HIPAA Audits Move Forward
First 20 Organizations Getting Site Visits
It's official: The new HIPAA compliance audit program has begun. The 20 organizations selected for the initial test phase of the program are preparing for site visits in the coming weeks, federal regulators confirm. After that, about 130 more organizations will face audits later this year.
For those who believed that the audits would focus only on larger organizations, security consultant Mac McMillan has some news: That's not the case. McMillan is advising a small Texas hospital that is preparing for a site visit by auditors later this month. "So they're not just going after the big guys," stresses McMillan, CEO of CynergisTek.
HITECH Act Mandate
The Department of Health and Human Services' Office for Civil Rights announced the audit program last year. The HITECH Act, part of the economic stimulus package passed in 2009, mandated the audit program to improve compliance with the Health Insurance Portability and Accountability Act's privacy and security rules.
In a recent interview, Leon Rodriguez, the new head of the OCR, described the goals of the audit program, which is focusing this year on auditing covered entities rather than their business associates. "Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve," he said. "Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that's really not the primary goal of the audit program."
Who's Being Audited?
In the pilot phase, OCR is auditing eight health plans, two claims clearinghouses and 10 provider organizations: three hospitals, three physicians' offices, a laboratory, a dental office, a nursing/custodial facility and a pharmacy. That information was first reported in a blog by Adam Greene, partner at the law firm of Davis Wright Tremaine, who formerly was an OCR official. OCR officials confirm that the blog's description of the types and counts of covered entities selected for the test audits is accurate.
Greene expects that KPMG, the consulting firm hired to conduct the audits, will work with OCR to "revisit the audit protocol" and make adjustments once the first 20 test audits are wrapped up. OCR officials say most of the rest of the audits will "go out in the field in the second half of 2012."
Documentation Required
Letters to the first 20 audit subjects were mailed Dec. 1, and the organizations had 10 days to provide a long list of required information, McMillan says. For example, the hospital he's advising had to provide copies of its HIPAA privacy and security compliance policies as well as its plan for complying with the HIPAA breach notification rule.
The letter to the Texas hospital indicated that three to five auditors would likely spend five business days at the facility, McMillan says. Larger organizations, he notes, can expect a visit that could last up to 10 days.
Once the auditors prepare their report, the hospital will have the opportunity to file a response. Then OCR will review both documents and determine any follow-up action, which McMillan notes could range from an informal resolution agreement to a wider-scale investigation.
Selecting Those to be Audited
OCR officials provided HealthcareInfoSecurity with a general explanation of how the agency is selecting organizations to audit: "OCR identified a pool of covered entities that broadly represent the diverse range of healthcare providers, health plans and healthcare clearinghouses operating today. Using this spectrum of audit candidates permits OCR to assess HIPAA compliance in a variety of entities with unique operating environments and relationships with patients."
Specific criteria used to select particular candidates, according to OCR, include: "whether the entity is public or private; the size of an entity; affiliation with other healthcare organizations; the type of entity and relationship to patient care; and past and present interaction with OCR concerning HIPAA enforcement and breach notification." The agency also says it considers geographic factors in the selection process.
As part of this pilot program, OCR has developed an audit protocol manual, agency officials say. "It is comprehensive, but designed so that OCR can select modules of particular interest or concern for examination. The protocol is also designed so OCR can use it as the basis for our audit work in the future, regardless of the staffing approach we take long term."
Audit Prep Advice
McMillan is advising his client to document in advance of the audit the areas where it needs to work on compliance and the steps it plans to take, as well as acknowledge its willingness to address any issues the auditors raise. "As long as you recognize gaps and identify a reasonable path for remediating those, the auditors will give you time to do that," the consultant predicts.
Greene advises organizations to prepare for an audit by taking several steps, including:
- Addressing the entire life cycle of electronic and hard copy protected health information, plus identifying where such information is created throughout the organization, how it is maintained and how it is disposed of;
- Creating a compliance cycle that regularly modifies policies and training in response to recurring issues and emerging threats; and
- Conducting a comprehensive review of policies, procedures, other documentation and training.
OCR has a summary of the audit program on its website.