HIPAA Audits: A Revised Game PlanMore On-Site Audits Planned, But All Audits on Hold for Now
Federal regulators are delaying the start of phase two of the HIPAA audit program until the agency responsible for enforcement finishes the roll-out of technology that will allow audited organizations to submit data via a Web portal.
And once the program resumes, the Department of Health and Human Services' Office for Civil Rights plans to do more on-site audits and fewer remote "desk audits" than officials originally planned, Linda Sanches, an OCR senior adviser, said during a Sept. 9 presentation at the Healthcare Information and Management Systems Society's privacy and security forum in Boston.
"We're updating technology that we'll use to get documents from the companies we are auditing," she says. "The IT project was pushed back. We're holding off starting [audits] while waiting for the technology."
The portal technology, once available, will help OCR streamline a "labor intensive" audit process by "collecting, collating and analyzing" audit data, she says, declining to speculate about when the audit program will officially kick off.
Earlier, OCR officials had said the agency planned to start the next phase of audits beginning in the fall using its own staff (see HIPAA Audits: Getting Ready). In 2012, OCR conducted a pilot HIPAA audit program involving 115 covered entities that was carried out by a contractor, the consulting firm KPMG.
The original OCR plan for the next phase was to conduct 400 remote desk audits, but that will be trimmed to "fewer than 200," Sanches says, with more comprehensive on-site audits being conducted than initially anticipated due to "a budget for a larger number of on-site audits." She declines to estimate how many onsite audits will be performed or provide details about funding.
Surveying Audit Candidates
Pre-screening surveys will be electronically sent to covered entities and business associates that are potential candidates for audits, and their responses will be collected via the portal, populating an OCR database, she says.
In a Feb. 24 notice in the Federal Register, OCR said it planned to survey "up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program (see HIPAA Audits Step Closer to Resuming).
Sanches says OCR is planning to send pre-screening surveys first to covered entities and then to business associates "in near future." She advises covered entities to "know who your business associates are. We will ask for a list and contacts for all your business associates. This is a good time to get your house in order."
The covered entities are being randomly selected from a national provider index database, with the aim of even geographic distribution and mix of different kinds of covered entities, including physicians' offices, dentists to healthcare plans, she says. Also, the audits will not be performed on organizations for which OCR already has "open" breach or HIPAA compliance investigations under way, she says.
The business associates chosen for audits will be selected from the lists of vendors that the surveyed covered entities provide, Sanches says. The pre-screening surveys that will be sent "aren't meant to ensure you're compliant, just whether you're in or out," in terms of being a possible audit candidate. "We have a pool of several hundred [surveys] ready to go," she says.
The "very targeted audits" of covered entities will look at specific compliance areas, such as security risk assessments, privacy and breach notification, Sanches says. Business associates will be audited for compliance with such requirements as conducting a security risk assessment and providing breach notification to covered entities, she adds.
The desk audits will ask for documentation without any follow-up, while the on-site audits will be more comprehensive. OCR will also update its HIPAA audit protocol before the next round of audits begin.
In the next round, audited organizations might be asked to submit their security risk analysis or policies and related documentation, Sanches says. For instance, if OCR asks about an organization's sanctions policy for HIPAA privacy violations, the agency will also ask how the policy is carried out.
Mac McMillan, CEO of security consulting firm CynergisTek, says OCR's plans to conduct more onsite audits than originally planned in the next round of audits is good news from an enforcement standpoint.
"Desk audits only tell [OCR] what I want to tell [OCR] and that's not necessarily the truth," he says "You can produce documentation, but have poor implementation, and a desk audit won't necessarily show that. Onsite audits hold someone more accountable."
As for HIPAA enforcement actions that OCR has taken to date, the agency generally focuses its investigations on larger breaches, Sanches says. However, if OCR sees "clusters" of smaller breaches or patterns of HIPAA complaints related to a particular organization, the agency will take a closer look at the situation or conduct a compliance review, she says.
Under the HIPAA Omnibus Rule, covered entities and business associates can be fined up to $1.5 million per HIPAA violation.
To determine the amount of a HIPAA penalty, OCR takes into consideration factors such as previous HIPAA compliance incidents, how long an event lasted, the kind of harm that resulted and number of individuals affected, Sanches says. "The sky isn't a limit. We do face limits. All factors are laid out in the enforcement rule," she says.
As for emerging threats, such as new hacker methods that result in breaches, "we will look for your periodic risk analysis" to show that your organization had been taking regular steps to address changing risks and threats, she says.