Officials in the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) have indicated that OCR will begin a new phase of audits of covered entities' compliance with the Health Insurance Portability and Accountability Act (HIPAA) beginning early next year. OCR announced the audits in a September 23, 2015 response to a report by the HHS Office of the Inspector General (OIG), which criticized OCR for its lack of enforcement of HIPAA.

Background

OCR is responsible for administering and enforcing the regulations promulgated under HIPAA: the Privacy, Security and Breach Notification rules. Generally, OCR has enforced the rules by investigating complaints and breaches, as well as performing education and outreach to foster compliance. It has historically conducted only a limited number of "compliance reviews" and the OIG has long criticized the agency for not pursuing more aggressive enforcement efforts. In 2011, for example, the OIG released a report indicating that HHS's oversight and enforcement actions were not sufficient to ensure that covered entities effectively implemented the HIPAA Security Rule. The OIG offered similar criticism in two new reports, released last month, entitled "OCR Should Strengthen Its Oversight of Covered Entities' Compliance with the HIPAA Privacy Standards" and "OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities."

Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to periodically audit the compliance of covered entities and their business associates with the Privacy, Security and Breach Notification rules. As required by HITECH, OCR designed, tested and evaluated an audit function as part of a pilot program a few years ago, during which it engaged KPMG to perform pilot compliance audits of covered entities throughout the country.

OCR finished the audits in the first quarter of Fiscal Year 2013 and spent the balance of the year conducting a formal program evaluation. The evaluation concluded in the first quarter of Fiscal Year 2014. According to OCR, the experience from the pilot audit program provided the agency with an enhanced understanding of current privacy and security risks to health information. The evaluation noted strengths of the program design and suggestions for establishing a permanent program. OCR intends to draw on this information when it launches what it is calling "phase 2" of the audits in early 2016.

OIG Criticism

In the OIG report titled "OCR Should Strengthen its Oversight of Covered Entities' Compliance with the HIPAA Privacy Standards," the OIG found that OCR's oversight and enforcement of HIPAA is "primarily reactive; it investigates possible noncompliance primarily in response to complaints." According to the OIG, "in about half of the closed privacy cases, OCR determined that covered entities were noncompliant with at least one privacy standard. In most cases in which OCR made determinations of noncompliance, it requested corrective action from the covered entities. OCR documented corrective action in its case-tracking system for most of these cases; however, OCR did not have complete documentation of corrective actions taken by the covered entities in 26 percent of closed privacy cases." Further, although 71 percent of OCR staff at least sometimes checked whether covered entities had been previously investigated, some rarely or never did so.

In the second OIG report titled "OCR Should Strengthen Its Follow-up of Breaches of Patient Health Information Reported by Covered Entities," the OIG found that "although OCR documented corrective action for most of the closed large-breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities. OCR also did not record small-breach information in its case-tracking system, which limits its ability to track and identify covered entities with multiple small breaches."

Among other recommendations, the OIG suggested that OCR engage in the following in an effort to improve its oversight and enforcement of HIPAA:

  • Fully implement a permanent audit program;
  • Enter small-breach information into the Program Information Management System (PIMS) or a searchable database linked to it;
  • Maintain complete documentation in PIMS for corrective action;
  • Develop an efficient method in PIMS to search for and track covered entities that reported breaches;
  • Develop a policy requiring OCR staff to check whether covered entities previously reported prior breaches; and
  • Continue to expand outreach and education efforts to covered entities.

Phase 2 Audits to Begin Early 2016

OCR has indicated that phase 2 of the audit program, which will launch in early 2016, will include a combination of desk reviews of covered entities' HIPAA policies, as well as on-site reviews; it will target specific common areas of noncompliance; and it will include HIPAA business associates. Over the next several months, OCR will update the audit protocols; refine the pool of potential audit subjects; and implement a screening tool to assess size, entity type, and other information about potential audit subjects. OCR also will update PIMS to build capacity to support an internal audit program. OCR noted that while it is moving forward with phase 2 of its audit program, the long-term scope and structure of the audit program will ultimately depend upon the availability and allocation of resources for the program (i.e., OCR's budget allocation).

Preparing for Phase 2 Audits

Covered entities and business associates should begin preparing now for the possibility that they may be audited during phase 2 of the program. Most importantly, covered entities should ensure that they have recently performed a risk analysis, which serves as the basis for all HIPAA security rule compliance.

Covered entities also should ensure that they have identified all of their business associates and that updated business associate agreements are in place with each of them. Business associates should be prepared to demonstrate compliance with the Security Rule, the Breach Notification Rule and the Privacy Rule. Mock internal audits can be conducted to mirror the process OCR is likely to utilize. The OCR audit protocol from the last round of audits provides a good starting point for this exercise.