The pilot phase of the HHS Office for Civil Rights (OCR) HIPAA Privacy and Security Audit Program is now underway through December 2012.
Background. Under HITECH Act § 13411, 42 USC § 17940, HHS is required to provide for periodic audits to ensure that HIPAA covered entities and their business associates are complying with the HIPAA Privacy, Security and Breach Notification Rules.
In June 2011, OCR contracted with KPMG to assist it in developing audit protocols and to conduct up to 150 audits in a pilot audit program by December 2012. (OCR also contracted with Booz Allen Hamilton to identify candidates for HIPAA audits.)
Through the audit program, OCR will assess HIPAA compliance efforts by a range of covered entities (and business associates). It anticipates that the audit program will provide an opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities. OCR has indicated that it will share best practices learned through the audit process and provide guidance on compliance challenges observed in the audits.
Pilot audit program. Having developed audit protocols, OCR is currently in the second step of its three-step pilot audit program: the audits of a limited number (20) of covered entities to test the audit protocols. This step of the pilot is expected to last through February/April 2012. After the protocols are revised in light of the initial audits, the third phase of the pilot program, expected to occur between May and December 2012, will involve a full range of audits. Consistent with the statutory requirement, the director of OCR fully expects that OCR will initiate a permanent HIPAA compliance audit program at the conclusion of the pilot program.
Audit candidates. OCR’s current pilot audit program is limited to covered entities; later audits will also include business associates. OCR selected the initial auditees to provide a broad assessment of the diverse health care industry. It is expected that OCR will seek to audit a wide range of covered entities, both in terms of size of the covered entity and type of covered entity – individual and institutional health care providers, a wide variety of health plans, and health care clearinghouses.
HIPAA audit process. A HIPAA audit begins with a written notice to the auditee that it is being audited. The letter will explain the audit process and expectations, introduce the audit contractor, and include the initial document and information requests. The auditee will usually have 10 days to respond to the request for information, which will generally require documentation of the entity’s privacy and security compliance efforts, likely including policies and procedures; documentation concerning training, handling of complaints, and application of sanctions for violations of policies, etc.; and risk assessments and mitigation plans. During the pilot program, each audit will include a site visit, likely of 3-10 days. Auditors will interview key personnel (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director), examine the entity’s physical features and operations, and observe processes and operations to determine compliance with policies and procedures and regulatory requirements. The auditor will then draft an audit report and share it with the covered entity, which will have 10 business days to review and provide written comments on the auditor’s observations and findings, including actions taken to address the auditor’s findings. Within 30 days, the auditor will submit a final audit report to OCR. Audit reports are required to include specific recommendations to address compliance problems through corrective action, recommendations on any need for continued corrective action, and future oversight recommendations. OCR will review the final reports. The audit program will help OCR determine the types of technical assistance that need to be developed and the types of corrective action that are most effective. Although OCR views HIPAA audits as a compliance improvement activity, if an audit report indicates a serious compliance issue, OCR may undertake a compliance review of the entity.
Covered entity action. Given the number of audits expected during the pilot program, the likelihood that any particular covered entity will be the subject of a compliance audit during the pilot is low. However, with the initiation of the audit program, and the expected finalization of the HIPAA/HITECH Act Privacy, Security and Enforcement rulemaking, covered entities should consider taking the opportunity to review their HIPAA compliance programs, and:
- Update privacy and security policies and procedures, as needed, taking into consideration new legal requirements and any changed circumstances.
- Check that risk assessments and mitigation plans are up to date. If needed, create a corrective action plan to address HIPAA compliance issues.
- Review training materials and ensure workforce training is up to date.
- Ensure proper documentation of compliance with policies and procedures, including training, complaint handling and resolution, application of sanctions policy, etc.