Covered entities have been required to comply with the HIPAA Security Rule since 2005, with the HHS Office for Civil Rights (OCR) as the main enforcer starting in 2009. Industry watchers know that compliance across the provider community was limited, so when CMS designed the Meaningful Use regulations it included a Privacy and Security Objective requiring providers to conduct a HIPAA Security Risk Assessment (something that had already been required by law since 2005). That left us with a second agency, CMS, also checking up on HIPAA compliance. For some time we have known that about 5% of hospitals and physicians are being audited by the CMS contractor Figliozzi & Company. Now the HHS Office of the Inspector General (OIG) has indicated that it will conduct its own audits of hospital and physician HIPAA compliance.
That’s right – yet another federal agency will check up on HIPAA. These audits arise from OIG’s oversight role over the use of funds provided by the American Recovery and Reinvestment Act of 2009 (ARRA/HITECH). More specifically, OIG has chosen to zero in on compliance with the Meaningful Use Privacy and Security Objective [Objective #15 (Stage 1) and Objective #14 (Stage 2)]. In its 2014 Work Plan (Appendix B, page 84), the OIG identified “Security of Certified EHR Technology under Meaningful Use” as a new priority. The OIG will now “complete security audits of various covered entities receiving EHR Incentive Payments from CMS and their business associates to determine whether they adequately protect electronic health information created or maintained by EHR technology.”
It is interesting to note that the OIG calls out the role of business associates, and specifies that “audits of cloud service providers and other downstream service providers are necessary to assure compliance with regulatory requirements and contractual agreements.” This suggests that the OIG wants to dig deeper and expects more than a pretty risk analysis report that collects dust on the shelf. They apparently expect covered entities to vet their contractors and conduct other appropriate due diligence on them, for example through vendor security audits and/or penetration tests.
We’ll see what these OIG audits look like, as the OIG becomes the third agency to start checking up on HIPAA privacy and security compliance. We can only speculate based on the information provided in the Work Plan, but on the surface this raises the stakes for providers to conduct a high quality Meaningful Use Risk Assessment and to follow up with the recommended remediation. More specifically, the OIG is giving a hint that merely asking cloud service providers to sign a HIPAA Business Associate Agreement may not be sufficient.
Eagle Consulting Partners provides covered entities with thorough, professional Meaningful Use Risk Assessments that help them comply with Meaningful Use Core Objective 15 (Objective 14 in Stage 2).