This Year's HIPAA Audits an Interim StepHHS Makes Another Incremental Move Toward Permanent Program
See Also: Ransomware: The Look at Future Trends
HIPAA compliance audits, mandated under the HITECH Act of 2009, have been on hold since a pilot program, which included onsite audits of 115 covered entities, was conducted in 2011 and 2012. A "permanent" program was expected to have been launched by now.
Phase two of the audits will focus on "desk audits" of covered entities as well as business associates, to be completed by the end of December, followed by a handful of onsite audits, HHS says.
In a March 21 statement, HHS' Office for Civil Rights, the agency headed by Jocelyn Samuels that oversees HIPAA enforcement, says it has begun sending emails to potential auditees requesting that contact information be provided "in a timely manner." OCR says it will then transmit a pre-audit questionnaire to gather data about the size, type and operations of potential auditees. The office will use this information to create a pool from which those to be audited will be selected.
Phase two of the audit program will consist mostly of remote desk audits, first of covered entities and then business associates. These audits will examine compliance with specific requirements of HIPAA's privacy, security or breach notification rules, and auditees will be notified of the subjects of their audits in advance.
Organizations chosen for a desk audit will be sent an email notification, which will ask them to provide documents and other information within 10 days via a new secure audit portal on OCR's website.
"Auditors will review documentation and then develop and share draft findings with the entity," OCR says. "Auditees will have the opportunity to respond to these draft findings; their written responses will be included in the final audit report. Audit reports generally describe how the audit was conducted, discuss any findings, and contain entity responses to the draft findings."
Eventually, some audits will be conducted onsite, examining a broader scope of requirements from the HIPAA rules than desk audits, OCR says. "There will be fewer in-person visits during these phase two audits than in phase one," OCR notes. "Auditees should be prepared for a site visit when OCR deems it appropriate."
How Many Audits?
In an interview with Information Security Media Group during the recent HIMSS 2016 conference, Deven McGraw, OCR deputy director of health information privacy, said OCR plans to conduct this year about 200 remote desk audits focusing on only a small subset of HIPAA requirements, plus 10 to 25 "full scale audits" that will involve onsite visits.
McGraw said OCR is "on track" to issue a new audit protocol in April and will seek public comment before finalizing the protocol that will be used in the audits. "We are planning to revise the entire protocol even though for the desk audits we are only going to be auditing for selected provisions," McGraw said.
OCR's March 21 announcement about phase two HIPAA audit plans, however, does not specify when a draft audit protocol will be released. "OCR will post updated audit protocols on its website closer to conducting the 2016 audits," OCR says, adding that the updated protocol "can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities."
Permanent Program Repeatedly Delayed
OCR officials had hinted as far back as 2013 that its next phase of audits would be the launch of a permanent HIPAA audit program, as called for under the HITECH Act (see HIPAA Audits: More to Come in 2014).
But so far, Congress has largely snubbed HHS' budget requests for additional money to fund a permanent program.
"The fiscal 2016 and fiscal 2017 HHS budget proposals asked Congress to appropriate several million dollars allowing OCR to implement a permanent audit program," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek and a former senior adviser at OCR. "This multimillion dollar budget appropriation would create new staff positions and support ancillary travel and equipment."
Under the proposed fiscal 2016 budget, HHS sought an OCR budget of $42.7 million, up from nearly $39 million for fiscal 2015, with the bulk of the increase going toward funding a permanent HIPAA compliance audit program. But in fiscal 2016 appropriations approved by Congress, OCR did not receive a budget increase.
OCR signed a contract last fall with FCi Federal to help launch the next round of HIPAA audits. However, OCR's current funding for the project only supports a small round of mostly remote audits, Holtzman says. "The current contract vehicle to support the OCR audits calls for spending only $770,000 through December 2016," he notes.
President Obama's proposed fiscal 2017 budget for OCR again calls for about a 10 percent increase to $43 million. In HHS' fiscal 2017 budget document released last month, OCR noted that additional funding was being sought "to conduct comprehensive and desk audits of covered entities and business associates."
When a permanent program will get off the ground following phase two of the audits is anyone's guess, Holtzman says. "The development and implementation of the permanent audit program is dependent on the availability of funding. The big question is will [OCR] change course and use the funds it collects through its [HIPAA] resolution agreements to hire outside contractors to carry out its permanent audit program? Only time will tell."
Check Your Spam Folder
As for OCR's process of emailing covered entities and business associates about a potential audit, the agency warns it will seek other ways of obtaining requested information if an organization fails to respond.
"An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review," OCR notes. "Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity's spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR."
In the meantime, Holtzman says covered entities and business associates should take steps now in case they are selected for an audit. Those include reviewing and updating their policies and procedures in the key areas identified by OCR as likely target areas in the upcoming audits, such as enterprisewide risk assessments of IT used to handle PHI. Other key issues include meeting the HIPAA Privacy Rule standards for the Notice of Privacy Practices and having policies in place to provide patients access to the PHI; and meeting the requirements of the HIPAA Breach Notification Rule.
"One thing is for sure: You don't want to wait until you get a notification letter from the OCR to start preparing for a HIPAA compliance audit," he says. "Organizations that are going through audits have only one chance to submit all requested documentation, so it's crucial to get it right."
Although OCR says the audits "are primarily a compliance improvement activity ... to help OCR better understand compliance efforts with particular aspects of the HIPAA Rules," a poor audit could result in additional scrutiny. "Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate," the office warns.