The OCR is laying the foundations that will allow it to start a permanent audit program with the implementation of a new HIPAA web portal ahead of the second round of audits. The new portal will streamline data collection and will ultimately allow the OCR to conduct more audits.
HIPAA Web Portal Essential to the Smooth Running of the Compliance Audits
The audits place a considerable administrative burden on OCR auditors due to the sheer volume of paperwork which must be collected, checked and assessed. It was therefore essential for the OCR to ease that burden and make the process more streamlined and efficient before the start of the next phase of audits.
The second round of HIPAA compliance audits was delayed last year for this reason. The results of the pilot audits have been analyzed, the focus areas for the next phase have been determined and the data collection process has now been streamlined. Covered entities – and their business associates – will not have long to wait to find out whether they are to be audited, as the OCR appears to be on track to commence the audits this year as expected.
Previously the form used to report data breaches consisted of a single page, but it has now been replaced with a wizard that guides the user through the reporting process. The new wizard is written in Java and has been designed to make reporting as straightforward as possible, while allowing the HHS to compile more detailed HIPAA compliance reports on healthcare organizations.
The new HIPAA web portal has been programmed to take the user to specific questions related to the breach and it will provide auditors with the information they need to have in order to accurately assess data breaches for HIPAA violations. It allows questions to be asked of specific covered entities, such as healthcare providers, health plans and business associates, and will route the user to the appropriate questions based on their previous answers.
The previous form required more detailed information about the breach itself and how it occurred; the OCR previously asked for the security measures in place prior to the breach in order to assess for noncompliance. In the new HIPAA web portal the OCR instead asks for more information about what the covered entity has done since the breach. The OCR wants to see evidence of prompt action to correct security issues and mitigate damage. It is less concerned with how the breach occurred, and requires information on security measures only in general terms.
A breach cannot be undone, but future breaches can be prevented. The OCR wants to see evidence of action, and now requires users to select from 15 options to indicate exactly what has been done since the breach was discovered to notify the affected individuals, mitigate any damage caused and close any gaps in security that could lead to a further breach.
The options include:
- Adopted encryption technologies
- Changed password / strengthened password requirements
- Created a new/updated Security Rule Risk Management Plan
- Implemented new technical safeguards
- Implemented periodic technical and nontechnical evaluations
- Improved physical security
- Performed a new/updated Security Rule Risk Analysis
- Provided business associate with additional training on HIPAA requirements
- Provided individuals with free credit monitoring
- Revised business associate contracts
- Revised policies and procedures
- Sanctioned workforce members involved (including termination)
HIPAA Web Portal Requires More Detailed Information on PHI Breaches
The portal was updated before the annual deadline for reporting the previous year's smaller breaches (those affecting fewer than 500 individuals, which must be reported within 60 days of the end of the calendar year in which they were discovered), so any organization that has not yet reported its breaches will now have to do so in more detail. The timing also means that the OCR will be able to scrutinize the smaller breaches of 2014 and could use this information to select organizations to audit.
There was no extra money available for the OCR in 2014, which has forced it to operate more efficiently. It has improved its processes, has a new Director and is gearing up for a large round of audits. The 2016 budget proposal allocates more funding to the OCR to help it police HIPAA more thoroughly.
The next two years are therefore likely to see much greater enforcement activity from the OCR, and more fines are likely to be issued to organizations too slow to comply with the HIPAA Privacy, Security and Breach Notification Rules.