
Spoiler alert: probably not.

Now that’s out of the way, some background: The Office of Civil Rights (“The HIPAA People”) announced earlier this year that they are definitely doing a repeat of their random HIPAA audits in 2016. People who follow such happenings (okay, people like me, I mean) will remember that the OCR did some random audits of HIPAA covered entities in 2012. They confirmed this year their plans to do more audits in 2016.

The audit process is like so: the OCR will send an email to some number of randomly selected HIPAA covered entities. This email will prompt recipients to go fill out a questionnaire meant to help the OCR determine if that covered entity is appropriate for audit. If you’re curious, you can see the questionnaire here.

Out of these respondents, some number will be chosen for audit. The audit protocol will mostly be desk audits, meaning they won’t be visiting very many practices or clinics on-site. Rather they will ask most auditees to submit paperwork which the OCR will review on their own.

The OCR claims that the audits are purely informational. In other words, they claim the audits will primarily be used to determine what kinds of assistance are needed to help HIPAA covered entities with HIPAA compliance. They do say, however, that if they find an entity to have serious compliance issues they will then follow up with a compliance review. That review would bring the potential for penalties.

You Say “Probably Not.” If It’s Random, Why Couldn’t One Of Us Be Audited?

It’s quite possible you could end up receiving the initial email that asks you to fill out the survey questionnaire. However, there remains the question of how the OCR will choose auditees based on those questionnaires. They state in their announcement:

By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry – factoring in size, types and operations of potential auditees. Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors…

The last time I counted, there were approximately 37 gajillion (plus or minus) HIPAA covered entities in the United States. The OCR will choose to audit several hundred of those.

They won’t choose those several hundred entirely at random. They will choose their auditees in order to create a sample that provides the best cross-section of American HIPAA covered entities they can manage. Remember, the main stated point of this program is to get an idea of what’s going on out there so that the OCR can get an idea of what they need to do to help improve compliance.

This raises a question: what does the OCR consider the “best” sample they can get?

There are many types of covered entities in this country and some are bigger sources of risk than others to the privacy of American health care consumers. Hospital systems, health plans, and other large entities that handle millions of patients’ data through thousands of subcontractors generate the bulk of data breaches that impact Americans.

Important aside:

Besides data breaches, the OCR is very concerned about whether or not health care providers are providing copies of records when patients/clients request them. In fact, of the 8 private practice HIPAA enforcement case examples listed on the HHS web site, 5 are enforcements that happened because the private practice was in some way or another not respecting individual rights to access or amend their health records. See it for yourself here→

It’s that last point — release of records — where mental health centers and solo mental health practitioners get dinged a lot. As a field, we need to make peace with the idea that HIPAA allows our clients to get copies of their records and we need to keep those records in a way that reduces the likelihood that the client will be harmed if they read our notes about them. That is an aside from the main point of this article, however.

Even if the OCR wants to get a cross-section of covered entities that includes solo or small group therapy practices, it seems unlikely that their sampling needs leave room for more than something akin to “several” such practices (remember that they did just 115 audits in 2012.) Given their goals, it doesn’t seem very likely or productive — to me at least — for them to select any small therapy practices at all.

Bear in mind that I could be entirely wrong. Or worse, I could be right and you end up being one of those couple or few small therapy practices that gets selected. Either way, I find it unlikely that the numbers support a risk management approach for small therapy practices that includes acting on significant anxiety about random audit.

If They Won’t Audit Me At Random, Why Be Compliant At All?


Enforcement actions under HIPAA generally come from “compliance reviews.” These reviews are different from random audits and can result in penalties. A review could be triggered in several ways, but the most relevant ways (in my opinion) are:

1) You have a data breach that you must report to the OCR before the end of the year. They follow up on your breach with a compliance review. 

In my anecdotal experience, the small breaches that we most often suffer don’t seem to be interesting enough to trigger these reviews. Examples include: a therapist’s email is hacked and client emails are exposed, or a therapist is carrying a lockbox with a few files in it and the lockbox is stolen from the therapist’s car.

I have discussed many breaches of these exact kinds with many therapists who had reported those breaches to the OCR — as they are legally required to do. My (once again, entirely anecdotal) experience thus far is that none of those breaches were followed up on with a compliance review.

I am quite sure there are small therapy practices who have had the opposite experience, however. It is also feasible for even a small therapy practice to suffer a much larger breach than the ones in my examples.

2) A HIPAA-related complaint is filed against you.


These complaints are frighteningly easy to make, and are the origin of every small therapy practice compliance review story I have heard in my (once again, anecdotal) experience. Click here to see the online complaint form for yourself→.

The risk that you could be subject to a compliance review following a complaint — from anyone, client or not — is one that we advise you to take quite seriously.

Stated simply, if a small therapy practice complies with HIPAA primarily to avoid punishment or liability, random audits are probably not the liability source they should focus their energy on.

If your main interest in security is the protection of your clients and your relationships with clients, then preparing for random audit is probably not a good use of your energy. It’s probably better to spend that energy on preventing data breaches and complaints. Ironically, the best way to do that, in our opinion, is to complete the HIPAA compliance processes.

Can I Be Audited Or Reviewed If I Am Not a HIPAA Covered Entity?

Nope.

Well, not by the OCR, at least. If you’re not a HIPAA covered entity, then you’re not subject to HIPAA enforcements or audits. That’s just the facts.

If you’re not sure about this, see our article, Am I a HIPAA Covered Entity? How Much Does It Matter If I Am Or Not? There are many reasons for us to consider compliance with HIPAA even if we can’t be subjected to compliance reviews or random audits. That article covers those reasons.

Roy: Isn’t Your Business About Helping People With HIPAA? Wouldn’t You Rather Scare Us Into Buying Courses With Threats of Random Audit?

Consider an irony: a company sells materials with information that they claim to be the most accurate and up to date. To convince you to buy those materials, they exaggerate or even flirt with lying about the thing they claim to accurately inform you about in those materials.

Here are two truths:

  • There are many reasons to comply with HIPAA. They don’t need to be scary or even urgent to be compelling.
  • HIPAA is a great prop for convincing clinicians to think carefully about how to better care for their clients and their practices in this wacky, super-transparent world. It is our experience that clinicians rarely consider the ups and downs of digital technology without HIPAA as a behavioral catalyst.

So we see it as highly important to make sure that our colleagues are thinking about HIPAA and about security & privacy in ways that are actually relevant to ethical professional practice and that support a better future for our professions.

Please understand, this is not written with the intent to be self-aggrandizing or even inspiring. As a field, we still have a slippery grasp on the most basic concepts of security risk management and on security & privacy regulations (e.g. HIPAA.)

The process of fixing that will rely on first dispelling mythical fears (such as some appreciable risk of random audit) and nurturing objective and accurate discernment regarding the risks we face in private practice. We all need to get better at this, and Person-Centered Tech’s policy is that we never damage progress toward that goal for business gain.

What Can We Learn From the Random Audits?

One useful thing that has come out of this round of audits is that the OCR has released their audit protocol. This gives us a slightly more solid idea than we used to have regarding what they expect out of HIPAA covered entities.

At Person-Centered Tech, we will be using the protocol to help refine our HIPAA Security Workbook Tool.

Critics of the auditing protocol state that it indicates that the OCR still has unrealistic expectations about HIPAA compliance from small practices. If we’re lucky, the audits will reveal to the OCR the ways in which they have been disconnected from the realities of small health care practices.