HIPAA Audits: A Progress Report20 Complete; 95 to Come; Protocol to be Published
Federal authorities have selected another 95 healthcare organizations that will be audited for HIPAA compliance this year and notification is continuing.
The Department of Health and Human Services' Office for Civil Rights has completed its initial 20 audits that tested the program mandated by the HITECH Act, says Susan McAndrew, deputy director at OCR. But those organizations have not yet received their final audit reports, she notes.
"Data collection on the next wave of 25 has begun," McAndrew tells HealthcareInfoSecurity. The other 70 will be notified in phases in the months ahead.
The audits assess compliance with the Health Insurance Portability and Accountability Act's privacy and security rules.
The consulting firm KMPG will complete all 115 planned audits of covered entities by year's end, McAndrew says. Officials had originally said as many as 150 audits might be conducted this year, but the number was scaled back. Business associates will not be audited this year.
McAndrew declines to offer specific details regarding how those to be audited were selected. But she reiterates the following statement, which OCR provided earlier:
"OCR identified a pool of covered entities that broadly represent the diverse range of healthcare providers, health plans and healthcare clearinghouses operating today. Using this spectrum of audit candidates permits OCR to assess HIPAA compliance in a variety of entities with unique operating environments and relationships with patients. Among the specific criteria used to select particular candidates are whether the entity is public or private, the size of an entity, affiliation with other healthcare organizations, the type of entity and relationship to patient care, and past and present interaction with OCR concerning HIPAA enforcement and breach notification. OCR also considers geographic factors in the selection process."
Protocols to be Published
OCR plans to publish the audit protocol on its website "in the near future," McAndrew says. "As part of this pilot program, OCR has developed a specific audit protocol manual to be used for conducting audits. The protocol is also designed so OCR can use it as the basis for our audit work in the future, regardless of the staffing approach we take long term."
McAndrew declines to discuss whether OCR is moving ahead with plans for continuing the audit program beyond this year. She points out that OCR will offer a report on the aggregate findings of its audits after all of this year's audits are complete.
In an earlier interview, Leon Rodriguez, OCR director, said there's a "reasonable likelihood" the audit program will continue beyond this year, despite budget cuts. "This audit program has exposed vulnerabilities and issues that we can't find any other way," he notes. "I think it will be good policy for us to really keep this audit program going."
Asked about action that OCR might take as a result of the audits, McAndrew pointed to an audit overview on the OCR Website, which states:
"Audits are primarily a compliance improvement activity. OCR will review the final reports, including the findings and actions taken by the audited entity ... The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity."
Audit Preparation Advice
Mac McMillan, a consultant who recently advised a hospital that was one of the first 20 pilot audit sites - and was on hand for the auditors' visit - offers audit preparation advice based on that experience.
McMillan, co-founder and CEO of CynergisTek, says conducting a thorough risk assessment is essential. He also advises covered entities to:
- Ensure that the program you document and the controls you employ "reflect what you have learned from that risk assessment experience. Make sure you can demonstrate the remediation steps you have taken since conducting your risk analysis and that this is an ongoing business process."
- Establish and document policies and procedures to address all HIPAA security and privacy requirements and the practices that demonstrate compliance with HIPAA and your policies.
- Train the workforce, emphasizing the practical aspects of how security and privacy fits within their job performance. "Orientation and annual refresher training are important, but not adequate to address realistic user awareness," he stresses. "Ensure there are periodic reminders provided on relevant topics from the top of the organization to the bottom."
Here's how McMillan sums up audit preparation: "Organizations that can explain their risk areas, have clearly articulated policies and procedures and documented practices, and a well-informed workforce will be able to demonstrate they have a culture of compliance and a reasonable approach to information security - and will be audit-ready."