HIPAA Audits: A Status Report

Planning continues; kickoff could be this year
The new federal HIPAA privacy and security rule compliance audits of healthcare organizations and their business associates likely will start later this year once a report on a model for the program is completed, a key federal privacy official says.

In the next few weeks, Booz Allen Hamilton will provide a status report on its compliance audit study for the Office for Civil Rights in the Department of Health and Human Services, the governmental unit that enforces the privacy and security rules, says Susan McAndrew, OCR's deputy director for privacy.

The timing of the start of the HITECH Act's mandated audit program "will really depend on the ultimate selection of what model we use" and how fast that model can be implemented, McAndrew told HealthcareInfoSecurity.com in a May 11 interview. Her comments came at the Washington, D.C. conference "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by OCR and the National Institute of Standards and Technology.

Outsourcing anticipated

"I'm fairly sure audits will be outsourced," McAndrew added. "We really don't have the budget capacity right now to hire the number of people that we would likely need for an effective audit program."

But in the meantime, investigators in OCR's 10 regional offices are conducting "compliance reviews" in the wake of certain breach incidents to help organizations take corrective action to avoid future incidents, she explained.

In contrast, the audit function will be "proactive," in hopes of pinpointing areas of compliance weakness so that breaches can be avoided, she added.

HITECH shifted responsibility for enforcement of the HIPAA security rule from the Centers for Medicare & Medicaid Services to OCR, which had been enforcing the HIPAA privacy rule since 2003.

Once the security rule audit program begins, auditors will check that organizations have completed a risk assessment and implemented appropriate administrative, technical and physical safeguards, McAndrew said.

Because so many of the major breaches reported to OCR so far have involved the theft of computer devices, "physical safeguards need more attention," she stressed. Plus, mobile devices should be encrypted, she added.

"I am continually surprised by the fact that you actually have to lose your laptop before the light bulb goes off and you say, 'Gee, maybe I need an encryption policy.' You're a lot better off if you can learn from your neighbor. Don't let it happen to you. Encrypt now."

The HITECH Act breach notification rule contains a safe harbor exempting organizations from reporting breaches if the information involved is encrypted in a specific way.

Audits for compliance with the privacy rule, McAndrew said, will focus on organizations' efforts to uphold individuals' rights, such as their right to access their own medical records. Auditors also will look at whether organizations have proper internal controls in place to limit unauthorized access to patient information, she said.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
