Following the conclusion of the Health Insurance Portability and Accountability Act (HIPAA) pilot audit program in 2012, speculation began about the timing of the permanent program of periodic HIPAA audits. Originally, the Department of Health and Human Services’ Office for Civil Rights (OCR) scheduled the permanent audit program for 2014. However, personnel and budget limitations delayed the launch, and the year came and went without implementation of the program.
With 2015 nearing its close, advisors in the health data industry may have felt like they were crying wolf while encouraging clients to take this time to review and improve HIPAA compliance efforts given the impending audits. Finally, however, in late September 2015, the OCR announced that the permanent audit program will launch in early 2016. Reports indicate that the OCR has already sent out inquiries to covered entities confirming contact information for possible follow-up.
Why is the OCR Auditing Entities?
The HITECH Act requires that the OCR implement audits to proactively assess covered entities’ compliance with the privacy and security standards set out in HIPAA. The audits provide valuable insight into areas where entities are having trouble complying with HIPAA requirements. The OCR can issue guidance addressing those problems to help all entities meet HIPAA compliance obligations. The audits also permit the OCR to assess whether the audited entities are adhering to HIPAA rules. When it finds potential non-compliance, the OCR may choose to launch an investigation and issue fines, require corrective action plans, and impose other remedies in the event HIPAA violations are found.
Which Entities Will Be Audited?
The OCR is expected to audit approximately 400 entities, including both covered entities and business associates. The OCR will randomly select the entities, likely selecting organizations within certain segments based on size of the entity, patient volume, and other criteria.
Most Audits Likely to Be “Desk Audits”
Given the OCR’s lack of resources, most of the audits are likely to be documentation reviews. However, the OCR expects to perform some on-site audits as well. The OCR may also attempt to gauge how well policies and procedures have been implemented, and it remains to be seen what evidence the OCR will want to review.
Possible Foci of Audits
The OCR has communicated that it intends to focus on key common compliance failures rather than auditing everything. The findings from the pilot audit program and the settlements following data breach investigations may provide insight into the direction of the audits. The OCR is expected to release the audit protocol prior to the start of the audits to provide more guidance to audited entities. However, entities should not wait for the audit protocol before deciding which HIPAA rules to direct compliance efforts toward. We believe the OCR is likely to focus on subjects such as whether:
- Security risk assessments were completed and documented (a major problem area identified during the pilot audit program)
- Policies and procedures address the vulnerabilities identified in the risk assessment
- Written policies and procedures reflect the entity’s compliance efforts with HIPAA, including the Privacy and Security rules
- Device and media controls are used
- A data incident response plan is in place
- HIPAA training is given to employees
- Appropriate business associate agreements are in place
Audits Not the Only Tool in the OCR Toolbox
The OCR commonly investigates data breaches, particularly those that affect more than 500 individuals. The OCR also responds to complaints filed by patients and others. If an investigation shows an entity’s failure to meet its HIPAA-related obligations, the OCR may impose civil fines, action plans, and other obligations.
Entities required to comply with HIPAA should consider reviewing their compliance efforts immediately to identify areas of improvement and take any necessary steps to resolve issues. The OCR has indicated that when it reviews entities during audits and investigations, it will consider how well entities have historically complied with HIPAA. Therefore, entities likely benefit from long-running compliance efforts, even if such entities are not fully compliant with HIPAA. However, organizations should avoid relying too heavily on compliance efforts made years ago, as HIPAA requires entities to update their policies and procedures to mitigate risks from the security vulnerabilities identified in an annual risk assessment and from material changes to operations and business environment. The OCR may view stale policies and procedures just as negatively, given the rapid changes in technology. HIPAA compliance is an ongoing commitment, and those organizations that have well-documented policies and procedures that meet HIPAA requirements and are regularly reviewed and improved will likely have little trouble when the OCR auditors arrive.