HIPAA Audits Wrapping Up; Plans for 2013 Not Yet Firmed Up
HIPAA compliance audits will be completed for 115 healthcare organizations by year's end, and federal officials are investigating options for how to continue the program beyond this first round.
The audits, mandated under the HITECH Act, are measuring conformance with the HIPAA privacy, security and breach notification rules.
All organizations to be audited this year have been notified, says Susan McAndrew, deputy director of health information privacy at the Department of Health and Human Services' Office for Civil Rights, which manages the audit program. The consulting firm KPMG is conducting the audits under a contract that expires at year's end.
"We are committed to continuing the audit program and actively engaged in looking at alternatives for moving this initiative forward," McAndrew says. "We have already seen the very positive impact the audit program has had on compliance efforts even as a pilot program, and we want to build on the momentum that this effort has begun."
OCR will issue a summary of the results of a comprehensive review of HIPAA audit findings next year, McAndrew notes. "OCR will not be able to provide a comprehensive review until all final reports are issued and we have had time to analyze the results," she says.
Audits in 2013?
One observer questions whether any HIPAA audits actually will be conducted in 2013, given all that's on OCR's to-do list.
"I'd be somewhat surprised if there were audits conducted next year," says Adam Greene, a former OCR official who now is a partner at the law firm Davis Wright Tremaine.
He points out the evaluation of 2012 audit results likely will be time-consuming, and the results could influence whether the audit protocol will be altered - another time-consuming process. Plus, it will take some time for OCR to enter a new contract with a consulting firm to run the next phase of the program. And funding must be finalized as well. Earlier, OCR officials indicated financial penalties imposed as a result of HIPAA settlements could be one source of funding for audits.
Back in June, OCR officials summarized the results of the initial 20 audits (see: HIPAA Audits: A Preliminary Analysis). For example, they pointed out that more organizations had trouble with security compliance than with privacy compliance, and that smaller organizations had more difficulties than larger ones. They also said that many of the audited organizations hadn't been conducting regular risk assessments.
In a presentation Oct. 1 at the American Health Information Management Association conference in Chicago, Allen Killworth, partner at the law firm Bricker and Eckler, offered audit preparation advice:
- Frequently review the audit protocol posted on the OCR Web site (see: HIPAA Audit Protocol Revealed). He noted that the protocol has been revised since it was issued earlier this year, and could be further revised next year.
- Assess the status of your HIPAA compliance program.
- Review all privacy and security policies and procedures and make sure all documentation is easily retrievable.
- Make sure your notice of privacy practices is complete and up-to-date and that patients routinely receive it.
- Ensure retention of all other relevant documents, including those that provide evidence of how all HIPAA complaints were handled and what staff compliance training was offered.
- Identify all business associates and make sure BA agreements are in place. "Being able to identify who all your business associates are is a bigger challenge than most people realize," he said.
- Create a team responsible for responding in the event of an audit notice. "When you have 15 days to produce documents, you need to be acting quickly. ... Have an audit team ready to go."