"We are still working on writing our HIPAA policies. Actually, it got pushed aside a few months ago, but we'll get to it as soon as we can."
Many providers are trying to squeeze HIPAA compliance, which is no small task, into already heavy workloads. Too often, there just isn't the manpower to get HIPAA tasks done as quickly as we would like. For this reason, it is very common for compliance officers to be "working on" HIPAA for weeks, months, or even years before anything is finalized.
The Office for Civil Rights (OCR), which enforces HIPAA, has suggested in recent settlements that "working on" HIPAA compliance is not enough, especially when the provider already knows about a risk. For example, one provider identified the lack of encryption as a risk. It started encrypting its devices, but continued to use unencrypted laptops in the meantime. During this period, one of those unencrypted laptops was stolen. The provider then quickly finished encrypting, but still paid a $1,725,220 penalty.
This isn't the only example. Recently, a children's hospital submitted two breach reports, both involving unencrypted devices. OCR investigated and found that the hospital had known about the risk of unencrypted PHI since 2007, yet continued to issue unencrypted BlackBerries to nurses until 2013. That hospital will pay $3.2 million.
What if you got audited tomorrow?
In 2016, OCR began Phase 2 of its HIPAA audits. As part of these audits, OCR published questions it had received from providers about the audits, along with its responses. One question shows that OCR expects providers to have HIPAA policies that are final, not in progress:
Question: Can policies that have been in process for 3 plus months be included even though they have not yet cleared the final approval step?
OCR Clarification: Where entities are asked to provide documentation for a specified time period (e.g., current, previous calendar year, 6 years ago) they should submit documentation that reflects what is in place and in use in the time frame specified.
In other words, when a provider is selected for a desk audit, it is expected to submit documents that are actually in place, not documents that are still in development. A draft policy that has been "in process" for months will not count.
Even after the 2016 audits wrap up, more audits are not off the table: OCR can audit a provider in response to a complaint or a breach report, or as part of a future audit phase. If you were selected tomorrow, how would you be able to respond to a HIPAA audit?