Keys to Implementing an OCR-Quality Compliance Program

This blog is based on session 2 from our 5-part webinar series, “HIPAA Audits Are On The Way—Are You Ready?” Watch the replay here.

For the past 25 years, government bodies and other regulatory agencies have been working to improve security and privacy protections for sensitive patient information. What began in 1998 as the proposed Security Rule has now evolved into a range of other regulations covering everything from rights of access and control to preventing unauthorized access and developing industry-recognized cybersecurity best practices.

As a healthcare-covered entity or business associate, you must ensure your employees, vendors, and other stakeholders meet every requirement. As these requirements continue to increase and become more complex, the old ways of managing standards through spreadsheets or paper documents are no longer effective. Instead, to keep pace, you need an effective compliance program to oversee it all. But even the best-planned programs can put you at risk. One overlooked control or process could result in non-compliance, leaving your organization facing penalties and fines that can quickly reach millions of dollars and possibly even criminal prosecution.

How can you build confidence that your compliance program is effective, reasonable, and appropriate for your organization? Implementing a compliance program based on Office for Civil Rights (OCR) guidelines and recommendations is key. 

From Then to Now: How Changing Rules Influence Your Compliance Program

In the past two decades, there have been many key developments in security and privacy standards within the healthcare industry. By understanding where these regulations got their start and where industry standards are headed, you can ensure your compliance program aligns with current requirements and best practices, ultimately safeguarding the privacy and security of patient data.

Here’s a quick timeline of critical rules and regulations that influence modern healthcare compliance programs:

• 1998: Security Standards proposed
• 1999: Privacy Standards proposed
• 2000: Privacy Rule issued/rewritten
• 2002: Privacy Final Rule issued
  • Protects patients’ personal health information (PHI) by giving them the right to access and control their medical records. Providers must follow specific procedures when using or disclosing this data.
• 2003: Security Rule issued
  • Sets national standards for healthcare providers to protect patients’ electronic health information (ePHI) from unauthorized access, use, disclosure, disruption, modification, or destruction.
• 2005: Security Rule compliance date
• 2009: HITECH Act with Breach Notification Rule
  • Requires healthcare providers to notify patients of health information breaches that may compromise their privacy.
• 2013: Omnibus Final Rule
  • Combines several previous HIPAA rules and strengthens patient privacy protections, especially regarding electronic and genetic health information. It also expands the reach of HIPAA to business associates of covered entities.
• 2013: Genetic Information Nondiscrimination Act (GINA) 2009 (Amended in HIPAA 2013)
  • This HIPAA amendment prohibits health plans from using or disclosing genetic information for underwriting, protecting patients from discrimination based on their genetic makeup.
• 2014: Clinical Laboratory Improvement Amendments (CLIA) and HIPAA Privacy Rule
  • Clarifies how HIPAA applies to laboratories certified under CLIA, ensuring consistent privacy protections for patient information these facilities handle.
• 2015: Cybersecurity Act Section 405(d)
  • Encourages healthcare providers to adopt cybersecurity practices to protect electronic patient health information from cyberattacks.
• 2020: 21st Century Cures Act (Cures Act) Information Blocking Final Rule
  • Prohibits healthcare providers from using certain practices that electronically restrict sharing a patient’s medical records with others involved in their care.
• 2021: Notice of Proposed Rulemaking (NPRM) to the HIPAA Privacy Rule
  • Not yet finalized, this proposed rule seeks to improve patients’ access to ePHI and their ability to manage it.
• 2023: NPRM – Cures Act: Establishment of Disincentives for Healthcare Providers That Have Committed Info Blocking
  • Not yet finalized, this proposed rule could impose penalties on healthcare providers who continue to electronically restrict sharing of patient medical records.
• 2023: NPRM – HIPAA Privacy Rule to Support Reproductive Health Care Privacy
  • Just finalized on April 22, this rule aims to strengthen privacy protections for patients seeking reproductive healthcare.
• 2024: Health Data, Technology, and Interoperability (HTI-1) Final Rule (to be released)
  • This upcoming rule is expected to further promote the secure exchange of ePHI between healthcare providers and patients.
• 2024: HIPAA Audit Review Survey Notice (to be released)
  • This upcoming notice will likely outline details regarding a standardized HIPAA audit program.
• 2024: Confidentiality of Substance Use Disorder Patient Records Final Rule (to be released)
  • This upcoming rule is expected to strengthen confidentiality protections for patients with substance use disorder diagnoses.

Understanding Today’s HIPAA Audit Protocols

With a foundation in the regulations that led the industry to where we are today, it’s important to note that today’s HIPAA audit protocols are more like an open-book test.

In most HIPAA audits, the auditing agency will tell you which evidence (documents) you must provide to demonstrate that you comply with a particular standard or implementation specification. Once you submit these items, the auditor will evaluate those documents against audit protocols. The auditor will then present you with draft findings, allowing you to respond before issuing a final audit report.

Here’s an example using 45 C.F.R. §164.308(a)(2) as an auditing standard. This requires organizations to identify the security official responsible for developing and implementing policies and procedures for the covered entity or business associate.

To ensure compliance with this example, you need to demonstrate effectively:

• Your organization has policies and procedures in place regarding the establishment of a security official.
• You have identified the security official responsible for developing and implementing the required policies and procedures.
• You have created and reviewed documentation of the assigned security official(s) responsibilities (e.g., job description).
• You have ensured that a natural person has been named as the security official and any other individuals assigned with other security duties.
• You can evaluate and determine that the security official’s responsibilities are clearly defined.

Understanding Compliance Responsibilities

A common question across the industry is: Why do organizations still struggle with implementation if the rules have been around so long? That’s because most organizations still don’t fully understand their compliance responsibilities; they’re just looking at the rules’ verbiage without a deeper understanding of the intent or how audit protocols determine compliance.

For example, if you go back to 2000’s “Standards for Privacy of Individually Identifiable Health Information Final Rule,” you’ll find that the preamble to each rule and response to comments on publication provide significant clarification of intent, which remains applicable to requirements today.

Other resources are also available. For example, OCR offers guidance in its publication on HIPAA for Professionals, and you can also subscribe to OCR email updates. NIST SP 800-66 Rev. 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide is also a very helpful resource.

10 Key Elements to Develop OCR-Quality Compliance Programs

While the rules and related publications can help you understand compliance requirements, you can also draw on OCR enforcement actions to identify areas where other organizations have struggled. By understanding deficiencies and how OCR interprets compliance, you can build an OCR-quality compliance program that ensures you ace every audit and can quickly and accurately respond if you ever face an OCR investigation. Here are 10 key elements to demonstrate you’re taking reasonable and appropriate steps to manage your compliance program:

1. Establish a privacy and security risk management and governance program (45 CFR § 164.308(a)(1))
   This is an enterprise responsibility. It’s not the responsibility of one department or one privacy official. It’s the responsibility of all workforce members. When managing risk and governance, you need a good core team of cross-functional representation, such as privacy, security, legal operations, and finance. By establishing a governance team that reports directly to senior leadership or your board of directors, you can effectively leverage resources across your organization and collaborate on program development.
   
2. Develop and implement privacy, security, and breach notification policies and procedures (45 CFR §§ 164.530 and 164.316)
   These must be specific to your organization, not something you pull off a website and change a few fields like your name and other info. Your policies and procedures must apply to your workforce and detail their responsibilities and actions. If your organization doesn’t undergo much change or growth, your policies may be effective for as long as three to five years; however, you’ll likely need to update your procedures more routinely based on what’s happening within your organization and industry and regulatory changes. Policies and procedures must also be available to your workforce, for example, via your intranet, a SharePoint site, or something similar.
   
3. Train all members of your workforce (45 CFR §§ 164.530(b) and 164.308(a)(5))
   Often, organizations subscribe to HIPAA training content, and much of it is generic and high-level, and you can’t alter it. To ensure compliance, your training should be more specific and focus on policies and procedures applicable to your workforce.
   
4. Complete a HIPAA security risk analysis (45 CFR § 164.308(a)(1)(ii)(A))
   This is a fundamental requirement. You’re not meeting the security rule if you’re not doing effective risk analysis. OCR’s Audit Protocol outlines specifically what your risk analysis program should include.
   
5. Complete HIPAA security risk management (45 CFR § 164.308(a)(1)(ii)(B))
   Once you’ve completed your risk analysis and have identified vulnerabilities and other security issues, your risk management program should address them in a meaningful way that’s reasonable and appropriate for your organization. You must track and document all remediation activities and their status and effectiveness for OCR. This is a technical process, so utilize resources from HIPAA and NIST to ensure appropriate control implementation and compliance.
   
6. Complete a HIPAA security evaluation (e.g., “compliance assessment”) (45 CFR § 164.308(a)(8))
   This evaluation is not about determining whether or not you have specific controls in place. Your security evaluation should evaluate all your policies and procedures and how well your workforce meets those specifications. Are you doing what you say you’re doing, and is it working?
   
7. Complete technical testing of your environment (45 CFR § 164.308(a)(8))
   Consider working with a third party for penetration tests, social engineering, phishing, etc., to determine the effectiveness of your security program. They can identify issues before attackers exploit them and make remediation recommendations to address gaps before an audit or real-world issue.
   
8. Implement a robust and proactive business associate management program (45 CFR §§ 164.502(e) and 164.308(b))
   Having a business associate agreement with your business associates or subcontractors is not enough. Look at this requirement from a broader scope, like establishing a vendor risk management program that outlines your vendor assessment processes. Because of the increase in breaches that originate with third parties, due diligence for vendor assessments is critically important.
   
9. Conduct Privacy Rule and Breach Rule compliance assessments (45 CFR §§ 164.530 and 164.400)
   If your current policies and procedures are still based on decisions made when the Privacy and Breach rules went into effect, they are highly likely outdated. Now is the time to conduct compliance assessments and make updates as needed.
   
10. Document and act upon a remediation plan (45 CFR §§ 164.530(c) and 164.306 (a))
    Document. Document. Document. Once you establish a remediation plan to address security and privacy issues, you must document and act upon it. As far as OCR is concerned, if you didn’t document it, it didn’t happen.