Smith, Gambrell & Russell, LLP

ERISA Newsletter
GETTING SERIOUS ABOUT HIPAA – Privacy and Security Audit Program Protocols $1.7 Million Fine for Security Rule Violation

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is continuing its active HIPAA privacy and security audit program.

Audit Protocols.  OCR recently released the protocols it will use in its pilot HIPAA audit program.  The audits, as previously described in the November 21, 2011 HRBenefits Authority article, OCR Privacy and Security Audits, (i) will target certain health plans, health care providers, and health care clearinghouses, and (ii) will assess compliance with the HIPAA privacy, security and breach notification rules.

The comprehensive audit protocols have been released to the public through OCR’s website (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html) and are presented as two searchable grids—one for the HIPAA security rules and another for the HIPAA privacy and breach rules.  There are over 160 separate areas of compliance, each with corresponding questions that may be asked as part of the pilot audit program.

Security Rule Violation and Penalty.  OCR takes violations seriously, and failures found through an OCR audit or self-reported as required by the HIPAA security rules can result in very significant financial and other penalties.  For example, on June 25, 2012, OCR and the Alaska Department of Health and Social Services (ADHSS) reached an agreement in which ADHSS will pay HHS $1.7 million to settle violations of the HIPAA security rules.

In late 2009, as required by the HIPAA breach notification rules, ADHSS self-reported a possible security breach involving the theft of a USB drive containing protected health information (PHI) from an employee’s vehicle.  This incident prompted OCR to conduct an investigation into ADHSS’ general HIPAA compliance, after which it concluded that ADHSS had violated the HIPAA security rules by failing to:

  • Perform a risk analysis;
  • Implement sufficient risk-management measures;
  • Provide security training for its employees;
  • Implement device and media controls; and
  • Properly encrypt media devices.

In addition to paying a $1.7 million fine, the second largest ever for HIPAA violations, ADHSS executed a detailed corrective action plan containing new policies and procedures regarding its handling of electronic PHI.

A No-Win Situation.  The penalty in the ADHSS situation demonstrates the predicament that results from a HIPAA security violation.  The employer is required to report the violation, which probably will lead to an OCR audit, which may lead to steep penalties.  Perhaps, if ADHSS had followed most of the HIPAA security rules and the reported violation had been a discrete exception, all or most penalties would have been avoided.  Nevertheless, OCR is taking the rules seriously, and a few ounces of compliance can save a great deal.

Contact Information.  For more information on these HIPAA audit developments from Mazursky Constantine, please contact Amy Heppner (404.888.8825), Kelly Meyers (404.888.8838). For more information from VCG Consultants, please contact Leslie Schneider (770.863.3617).
