
Original Contribution

Legal Lesson of the Month: Phase 3 HIPAA Audits

G. Christopher Kelly

EMS can be full of interesting and tricky legal scenarios. While you can’t have an attorney ride with you, it behooves providers to have at least some familiarity with the principles, precedents, and major issues of EMS law. To that end EMS World is pleased to offer a new feature, the EMS Legal Lesson of the Month.

These cases are presented by prominent attorneys in the EMS field. This month’s comes from EMS World editorial advisory board member Chris Kelly, JD, chief legal officer at EMS Consultants Ltd. in Atlanta. 

HIPAA isn’t always at the top of most ambulance services’ priority lists. It’s complicated, certainly not written with medical professionals who perform their skills in the backs of moving vehicles in mind, and not a key piece of what we need to do to protect our communities in case of emergency. But with HIPAA compliance enforcement efforts now entering “Phase 3,” it’s time to take a look at what’s going on.

If you haven’t been keeping track and don’t know what Phases 1 and 2 of HIPAA enforcement were about, let’s catch you up: In 2012 the Office for Civil Rights (OCR), HHS’s HIPAA enforcement arm, began a pilot audit program. In this Phase 1 of the process, the OCR developed a plan and format for conducting HIPAA audits. It then tested the audit process on a few medical service providers and their business associates. This phase basically created a road map for future audits.

Phase 2 was a full implementation of the audit process. At first most audited entities were not selected at random but were audited based on patient complaints or self-reporting of HIPAA breaches. However, in 2016 Phase 2 also grew to include “desk audits.” These audits were sent to randomly selected healthcare providers and business associates, asking them to respond to a list of HIPAA-related items that included subjects like copies of notices posted in the facility, posted on the facility website, or given to patients; policies on disclosures and other matters; and risk assessment forms. The results of these desk audits have not been released, so we don’t know how many entities were audited, what percentage were found to have errors, or what penalties they may have received.

As of January 2017 a new tool joined the HIPAA audit arsenal: on-site audits. This is Phase 3 of the OCR’s audit expansion. In this phase auditors will show up, unannounced, to view your HIPAA policies and practices in action. 

Fined for Noncompliance

All of that is merely background to the real issue to which I want to draw your attention. While we do not yet know the results of the desk audits, we do know the results of other audits performed in Phase 2 as a result of patient complaints and self-reporting. The OCR published a list of more than 100 healthcare entities and business associates it has audited and fined for HIPAA noncompliance in the past few years. Some examples (key HIPAA requirements are in italics): 

  • A clinic was fined $31,000 for not having a business associate agreement in place with a contractor;
  • A hospital was fined $5.5 million for not cutting off a former employee’s log-in credentials for over a year and not having a policy and procedure for revoking a terminated employee’s access;
  • A hospital was fined $475,000 for not notifying 836 patients of a missing paper operating room schedule;
  • A university hospital was fined $750,000 for failure to implement policies and procedures to prevent, detect, and contain security violations; 
  • A cancer practice group was fined $750,000 for a laptop stolen from an employee’s car when it did not have a written policy on hardware removal from the facility; and
  • A pharmacy was fined $125,000 for leaving patient records in an unlocked area when it also did not have written HIPAA policies or staff training in place.

As you can see, the fines and penalties for noncompliance can be significant even for relatively minor and certainly unintentional failures. Perhaps even more important, these fines are being paid to the OCR to resolve the cases, increasing the OCR’s net collections exponentially every year. As with all other types of audits, the end goal is the recovery of money, and the more successful an audit process is, the more of those audits there are likely to be. 

In the case of HIPAA compliance audits, I think it’s safe to assume there will be an increase in both desk and on-site audits in the coming years. Make sure you have your HIPAA policies and practices in order and up to date—the penalties for failing to do so can be devastating!

G. Christopher Kelly is an attorney who focuses on federal laws and regulations as they relate to healthcare providers and specifically to the ambulance industry. Chris lectures and advises EMS service clients across the U.S. This article is not intended to be construed as legal advice. For more information or specific questions, reach Chris at chriskelly@ems-ambulance.law.
 
