HHS has become more aggressive with audits, and with increased penalties, covered entities and business associates simply cannot afford to be unprepared for an audit of their compliance with HIPAA rules and regulations. In March of 2016, HHS's Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program, and released an update on the program last April. The Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and used by covered entities and business associates to meet the requirements of HIPAA's Privacy, Security, and Breach Notification Rules. These audits will primarily be conducted off-site, through the production of documents; however, some may be conducted on-site.
To select entities for audit, OCR is requesting certain information about covered entities and business associates, including the contact information, size, type, and operations of potential auditees. From this data, OCR is creating an audit pool.
If an entity does not respond to OCR's request to verify its contact information or provide answers to additional questions, OCR will use publicly available information about the entity to place it in its audit subject pool.
The data from 2016 has reflected HHS's increased audit activity. Below is a summary of some key findings.
In 2016, OCR reported $23.5 million in payouts for HIPAA violations. This was a record high; the previous high was $7.9 million in 2014. Average payouts have also increased: in 2016 the average HIPAA penalty payout was $1.81 million, up from $1.03 million in 2015.
Further, in 2016 the top causes of HIPAA breaches were unauthorized access/disclosure (44%) and hacking and IT incidents (33%). Health care providers were the target of 79% of breaches, the highest share on record, and health plans were the target of 14% of breaches, the second highest on record.
Covered entities and business associates would be prudent to conduct a self-audit and correct any HIPAA issues themselves, rather than allowing HHS to uncover those issues and subjecting themselves to an audit and potential penalties. HIPAA compliance is a time-consuming process; however, it is a must in light of increased federal audit activity and increased fines.