Privacy Audit Tool Could Help Guard Against HIPAA Breach Fines
The downloadable solution can help organizations comply with rules requiring risk assessments, a provision involved in more than half of this year’s $14.8 million in HIPAA breach penalties.
More than half of this year’s $14.8 million in cash settlements for violating data privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) involved cases in which offenders failed to conduct proper risk assessments.
As the stakes for ignoring those risk assessments continue to grow, officials at software developer AvePoint are pointing to a tool they developed in conjunction with the International Association of Privacy Professionals (IAPP), which can help make the process of conducting those reviews more consistent and efficient.
The AvePoint Privacy Impact Assessment System is distributed exclusively via the IAPP website and designed to help organizations avoid common mistakes of the risk assessment process, many of which are the result of inadvertent human omissions or other errors.
The automated tool can also help organizations keep abreast of changes in the privacy landscape that could require risk factors to be reassessed.
“They can use it to create a repeatable and sustainable process for their business associates or even for their vendors or partners,” said Dana Simberkoff, chief compliance and risk officer at AvePoint.
Spurred in no small part by the Affordable Care Act, healthcare IT has become a boon to the U.S. economy, offering an estimated $80 billion in net savings through greater efficiency and a 20 percent increase in related jobs, according to a 2014 report from CompTIA, the nonprofit association for the technology industry.
Nowhere has the trend been more acutely felt than among managed services providers (MSPs), which were enlisted by healthcare firms to oversee the conversion from paper to electronic health records and the automation of processes aimed at reducing cost and improving patient outcomes.
But while healthcare offers an enormous market opportunity, the vertical is not without financial risk for MSPs.
Healthcare organizations that handle electronic protected health information (ePHI) are known as “covered entities” under HIPAA and have long been subject to strict rules and potentially stiff fines stemming from cybersecurity or other privacy violations.
In 2013, the liability for HIPAA violations was extended to “business associates,” which includes MSPs or any other entity that acquires responsibility for ePHI through business relationships with covered entities.
This year, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has exhibited a new zeal in finding and penalizing data security violations.
Such cases are resolved through settlements with OCR.
The amount collected so far in 2016 from those settlements is up 139 percent from the $6.2 million collected for similar violations during all of 2015.
In four cases this year – in which settlements totaled $7.65 million – the covered entity and/or business associates were found to have failed to conduct risk assessments or performed them inadequately.
In reference to one $650,000 fine, OCR said Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) “had no risk analysis or risk management plan.”
In leveling a $2.7 million fine against Oregon Health & Science University (OHSU), OCR’s investigation found that the organization performed risk analyses during multiple years but that “these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule.”
Federal authorities warned of the crackdown in advance.
Earlier this year, OCR announced the launch of a second phase of random audits of covered entities and business associates, and indicated the focus would be on verifying adherence to HIPAA’s rules governing privacy, breach notification and security, which include proof of risk assessments.
“OCR says it selected these provisions for focus … ‘because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance,’” said a post on the blog govinfosecurity.com.
The IAPP webpage for the AvePoint Privacy Impact Assessment System says the platform allows users to “automate the process of evaluating, assessing, and reporting on the privacy implications of your enterprise IT systems.”
In the event of a breach, OCR investigators will be looking to determine whether the responsible organization took proper care to protect the ePHI in its custody.
“What are the steps you took to mitigate a breach?” AvePoint’s Simberkoff said. “Being able to demonstrate that you were being forward thinking is going to dramatically impact the likelihood of having a significant fine even if something bad happens.”