In Part 1 of this series, we examined the purpose and general background of the HIPAA Audit Program. In this second part of the series, we will take an in-depth look into the HIPAA Audit findings to see what issues are tripping up providers the most. Remember: while the pilot phase of the program was intended to be educational, OCR has stated that future violations can and will be accompanied by sanctions, up to and including civil monetary penalties.
In its 2012 HIPAA Audit Pilot Program, OCR sought to create a cross-section of providers and payers to assess trends in HIPAA compliance. The sample included large, medium, and small provider groups, community hospitals, outpatient surgery clinics, pharmacies of all types, and many other entity types. Despite the wide mix of auditees, OCR found consistent patterns of noncompliance with the Security Rule, the Privacy Rule, and the Breach Notification Rule. At a high level, OCR recently summarized the major issues as follows:
1. Security gaps accounted for 60% of the audit findings
2. Only 11% of all selected entities had no discovered HIPAA violations
3. Smaller providers struggle the most with HIPAA compliance
Specific to the Security Rule findings, OCR learned that nearly two-thirds of all entities (including about 80% of all providers) either had not performed a risk assessment at all or had only an incomplete one on file. Moreover, access management, media movement (including PHI-containing mobile devices), and data encryption were found to be serious areas of concern, together accounting for over one-third of all Security Rule violations. OCR even went as far as to diagnose the underlying cause: entities are simply unaware of the requirements they are violating.
Fortunately for those selected in the pilot program, this “willful ignorance” was, in most cases, not enough to prompt sanctions. That is about to change. OCR undertook the year-long pilot to collect data on where the biggest HIPAA compliance gaps were and to share those findings with entities that will be audited in the future. Providers have effectively been put on notice. So if you are a provider and have been neglecting your risk assessments, allowing workforce members to store or share PHI on their mobile devices, or not encrypting PHI in motion, now is the time to start righting the ship before the full audit program is rolled out in 2014.
In Part 3 of this series, we will cover the extension of the HIPAA Audit Program as well as the best practices providers should adopt to minimize their audit exposure.