OCR Begins Audits of Entities to Assess HIPAA Privacy/Security Compliance

Individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses should be prepared for an onsite visit from yet another HHS agency to ensure the entity is in compliance with the rules. The HHS Office for Civil Rights (OCR) has announced a pilot program to perform up to 150 audits of covered entities (CEs) beginning November 2011 and concluding December 2012 to assess privacy and security compliance. HHS must provide for periodic audits to ensure CEs and business associates (BAs) are complying with the HIPAA Privacy and Security Rules and Breach Notification standards as mandated by §13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (included as part of the American Recovery and Reinvestment Act of 2009).

According to OCR, audits present a new opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that OCR may not discover through ongoing complaint investigations and compliance reviews. The audit program may uncover reasons many health information breaches are occurring and help OCR create tools for covered entities to better protect individually identifiable health information. OCR stated that it will broadly share best practices identified through the audit process and guidance targeted to observed compliance challenges via its web site and other outreach portals. OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.

The pilot audit program is a three-step process:

  1. The first step entailed developing the audit protocols.
  2. The second step will be to conduct an initial limited number of audits to test the protocols. The results of the initial audits will inform how the rest of the audits will be conducted.
  3. For the third step, OCR will conduct the full range of audits using revised protocol materials.

Selection and notification of entities. Every CE and BA is eligible for an audit. OCR will select the entities to be audited and will audit as wide a range of types and sizes of CEs as possible, including covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses. OCR noted that BAs will be included in future audits.

OCR will inform entities of their selection for audit in writing between 30 and 90 days prior to an anticipated onsite visit. The notification letter will (1) introduce the audit contractor; (2) explain the audit process and expectations in more detail; (3) describe initial document and information requests, including documentation of their privacy and security efforts; and (4) specify how and when to return the requested information to the auditor. CEs and BAs selected for an audit are expected to provide the requested information within 10 business days of the request for information.

Pilot phase. OCR expects CEs to provide the auditors their full cooperation and support as required by the HIPAA Enforcement Rule. Every audit in the pilot phase will include a site visit and result in an audit report. OCR may initiate a compliance review to address an audit report that indicates a serious compliance issue. An onsite visit may take between three and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. The auditor will develop a draft final report when the field work is completed, which generally will include a description of how the audit was conducted, what the findings were, and what actions the CE is taking in response to those findings. CEs will have the opportunity to discuss concerns and describe corrective actions implemented to address the issues identified, and will have 10 business days to review the draft report and provide written comments back to the auditor. The auditor must complete and submit the final audit report to OCR within 30 business days after the covered entity’s response, incorporating the steps the entity has taken to resolve any compliance issues identified by the audit and describing any best practices of the entity.

OCR’s use of results. OCR stated that the aggregated results of the audits will enable it to better understand compliance efforts with particular aspects of the HIPAA Rules. In addition, concerns about compliance identified and corrected by an audit will serve to improve the privacy and security of health records. OCR said it will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action are most effective. OCR believes that the technical assistance and best practices that it generates will assist CEs and BAs in improving their efforts to keep health records safe and secure.