HIPAA Audits Will Continue in 2013
OCR Confirms Plans, Describes Potential Protocol Refinements
HIPAA compliance audits will continue next year after the results of this year's pilot program are analyzed, an overseer of the program confirms. And the audit protocol released late last month could be refined based on the pilot.
Once the consulting firm KPMG completes this year's 115 audits in the pilot program, the Department of Health and Human Services' Office for Civil Rights will "take a step back and analyze the information to make an informed decision about the structure, focus and size of the ongoing audit program," says Linda Sanches, senior adviser and health information privacy lead at OCR.
"We'll be looking at the findings to see if there are any trends that will affect technical assistance or the initial guidance we just put out," she adds. The pilot program did not include audits of business associates, but they may be included in future audits, she says.
So far, 20 compliance audits have been conducted, and 95 more are slated for completion by year's end. The HITECH Act mandated creation of the audit program. But until now, OCR had not confirmed definitive plans to continue the audits beyond the initial phase this year.
Protocol Will Evolve
The HIPAA audit protocol was developed, in part, using insights gleaned from the 20 initial audits, Sanches explains. But she acknowledges that those initial audits don't necessarily represent the same compliance challenge trends that will be discovered as more covered entities are audited.
"The protocol is a living document," Sanches says. Changes to the protocol are likely as OCR gains insights from further audits, she says. Plus, the final version of pending modifications to the HIPAA privacy, security, enforcement and breach notification rules could lead to protocol changes, she adds.
The development of the audit protocol was an iterative process that reflected KPMG's auditing knowledge and OCR's wealth of experience with the HIPAA rules, Sanches says. The two sides combined their expertise to work through several versions of the protocol before it was released.
Looking ahead, the protocol, which contains 165 areas of performance evaluation, will probably continue to be refined and clarified, she says. "We made some changes based on the experience of the first 20 audits, and I expect there will be further changes because ... we'll have more experience with the next group."
Sanches doesn't anticipate any large changes in the protocol. "We reached a point where we thought it would be helpful to put [the protocol] out there to the public so they can look at it," she says. "But I don't want to say it's static; it could be changed in the future."
Some observers have said that the protocol lacks specificity. For example, it calls for determining "if the covered entity risk assessment has been conducted on a periodic basis" without defining what "periodic basis" means.
While Sanches says she understands there is demand for specificity, she explains that the rules "weren't designed as one-size-fits-all set of requirements." In the end, she says such an approach would fail to provide adequate privacy and security protection to health information.
She also stresses: "We are not setting new standards through this [protocol] document."
The detailed protocol can prove useful for audit preparation as well as for overall compliance efforts, Sanches says. Hospitals, clinics and others can use the protocol to get a sense if their compliance efforts are as comprehensive as they should be, she says. "While the protocol wasn't designed for anything other than its use in compliance audits, we hope covered entities find it a helpful document as a check list for their own internal review of their compliance efforts."
In a recent presentation, Sanches said the first 20 audits showed that more organizations had trouble with security compliance than privacy compliance, and smaller organizations had more difficulties than larger ones (see: HIPAA Audits: A Preliminary Analysis).