Keep Your Data Secure: The Phase II HIPAA Audit Process Has Begun and Hackers Have Targeted Smaller Entities!

Article

The Business Advisor

Summer 2016

Deven McGraw, the Deputy Director of Health Information Privacy at the Office of Civil Rights (“OCR”) of the US Department of Health and Human Services, was recently interviewed by Marianne Kolbasuk McGee, the Executive Director of the HealthcareInfoSecurity.com media site. During that interview, Ms. McGraw provided advice concerning the Phase II HIPAA audit process, which began this spring.

According to Ms. McGraw, in May of this year, OCR was still verifying contact information in order to assemble a robust sample for the Phase II audits; in other words, OCR had not yet finished identifying and selecting auditees. Covered Entities should not, therefore, conclude that they will not be audited merely because they have not yet heard from OCR, since OCR is still seeking potential auditees. Only once it is clear (from media reports or notices issued by OCR) that the selected Covered Entities are actually being audited can a Covered Entity that has not been contacted conclude that it will not be audited. OCR is reaching out to Covered Entities via email, so Ms. McGraw recommends that Covered Entities’ appropriate personnel regularly check their inboxes and spam filters for communications from OCR.

Per Ms. McGraw, once OCR has gathered what it deems a sufficiently robust sample of Covered Entities, it will select auditees. The audits are expected to commence this summer, if they have not actually commenced. Initially, OCR will conduct desk audits. Onsite audits will follow.

The first step in the audit process will be the issuance of document requests. Among other things, OCR will request the names and contact information of Covered Entities’ Business Associates. OCR anticipates creating a sample of the Business Associates it will audit from those identified by Covered Entities. The audits of Business Associates will not begin until the audits of Covered Entities are underway.

As it did with the Phase I audits, OCR has issued a protocol for the Phase II audits, as well as a 418-page “cheat sheet.” The protocol identifies several provisions of the HIPAA Privacy and Security Rules on which the Phase II audits will focus. According to Ms. McGraw, because those rule provisions have been in place for some time, auditees should be in compliance with them. Covered Entities, therefore, should have at hand for OCR’s review information demonstrating their compliance with those provisions. To emphasize that point, Ms. McGraw reminded her listeners that Covered Entities will have ten (10) business days in which to respond to OCR’s document requests.

Ms. McGraw also recommends that Covered Entities use the Phase II audit protocol as a self-assessment tool. Recent developments demonstrate the importance of Ms. McGraw’s advice in that regard. In 2015, hackers focused their attacks on large insurers like Anthem and Premera, as well as large medical centers like UCLA. In 2016, however, smaller entities have been hacked. For example, an eleven-member physician practice, Medical Colleagues of Texas, located in Katy, Texas, was hacked, resulting in the compromise of the protected health information of 50,000 patients. In other words, smaller entities are now on hackers’ radars. One commentator expressed a concern that, because the hackers focusing on smaller entities are not as savvy as those hacking into larger and better protected entities, they are seeking to quickly monetize the information they have obtained. Consequently, the patients of smaller victims of hacking may be more likely than the patients of larger victims to find their protected health information being used and disclosed. For that reason, all Covered Entities and Business Associates, regardless of whether they are audited, should review and, where necessary, upgrade the security and privacy of the protected health information in their possession.

Please contact the author for further information about either the Phase II audits or the HIPAA Privacy and Security Rules.