OCR Assess Over $5 Million in HIPAA Penalties, Formally Announces Phase 2 Audits

by Leonardo M. Tamburello

Coming in like the proverbial March lion, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two Resolution Agreements and penalties totaling over $5 million and the launch of its long-awaited 2016 Phase 2 HIPAA Audit Program.

Lack of Encryption and Other Failings, Lead to Substantial HIPAA Fines

Both recently announced resolution agreements arise from familiar facts involving the theft of an unencrypted laptop computer containing electronic protected health information (ePHI) from a vehicle.

On March 17, 2016, OCR announced the $1.55 million settlement of potential HIPAA violations arising from the theft of an unencrypted, password-protected laptop containing the ePHI of 9,497 individuals from a business associate’s locked vehicle in September 2011. Upon investigation it was discovered that no business associate agreement existed between the covered entity and its business associate which was tasked with providing payment and health care operations activities and had access to almost 300,000 patients’ data. It was further determined that the covered entity had not performed a risk assessment as required by the Security Rule to address all potential risks and vulnerabilities to the ePHI which it maintained, accessed, or transmitted across its entire IT infrastructure. In addition to the $1.55 million fine, a two-year corrective action plan and workforce retraining are required under the settlement.

The next day, on March 17, 2016 OCR announced a near-record $3.9 million settlement resolving potential HIPAA violations with a research institute arising from a laptop computer stolen in September 2012 which contained the ePHI of approximately 13,000 patients and research participants. A subsequent investigation discovered that among other deficiencies, the institution had inadequate security practices, lacked policies and procedures regarding access to ePHI, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.

As we have previously noted on this blog, robust encryption is quickly becoming industry standard, and there are few reasons not to implement it for mobile devices such as laptops. Had the laptops been properly encrypted as part of a larger risk assessment and risk management plan, these losses would not have constituted reportable “breaches” for HIPAA purposes.

2016 Phase 2 HIPAA Audit Program Formally Launches

On March 21, 2016, OCR announced the formal beginning to the long-awaited 2016 Phase 2 HIPAA Audit Program (the “Phase 2 Audits”) through which it will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

As this blog previously reported, the Phase 2 Audits will primarily be “desk audits,” meaning that the will be conducted through information requests sent by OCR via email to selected covered entities and business associates, although a limited number of on-site audits will also be conducted.

The audit process will begin with verification of an entity’s address and contact information followed by a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools. If no response is received by email, OCR will use publically available information about the entity to create its audit subject pool. Thus, entities that do not respond to OCR emails may still be selected for an audit or be subject to a compliance review. Spam filters should be carefully reviewed to ensure that OCR communications are not inadvertently discarded.

OCR is expected to post updated audit protocols on its website which will reflect the 2013 enactment of the HIPAA Omnibus Rule. These can also be used by organizations to conduct their own internal self-audits as part of ongoing HIPAA compliance activities. More information about the 2016 Phase 2 Audits can be found on OCR’s website, including key information regarding audit selection criteria based on entity size, affiliations, type of entity, and geography and past enforcement history with OCR.

Audit selectees should keep in mind that information disclosed during the audit process may trigger a more thorough compliance review.