HIPAA Audits: A Status Report
Planning continues; kickoff could be this year
In the next few weeks, Booz Allen Hamilton will provide a status report on its compliance audit study for the Office for Civil Rights in the Department of Health and Human Services, the governmental unit that enforces the privacy and security rules, says Susan McAndrew, OCR's deputy director for privacy.
The timing of the start of the HITECH Act's mandated audit program "will really depend on the ultimate selection of what model we use" and how fast that model can be implemented, McAndrew told HealthcareInfoSecurity.com in a May 11 interview. Her comments came at the Washington, D.C. conference "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by OCR and the National Institute of Standards and Technology.
"I'm fairly sure audits will be outsourced," McAndrew added. "We really don't have the budget capacity right now to hire the number of people that we would likely need for an effective audit program."
But in the meantime, investigators in OCR's 10 regional offices are conducting "compliance reviews" in the wake of certain breach incidents to help organizations take corrective action to avoid future incidents, she explained.
In contrast, the audit function will be "proactive," in hopes of pinpointing areas of compliance weakness so that breaches can be avoided, she added.
HITECH shifted responsibility for enforcement of the HIPAA security rule from the Centers for Medicare & Medicaid Services to OCR, which had been enforcing the HIPAA privacy rule since 2003.
Once the security rule audit program begins, auditors will check that organizations have completed a risk assessment and implemented appropriate administrative, technical and physical safeguards, McAndrew said.
Because so many of the major breaches reported to OCR so far have involved the theft of computer devices, "physical safeguards need more attention," she stressed. Plus, mobile devices should be encrypted, she added.
"I am continually surprised by the fact that you actually have to lose your laptop before the light bulb goes off and you say, 'Gee, maybe I need an encryption policy.' You're a lot better off if you can learn from your neighbor. Don't let it happen to you. Encrypt now."
The HITECH Act breach notification rule contains a safe harbor exempting organizations from reporting breaches if the information involved is encrypted in a specific way.
Audits for compliance with the privacy rule, McAndrew said, will focus on organizations' efforts to uphold individuals' rights, such as their right to access their own medical records. Auditors also will look at whether organizations have proper internal controls in place to limit unauthorized access to patient information, she said.