HIPAA policies and practices. Failure to respond to the request may lead to referral for a compliance review.

It is difficult to know how quickly this will be rolled out in 2015.

There are many entities that should be preparing themselves, as there are many law firms, consultancies and other entities that are gearing up to provide assistance to (virtually) the full vertical of medical coverage that could be subject to this ever-increasing audit regimen.

From a practical perspective, the more audits, the more fines, the more money, the greater expansion of audits.

A word of caution — this article is not meant to offer any legal advice, and does not represent the totality of legal/regulatory requirements, the scope of the audits, or the compliance or remedial measures that entities should take. In addition, there may be state laws and regulations that come into play.

The real concern is that the smaller practices or covered entities may be caught totally off guard. These laws are an important component of the operations of these entities. In sum, it is the new reality.