HIPAA – A Roll of the Compliance Dice

by ih-coc admin

by Jay Hodes, President - Colington Consulting

Some organizations may view HIPAA compliance as a roll of the dice because, let’s face it, the chances of any type of random audit are slim to none. Those are pretty good odds, right? The HHS Office for Civil Rights (OCR), the agency that enforces HIPAA compliance, can barely keep up with the extraordinary amount of reported breaches occurring in this country nearly every day. As a result, OCR is more reactive than proactive in its enforcement efforts.

There are just under 400 open breach investigation cases being handled by OCR. And because OCR is faced with a limited staff and the potential for an operating budget reduction, there is very little chance random audits will occur. Even the OCR Director indicated that the random audit program, whose Phase Two was completed last year, will probably not be continued.

But that does not mean organizations should gamble and not put any effort into instituting or managing a comprehensive HIPAA compliance program. They should not bet against the house—in this case OCR.

When a breach does occur, it opens a Pandora’s box of problems for organizations that are HIPAA Covered Entities or Business Associates. These organizations are required to report the breach to OCR. There are also different reporting timelines based on the number of individuals affected by the breach. If the breach affects 500 or more individuals, OCR must be notified without unreasonable delay and no later than 60 days from discovery of the breach; if it affects fewer than 500, the notification must be made within 60 days of the end of the calendar year in which the breach was discovered. Then the investigation phase begins.

As part of OCR’s breach investigation, organizations should be prepared for what I call the “document dump.” OCR is going to request a number of documents. These will include the organization’s most recent HIPAA Security Risk Assessment, all or some of its HIPAA policies and procedures, and information/documentation on how the organization trained its workforce. Additionally, OCR will require a detailed narrative of how the breach occurred, what corrective actions were taken, and how the member(s) of the workforce who caused the breach were disciplined or “sanctioned.” Putting this documentation together will be time-consuming and most likely will require a lawyer or consultant who specializes in HIPAA compliance.

Just like the tax regulations, the HIPAA Security Standards and Implementation Specifications are contained in the Code of Federal Regulations (CFR), at 45 CFR Parts 160 and 164. These regulations mandate how to protect the privacy and security of Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI) as defined in the HIPAA regulations, alongside other federal and state laws protecting the confidentiality of personal health information. Not complying with the requirements is a violation of federal law.

Organizations must put comprehensive HIPAA policies and procedures in place, conduct accurate and thorough HIPAA Security Risk Assessments, and provide annual HIPAA Security Awareness and Privacy Training to their workforce. All of this helps organizations hedge their bets when it comes to a breach investigation. Demonstrated compliance with the HIPAA regulations can help an organization avoid entering a monetary settlement process with OCR. In that case, even with a reported breach, the organization may avoid a possible fine, and only corrective action will be required. But the outcome will depend on the strength of the organization’s compliance program. Therefore, organizations should not roll the dice, because the house will always win.