What's Ahead for HIPAA Audits? OCR's McAndrew Describes Timeline, Offers Insights
The HIPAA compliance audit program will not resume until after the current federal fiscal year ends Sept. 30, says Susan McAndrew of the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
A contractor is evaluating the results of last year's 115 HIPAA compliance audits conducted as part of a pilot project. "We're looking to the evaluation as helping guide us as to where we can best concentrate our efforts, and clearly the funding situation needs to be sorted out for the audit function," McAndrew says in an interview with HealthcareInfoSecurity (transcript below).
"But I think we're pleased enough with the impact of the audit and its reception within the community to know that this does look like a very fruitful approach to gauging and ensuring compliance."
Late last year, OCR Director Leon Rodriguez said future audits would be funded primarily through monetary penalties that OCR imposes as a result of its various HIPAA enforcement actions.
OCR has not yet determined precisely when the audit program will resume nor how large the program will be, McAndrew says. The agency, however, will update the audit protocol this year to reflect the HIPAA Omnibus Rule, she adds.
The compliance deadline for the omnibus rule, which modifies the HIPAA privacy, security and enforcement rules, is Sept. 23.
Preparing for Audits
In the interview, McAndrew also:
- Explains that last year's audits confirm that many organizations still have a lot of work to do when it comes to privacy and security. Only a very small number of audits came away with no findings, she says.
- Describes why it's essential that organizations carefully assess whether encryption is "reasonable and appropriate" for safeguarding patient information. She notes that roughly 15 percent of organizations audited last year failed to make such an assessment as required.
- Urges healthcare organizations to "make sure that their risk assessment and their policies and procedures are up to date."
As the Department of Health and Human Services' Office for Civil Rights' deputy director, McAndrew has responsibility for implementing and enforcing the HIPAA Privacy Rule, which she helped develop. She has more than 20 years of federal government experience. Before joining HHS, she practiced law in the District of Columbia.
Insights from HIPAA Audits
HOWARD ANDERSON: What were some of the major insights gathered as a result of the 115 HIPAA compliance audits conducted for your office last year?
SUSAN MCANDREW: Just to be clear, we're still assessing and working with the final reports that we got from KPMG at the end of last year. A lot of these are just top-level preliminary observations. We're hoping to put together a much more sophisticated analysis as soon as we can. The most obvious takeaway from the audit is there's a lot of work that needs to be done to ensure that all entities are in compliance with both the privacy and security rules. We audited entities of all sizes and types, and in only a very small proportion of those audits [we] came away with absolutely no findings. There's a lot of work for everyone to do, and it's a good time to turn your attention to what needs to be done within your entity to ensure compliance with both the privacy and the security side.
The second observation was that, while the privacy findings tended to be a little more focused, on the security side there were plenty of findings across the array of security rule requirements. Particular attention needs to be placed in making sure that your security standards are being met, and, of course, that all starts with a risk assessment or a risk analysis, and making sure that you address any vulnerabilities that the risk analysis points you to.
The third observation that we have coming out of the audits is that - not surprising - the smaller entities are struggling most with compliance. While the larger entities may have isolated privacy and/or security concerns, it's the smaller entities where you will find multiple observations about non-compliance on both sides of the fence, privacy and security.
ANDERSON: In OCR Director Leon Rodriguez' presentation at the HIMSS Conference, he pointed out some findings ... where some folks ... who were not using encryption ... were not documenting what they were doing as an alternative. Can you talk about that a little bit?
MCANDREW: As you know, encryption is what we call an addressable implementation specification. What that means is you need to do encryption to protect information both at rest and in transmission to the extent it's reasonable and appropriate to do so. If for your particular organization you want to make the case that it's not reasonable and appropriate, the flexibility in the security rule allows you to do so, but it does require that you document why it's not reasonable and appropriate, and you document what you're doing in lieu of encryption that would provide a reasonable and appropriate protection if you do not encrypt.
What the audits are finding is that if you go through that addressable analysis for encryption, we're finding that entities do encrypt. At the end of the day, they do find that encryption is a reasonable and appropriate way of protecting the data. The other entities that don't encrypt didn't even bother to go through the analysis.
ANDERSON: So they hadn't conducted a risk assessment at all?
MCANDREW: They may have conducted some form of a risk assessment, but they did not specifically focus on the implementation specification of encryption, and so they didn't even think about whether or not that was reasonable and appropriate, and what else can we do to have an equivalent means of protection if we decide not to encrypt. They just did nothing.
ANDERSON: How common was that?
MCANDREW: ... I think in the security area the findings were fairly well distributed, so maybe about 15 percent of the cases had that problem with encryption.
ANDERSON: What's the moral of the story there?
MCANDREW: The moral of the story is that when you look at breaches and look at the number of thefts, losses and other issues that result in a breach that involve portable media - laptops, thumb drives and others - if you had gone through the encryption analysis and had encrypted the data, then all you would have been left with is lost property, but there would not have been an information endangerment on top of the lost property. It's the information loss that could eventually hurt you if we wind up in an enforcement action. This is one of the areas where if we investigate a breach and what was done in the breach, and it comes to light that you did not do an encryption analysis, then you're potentially facing penalties as a result of your failure to follow the security rule.
Publishing Audit Results
ANDERSON: Do you know yet when you'll be publishing the results of your analysis of the first round audits last year?
MCANDREW: I don't know exactly when. We're in the process now of putting the 115 audit reports into our database for analysis purposes. We're also in the process of doing an evaluation. We have another contractor who will do a formal evaluation of the audit pilot program. And we will be looking at that evaluation as well in terms of what to do with the final analysis of the findings that were coming out of the audit process.
ANDERSON: Is it too soon to tell whether any of the first round audits will result in settlements or penalties?
MCANDREW: Not as a result of the audit process, per se. We did say that we were not going to use the audit results to impose penalties. But we did reserve the right, in the appropriate cases, if the audit finding was of a degree of seriousness, that those findings would be moved into a compliance review arena and result [in] a further investigation through that compliance review, and there could well be some enforcement action. It will take getting all of these reports put into the system and looked at very closely.
Next Phase of Audits
ANDERSON: You're still projecting the next phase of the audits could resume toward the end of this year or beginning of the next?
MCANDREW: We're very hopeful that we can, as a result of the evaluation and our analysis of the results, resume the audit function. I think we're looking to the evaluation as helping guide us as to where we can best concentrate our efforts, and clearly the funding situation needs to be sorted out for the audit function. But I think we're pleased enough with the impact of the audit and its reception within the community to know that this does look like a very fruitful approach to gauging and ensuring compliance. Already I think it's produced some tools that will have good effect within the industry, particularly in their ability to take the protocol which we have on our website, and to use that for their own purposes.
We're also in the process of updating that protocol now to ensure it reflects the changes that are coming at the end of September [when the HIPAA Omnibus Rule will be enforced]. Right now, we're all going to be concentrating on the implementation of the omnibus rule and then looking to pick up with audits after the end of this fiscal year.
ANDERSON: Is it too soon to tell how many audits will be conducted in the next phase, how long it will last and all those details?
MCANDREW: It's really too soon to tell.
Tips for Audit Preparation
ANDERSON: To sum up, what are your tips on preparing for the audits that will resume here sometime soon?
MCANDREW: The tips are the same that we had when we got into the project. This is an opportunity for covered entities to be able to take a systemic look, go back and make sure that their risk assessment and their policies and procedures are up to date. It clearly behooves them to do that as they approach the implementation of these omnibus rule changes. It's a nice time to do that and ... ensure that compliance is a daily task. It needs support through an organized program within the covered entity. Whether it's a self-audit process or an external audit process, this is a good discipline for covered entities to engage in, in order to ensure that the information that they have from patients is both private and secure.