McAndrew Explains HIPAA Audits
Compliance Audits to Start After Protocols Tested
OCR has entered a $9.2 million contract with the consulting firm KPMG to launch the audit program in three phases (see: HIPAA Audit Program Details Emerge).
The first step will be the creation of a comprehensive set of protocols for how audits will be conducted and what measures will be used to determine compliance, McAndrew says in an interview with HealthcareInfoSecurity.com's Howard Anderson (transcript below).
The second step will be to conduct about 20 test audits to make sure the protocols are effective, she says. After that, the formal program for as many as 150 on-site audits will continue through the end of 2012.
McAndrew declines to disclose all the details of how organizations will be selected for the audit tests as well as the formal auditing program. But she says OCR will strive to make sure a wide variety of organizations are selected, based on type, size and location.
Asked whether the audits will be used primarily as a way to enforce HIPAA or as a way to educate organizations about compliance, McAndrew says, "I don't think that the audit program will be that black and white."
OCR views the audit program, mandated by the HITECH Act, "as a way of expanding our capacity to ensure compliance," she says. McAndrew notes, however, that some audits could result in enforcement action. "If we uncover, in the course of the audit, major violations or potential violations, we will be dealing with those in the same manner that we would through our formal enforcement process," she says.
Audit Details
In the interview, McAndrew also says:
- OCR has not yet determined whether it will audit business associates as well as covered entities, such as hospitals, clinics and health insurance plans. Nevertheless, KPMG will develop protocols to support business associate audits.
- OCR will provide advance notice to entities selected for the audit process and advance requests for documentation.
- A decision on exactly how to inform others about the results of the audits has not yet been made. OCR has not yet determined whether it will publish individual audit reports or summary reports on trends identified in all the audits.
- The agency won't determine whether to continue the audits beyond 2012 until it evaluates the results of the initial program.
McAndrew encourages healthcare organizations to prepare for the audits by taking several steps, including reviewing their privacy and security policies and procedures; ensuring that they've documented patient information safeguards; completing an updated risk assessment; and developing a breach incident response plan.
As the HHS Office for Civil Rights' deputy director, McAndrew has responsibility for implementing and enforcing the HIPAA privacy rule. She has more than 20 years of federal government experience. Before joining HHS, she practiced law in the District of Columbia.
KPMG to Conduct Audits
HOWARD ANDERSON: The HHS Office for Civil Rights has entered a $9.2 million contract with KPMG to create HIPAA compliance audit protocols and then audit as many as 150 covered entities and business associates by the end of 2012. The audit program was mandated under the HITECH Act. Why did you decide to hire KPMG for this project, and when will the audits begin?
SUSAN MCANDREW: As with any contract, this went through an open-bidding process and KPMG was the successful contractor. We look forward to working with them on this very important endeavor. The contract called for rolling out this test of the audit system in a three-step process. First we will be working with KPMG to develop a comprehensive set of protocols for how these audits will be conducted and what measures will be used to evaluate compliance of the entities that are chosen for the audit. We will then do a round of audits, maybe up to 20 or so, in order to field test and prove-up the protocols that have been developed to make sure that they are working as we intended and are providing us with the information that we need. Then, once that evaluation is complete, we will begin to conduct the actual audits through KPMG. And we have established an evaluation system so that we will know once this contract is over how successful the audits were in providing us with good information that actually measures the degree of compliance by covered entities and their business associates.
ANDERSON: So the third step, the actual beginning of the formal auditing process, begins this year?
MCANDREW: We're hopeful that it will begin this year. If not, it will begin the first of 2012.
Who Will Be Audited?
ANDERSON: And how will you go about determining which organizations will be audited?
MCANDREW: We're working with a separate contractor to help us gather the information that we need about covered entities. And we will be working with this other contractor to establish a framework for categorizing these covered entities and stratifying them in a meaningful way so that we can ensure that we have a broad base of entities to use with KPMG to test the protocols across a variety of covered entity types ... to make sure that the protocols are effective. Various sizes of entities [in various] geographical [locations will be audited].
ANDERSON: So the selection will be random?
MCANDREW: ... We will be looking for a variety of entity types to select for the testing of the protocols, and then we will be looking for meaningful ways of targeting the audit selections. But they will be true to the typical audit protocols. It won't be totally random. It will not be incident-driven, unlike the current investigations and compliance reviews that we do. This is an opportunity for us to select on a more random basis who we will be looking at to conduct these audits.
Business Associates
ANDERSON: Just to clarify, it's covered entities as well as business associates that will be audited, is that right?
MCANDREW: Eventually. I'm not sure whether business associates will be part of the initial selection process because they are a little more difficult to obtain information about. We don't have a list or a registry yet of who is a business associate. We're still strategizing as to how to collect information about business associates to make a meaningful selection, but we certainly are looking to KPMG to have protocols developed to give us the capability of auditing business associates.
ANDERSON: So the initial 150 to be audited by the end of 2012 could include some business associates, or will that happen after that?
MCANDREW: It's unclear. The contract calls for up to 150 [audits], so it remains to be seen exactly what the total number of audits will be. And it will depend on how soon the protocols are ready and how soon we can begin to roll out these audits. We will be working with KPMG and we certainly will be providing advance notice to entities if they are being selected for the audit process.
ANDERSON: I just want to make sure I understand. Is it likely that in 2012 any of those who are audited will be business associates then?
MCANDREW: It's unclear at this point whether or not we will be able to conduct and test the business associate protocols. We are hopeful of being able to do so. The primary focus is going to be on the protocols for the covered entities and proving the audit results with regard to covered entity compliance.
What Auditors Will Review
ANDERSON: Will auditors be reviewing general compliance with the HIPAA privacy and security rules, or will they focus on specific issues?
MCANDREW: It's possible that they will do both. Both are acceptable means of measuring compliance. However, at least initially, because we're very interested in assuring that the protocols are complete and provide comprehensive feedback to us on the degree of compliance, we will be focusing primarily on more comprehensive aspects of compliance. That's not to say that we won't find a capacity within this pilot period for running a few audits that are more issue-directed.
Site Visits
ANDERSON: Every audit will include a site visit and result in an audit report. During site visits, auditors will interview key executives to help determine compliance. Please describe that process briefly and tell us what the audit reports will contain.
MCANDREW: The model that we're testing is your typical onsite audit. ... There will definitely be advance notice to the entity. There will usually be an advance request for documentation and survey material from the covered entity so that the auditor can best use their time onsite to focus in on what they need to do and the people they need to talk to onsite. And then, as is typical following the onsite visit, the auditors, if they need to, will collect more information. They will complete their draft report. Typically the draft report is shared with the covered entity before it's final, and the covered entity's responses to the findings of the auditor would be incorporated as part of the final audit report.
Enforcement vs. Education
ANDERSON: Will the audit program be used primarily as an enforcement tool, potentially leading to resolution agreements or civil monetary penalties in cases of non-compliance, or will it be used strictly as an educational tool to improve general compliance?
MCANDREW: I don't think that the audit program will be that black and white. We are looking at it as a way of expanding our capacity to ensure compliance with covered entities, and there will be a proper role for these audits in that. But we're looking at the audit as a way of being able to measure compliance without having to have a precipitating incident be the focus of the onsite visit and the review that is done on compliance. These will be broader and not as narrowly focused as most of our investigations are.
That said, I think there's great learning that can be done by making public the audit information. We will need to do some assessment as to how valuable and in what form this information can be made of most use to covered entities other than, of course, the entity that's involved in the audit. And with regard to the entity involved in the audit, as it's typical for any audit, if there are vulnerabilities to be addressed, that will need to be made part of the report and the corrective action that the entity is taking to resolve the audit. ...
If we uncover, in the course of the audit, major violations or potential violations, we will be dealing with those in the same manner that we would through our formal enforcement process.
Audit Results
ANDERSON: Will individual audit reports be made public, or will your office issue periodic reports summarizing the results of audits?
MCANDREW: We haven't decided that yet. Part of this whole endeavor is to have an evaluation component where we can be assured that the information that we are getting through this audit process is accurate and meaningful. As I said, there can be great learning by others from these audit reviews, and I'm hoping, certainly, that it will lead to the ability to publicize best practices, effective corrective action and other things like that. And we can expand the impact on compliance of the entire industry by making this information public.
That said, whether we do it in summary form or publish the individual report similar to the way that the inspector general does with their audit materials still needs to be worked out. I think that we will be looking at that very closely as part of our evaluation criteria.
Long-term Plans
ANDERSON: Does the Office for Civil Rights intend to extend the audit program beyond 2012, which is when this contract expires? And if so, how would that be funded?
MCANDREW: Again, a lot of this will be subject to decisions that we will be making based on the evaluation of this contracted activity. So until we have more information and feedback from the actual operation under these conditions, we really haven't made any final determination as to what it's worth investing in on an ongoing basis.
Audit Preparation
ANDERSON: Can you point out any key steps that healthcare organizations should take to prepare for a potential audit?
MCANDREW: Actually, covered entities probably have been doing and taking many of these steps already as a result of their own compliance programs. But this is certainly an opportunity for the covered entities to review their policies and procedures to make sure that they are complete and up-to-date. Also, the way that they are managing the information, whether it's in computerized files or good old-fashioned paper records, make sure that they are fully documenting what's being done with the information and how it's being managed and safeguarded. The [HIPAA] security rule has its own requirements for risk analysis and risk management programs. ...
Through the experience that we've been having with covered entities on breaches and incident response plans, [those plans] need to be up-to-date and flexible, as well as emergency backup systems. I think this is just another opportunity for covered entities to take a moment from their busy, busy days and do a self-assessment. We think that this will help them down the road in terms of building their own capacity for a robust compliance program, training of individuals and making sure that there is awareness throughout the entity of their security and privacy rules and responsibilities.