Office for Civil Rights Posts HIPAA Phase II Audit Guidance and Advocate Health Care Settlement Information

King & Spalding

The Office for Civil Rights (OCR) recently posted two items of interest: information regarding the largest settlement to date against a single entity, Advocate Health Care Network (Advocate), and guidance materials for the HIPAA Phase II Desk Audits.

Advocate Health Care Pays $5.55 Million Settlement and Adopts Corrective Action Plan

Advocate has agreed to pay $5.55 million and adopt a two-year corrective action plan to settle multiple potential violations of HIPAA. According to OCR, this is the largest settlement against a single entity to date. The resolution agreement and corrective action plan are available here.

OCR's investigation of Advocate began in 2013 after the company reported three separate breaches involving its subsidiary, Advocate Medical Group (AMG). The combined breaches affected the electronic protected health information (ePHI) of approximately 4 million individuals and were caused by:

  • The theft of four desktop computers from an AMG administrative office building;
  • Unauthorized third-party access of AMG’s billing service provider’s (Blackhawk Consulting Group) network; and
  • The theft of an unencrypted laptop containing the ePHI from an AMG workforce member's vehicle.

According to OCR, the breach investigation revealed that Advocate failed to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI as part of its HIPAA compliance program;
  • Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • Enter into a business associate agreement with Blackhawk, resulting in the impermissible disclosure of PHI from AMG to Blackhawk; and
  • Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

2016 Phase II HIPAA Desk Audit Guidance

OCR recently posted guidance documents for the 2016 Phase II HIPAA Desk Audits (Desk Audits), namely:

  • Selected Desk Audit protocol elements with the document requests for each element (Document Request List) and related Q&As (collectively, the Protocol, available here);
  • Slides from the July 13, 2016 informational webinar for audited entities (Webinar Slides); and
  • Comprehensive question and answer listing (Q&A List).

The Document Request List offers insight into the kinds of documentation OCR expects in response to the Desk Audits (and audits generally) and the level of documentation it considers necessary to demonstrate HIPAA compliance. That level may take some covered entities and business associates by surprise. For example:

  • For Security Rule risk management processes, OCR requests:
    • Policies and procedures regarding the entity's risk analysis and risk management processes;
    • Documentation demonstrating the efforts used to manage risks from the previous calendar year; and
    • Documentation demonstrating the security measures implemented to reduce risks as a result of the current risk analysis or assessment.
  • For Privacy Rule compliance, OCR requests:
    • All documentation for the first five access requests of the year and evidence of their fulfillment;
    • All documentation for the last five access requests for which the entity extended the time to respond; and
    • Any template request and response letters and the policies and procedures related to access requests.

The Webinar Slides are from OCR's July informational webinar for audited entities regarding the Desk Audit process and are available here. According to the Webinar Slides, OCR anticipates that business associate desk audits will commence in the fall (likely late September). The slides further indicate that these audits may include covered entities and business associates that were already subject to the desk audits, as well as newly selected entities that were not part of the desk audit process. Most business associates will be selected from the pool identified by covered entities in their responses to the Desk Audits.

The Webinar Slides indicate that once the Desk Audits are complete, OCR will begin on-site audits in early 2017, with notification to selected entities expected in late fall. The on-site audits will cover a comprehensive set of HIPAA compliance controls rather than the limited set of elements in the Desk Audits. For this reason, covered entities and business associates should prepare for the on-site audits using the full 2016 Audit Protocol.

The Q&A List contains questions and answers directly related to the Desk Audit process itself and provides general explanations of what OCR considers appropriate documentation in response to its requests. The Q&A List is available here. For example, OCR explains that, in addition to paper copies, it wants to see photographs (with the text legible) of the required Notices of Privacy Practices posted on the walls of covered entities' facilities. As another example, OCR indicates that it expects current Security Rule risk analyses to be uploaded, and that it is not concerned about that information becoming public under FOIA because of the exemption protecting trade secrets and confidential commercial or financial information.

While OCR states that the Phase II Audits are a compliance tool and are not intended as an enforcement tool, multiple recent high-dollar settlements and Resolution Agreements (which now involve both covered entities and business associates) indicate that OCR is trending toward a higher rate of HIPAA enforcement and higher penalties.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
