What's Next for Employer Group Health Plans and HIPAA Audits?

The Office of Civil Rights (OCR) recently ramped up its HIPAA Privacy, Security and Breach Notification audit program.  With the new administration, employers may be wondering (hoping?) that the audit program for HIPAA might be scaled back.  While the future is far from clear, right now it seems that HIPAA audits are not going away. 

Unlike other audit programs, this program generates significant revenue from the penalties and fines it collects. The first and second series of desk audits (information requests) were to be wrapped up in December 2016 with onsite audits to begin in 2017.  In 2016, HIPAA settlements reached record levels with total payments of $22,855,300 to resolve alleged HIPAA violations. 

Seven settlements were in excess of $1.5 million.  The largest HIPAA settlement ever with a single covered entity was announced in 2016 when OCR agreed to settle with Advocate Health Care Network for $5.5 million.  We expect this trend to continue through 2017.  In fact, OCR already announced its first HIPAA enforcement action for 2017 based on a not-for-profit hospital system’s failure to give timely breach notifications, which settled for $475,000. In addition to OCR audits, employers should be aware of claims that can be brought by individuals under state law.  Although an individual may file a complaint with OCR for a HIPAA violation and thereby prompt an OCR investigation, HIPAA does not provide a private cause of action. 

However, if an individual suffers damages as a result of a privacy violation, they may have a civil claim under state law.  Findings by OCR investigations can be used as strong evidence in individual lawsuits and some courts have held that HIPAA could be used as a basis in establishing the standard of care for negligence. With the ever increasing penalties assessed and individuals suing under state law for privacy violations, it is imperative that employers take their HIPAA policies and procedures off the shelf and verify that they are being followed, as well as take other steps to protect themselves. 

Below are some key steps employers sponsoring group health plans can take for HIPAA compliance and to reduce risk of a breach: 

• Review your HIPAA policies and procedures annually for any necessary changes.  If no changes are needed, document this in your files along with the date policies were reviewed. 
• Train your firewall workforce (those employees permitted to handle protected health information under your policies) annually, each new hire upon hiring, and whenever material changes are made to the policies and procedures.
  • 1. Require strong passwords and prohibit sharing of passwords.
  • 2. Implement policies that leave work out of social media postings. 3. Prohibit selfies around protected heath information. 
• Conduct an annual risk assessment and keep a copy of the completed risk assessment in your files.  Pay special attention to new hacking mechanisms and make sure the appropriate IT systems are in place and staff is appropriately trained.
  • 1. Ransomware is a major concern for 2017 and beyond. Ransomware is malicious software that  prevents or limits access to user’s data, usually by locking the system’s screen or by locking the  user’s files unless ransom is paid.  If the software merely collects protected health information,  the OCR takes the position that there is a breach.
  • 2. Train staff to avoid opening unverified emails or clicking links within them.
  • 3. Frequently back up data and test restorations to verify the integrity of backed-up data. Backups  should be maintained offline and be unavailable from networks.
  • 4. Regularly update software and applications, anti-virus programs and operating systems.
  • 5. Implement browser filters and limit use of unsecure websites. 
• Covered entities should do their due diligence before contracting with a business associate and should periodically monitor the business associate.  To complete a thorough diligence review of a business associate, the covered entity should request from the potential business associate:
  • 1. Copies of the business associate’s policies and procedures;
  • 2. Proof that it is conducting annual risk assessments; and
  • 3. Proof that the staff members are being trained annually. As with employers’ other regulatory compliance efforts, it is important to not underestimate the value of actively implementing the HIPAA compliance plan and documenting those efforts. 

The above recommendations will maximize compliance and reduce the risk of breach.  As a result, if the OCR comes on site to conduct its audit - which it most likely will, regardless of the change in administration - the groundwork will have been laid for a more productive and less nerve-wracking visit.