HIPAA Audits: A Preliminary Analysis
Security a Bigger Challenge Than Privacy
The initial 20 HIPAA compliance audits found that more organizations had trouble with security compliance than privacy compliance, and smaller organizations had more difficulties than larger ones, a preliminary analysis by federal officials shows.
Many of the audited organizations hadn't been conducting regular risk assessments, says Linda Sanches, a federal official involved in supervising the audits. For some of the organizations audited, "HIPAA hasn't been a priority for several years. ... Risk assessments were done six years ago and haven't been looked at since," she says.
The Department of Health and Human Services' Office for Civil Rights is coordinating the audit effort, which was mandated under the HITECH Act. Sanches, OCR's senior adviser and health information privacy lead, summarized a preliminary analysis at the recent HIPAA Security Conference sponsored by the National Institute of Standards and Technology and OCR. A webcast of her presentation is now available; it's the second half of the HIPAA Day 2, Part 1 file. Her slides also are available online.
Top Security Issues
The top HIPAA Security Rule compliance issues identified in the first round of audits, Sanches says, included:
- User activity monitoring;
- Contingency planning;
- Authentication and integrity;
- Media reuse and destruction;
- Risk assessments;
- Granting or modifying user access.
Many smaller entities, in particular, are having trouble setting up HIPAA compliance programs and implementing them, Sanches says. "Larger institutions are getting better at that," she adds.
The first round of audits also showed that many organizations aren't paying enough attention to managing third-party risks, including monitoring whether there have been issues with business associates that need to be addressed, Sanches adds.
Top Privacy Issues
Top issues that emerged regarding HIPAA Privacy Rule compliance included:
- Personal health information uses and disclosures related to deceased individuals;
- Protected health information disclosures and uses by personal representatives;
- Business associate contracts;
- Disclosures for judicial and administrative purposes;
- Verification of the identity of those requesting PHI.
Some organizations "have no policies or procedures, or are not following them," she says, referring to HIPAA privacy compliance.
Auditors identified cases where organizations asked individuals to sign a document that says they received a privacy notice, but then failed to actually provide the patient with the notice, Sanches says.
HIPAA Compliance Advice
Based on the preliminary round of audits, Sanches advises healthcare organizations to take certain steps, including:
- Conducting robust reviews and assessments;
- Identifying lines of business affected by HIPAA;
- Mapping PHI movement within an organization as well as exchanges with third parties;
- Identifying all locations where PHI resides within an organization;
- Turning to the OCR website for guidance.
OCR expects to provide additional insights about its ongoing audit program in December, Sanches says. The analysis of the audits will enable OCR to compile a guide to HIPAA compliance best practices next year, she adds.
Audit Program Details
OCR isn't disclosing many details about how it's selecting organizations to audit, other than to say it's seeking a mix of different sizes and types of provider organizations, health plans and claims clearinghouses. Business associates aren't being audited in the first phase this year.
If a HIPAA complaint has been filed against an organization, OCR conducts an investigation, and that doesn't trigger an audit - at least not yet, Sanches says. That's because OCR doesn't want to create potential conflicts between open complaints that are under investigation and the work of the audit teams, she explains. Eventually, however, organizations that are the subject of repeated HIPAA complaints will become more likely candidates for an audit, she adds.
Federal authorities have selected another 95 healthcare organizations that will be audited for HIPAA compliance this year, and notification is continuing (see: HIPAA Audits: A Progress Report).
The consulting firm KPMG, which OCR hired for the program, will complete all 115 planned audits of covered entities by year's end, Susan McAndrew, OCR's deputy director of health information privacy, recently told HealthcareInfoSecurity. Officials originally said as many as 150 audits might be conducted this year, but the number was scaled back.
OCR plans to soon publish the audit protocols on its website.
In an earlier interview, Leon Rodriguez, OCR director, said there's a "reasonable likelihood" the audit program will continue beyond this year, despite budget cuts. "This audit program has exposed vulnerabilities and issues that we can't find any other way," he noted. "I think it will be good policy for us to really keep this audit program going."