Earlier this year, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that it would be conducting “Phase 2 Audits” of covered entities and business associates for compliance with the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA”). These audits will focus, in part, on a covered entity’s or business associate’s security risk assessments, mitigation plans, breach notification procedures, encryption and training and the necessary privacy and security policies and procedures. The OCR expects that these Phase 2 Audits will commence in the fourth quarter of 2015 and into 2016.

The commencement of the Phase 2 Audits follows several significant HIPAA enforcement proceedings:

• St. Elizabeth’s Medical Center, located just outside of Boston, allegedly failed to conduct a risk assessment before its employees used a cloud document-sharing tool and failed to respond to a security incident in a timely manner, leading to a $218,400 fine.
• A five-physician medical practice in Arizona agreed to a $100,000 settlement for failing to have business associate agreements with the practice’s software vendors.
• Cancer Care Group, a 13-physician radiation oncology practice in Indiana, recently signed a $750,000 settlement stemming from the theft of a laptop and unencrypted media containing protected health information (“PHI”) of approximately 55,000 patients. Please see our Client Alert discussing this case.

HIPAA establishes federal standards for protecting individuals’ PHI and electronic PHI (ePHI) that is created, received, used or maintained by hospitals, doctors and group health plans (covered entities), and service providers to covered entities (business associates). The standards require that covered entities and business associates create, implement and maintain appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of PHI and ePHI. OCR is responsible for the enforcement of these HIPAA standards. It performs audits and conducts investigations, and has the authority to impose civil penalties.

OCR conducted a pilot Phase 1 Audit program in 2011. Following those audits, OCR published an audit protocol that is a valuable tool for covered entities and business associates to conduct internal assessments of key HIPAA requirements.

The Phase 2 Audits will include both covered entities and business associates. If the recent enforcement actions and settlements are a sign of things to come, both covered entities and business associates should consider conducting comprehensive risk assessments to identify issues before the Phase 2 Audits begin. We expect OCR will look to see whether organizations have conducted practice-wide risk assessments to identify technical and procedural vulnerabilities, and whether those assessments resulted in remediation strategies, as well as operational policies and employee training.

We recommend that covered entities and business associates take the time to review their security programs to identify potential HIPAA compliance issues. If you would like any assistance with these assessments, or if you have questions regarding your HIPAA obligations, please contact any member of the Employee Benefits Group listed below or your Kutak Rock LLP attorney.

Additional Information

For more information regarding our employee benefits practice and for recent employee benefits news and alerts, please contact your Kutak Rock attorney or an attorney listed below.