1. HHS mandated audits
Investigations by the Office for Civil Rights related to compliance with the Health Insurance Portability and Accountability Act will no longer be initiated by only complaints and self-reported breaches. Section 13411 of the HITECH Act requires HHS to provide for periodic audits of covered entities' and business associates' compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification standards. While the audits are not intended to be investigations, an audit could reveal a serious compliance issue that could lead to a separate enforcement investigation by OCR. These mandatory audits are further evidence of the increased enforcement efforts of HHS.
2. What we learned from the pilot audit program
KPMG, on behalf of HHS, conducted a yearlong pilot audit program from November 2011 through December 2012 that included 115 audits of covered entities. The audits focused on key compliance requirements under HIPAA, including (a) various requirements of the Privacy Rule, such as notice of privacy practices and uses and disclosures of protected health information, (b) Security Rule requirements for administrative, physical and technical safeguards, and (c) requirements for the Breach Notification Rule.
The large majority of entities that were audited were providers, rather than health plans or clearinghouses (all of which are covered entities under HIPAA). The preliminary results from the pilot audit program revealed that 65 percent of the compliance issues were related to the Security Rule, while only 26 percent and 9 percent of the compliance issues were related to the Privacy Rule and Breach Notification Rule, respectively. Generally, smaller covered entities, such as physician practices and smaller providers, had more compliance issues than larger covered entities. In the future, both covered entities and business associates will be subject to audits.
OCR is currently evaluating the pilot program to assess whether changes should be made before routine audits commence. The evaluation will focus on the pilot audit program's effectiveness, analyze the program's strengths and weaknesses and give recommendations for future audits. The evaluation process is scheduled to conclude in September 2013. We anticipate that routine audits will commence after this time.
3. Audit process
An OCR audit begins with a document request sent to the audit target, which includes an introduction to the audit contractor and a request for required HIPAA documents, including copies of privacy policies and procedures, workforce training documentation, incident response plans, risk analyses and risk mitigation plans. This documentation will generally be due to OCR within 10 business days of the request for information. Following review of the documentation, the auditor will conduct a site visit.
During the site visit, OCR will interview key personnel. Covered entities and business associates should ensure that all members of management and higher-level staff members are familiar with the entity's privacy and security policies, procedures and compliance efforts — the entity's privacy officer will not be the only workforce member interviewed by OCR.
After the site visit is completed, the auditor will provide the covered entity with a draft final report. The entity will then have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the entity's response and submit it to OCR. The reports will be used by OCR to determine what types of technical assistance should be developed and whether a compliance review is necessary to address any serious issues detected during the audit.
4. How to prepare for an audit
The audit protocol can be found on the OCR website and is a great resource for entities looking to perform self-evaluations of their HIPAA compliance. As part of these self-evaluations, the audit protocol can be used by covered entities and business associates to conduct a self-audit. This process will help identify compliance gaps and prepare for an OCR audit.
Covered entities and business associates should ensure, at a minimum, that the following HIPAA compliance measures are being taken:
a. In the case of a covered entity, provide the entity's form of Notice of Privacy Practices to every patient and update such NPP to reflect the changes under the Omnibus Final Rule (required by September 23, 2013).
b. Have written and signed business associate agreements with all entities considered a business associate.
c. Conduct an accurate and thorough assessment of the risk to electronic protected health information.
d. Implement required physical, technical and administrative safeguards to protect ePHI.
e. Have formal policies and procedures for the privacy and security of protected health information and ensure these are updated to reflect the changes under the Omnibus Final Rule (required by September 23, 2013).
f. Train all employees on privacy and security policies and procedures. Those employees whose job duties are affected by the changes resulting from the Omnibus Final Rule will need to receive additional training on such changes.
g. Maintain all documentation required under HIPAA, including documentation of all employee training, disclosure logs, documentation of all breach analyses and documentation of sanctions taken against employees for violations of privacy and security policies.
Covered entities and business associates should start to prepare now rather than after receiving notice from OCR of its intent to audit. Preparing for a potential audit may also help protect covered entities and business associates from complaints to OCR related to HIPAA violations.