Editor's Note: Now that the Department of Health and Human Services (HHS) has announced that it is beginning the next round of Health Insurance Portability and Accountability Act (HIPAA) compliance audits, organizations need to take specific steps to prepare, in case they are chosen for scrutiny. "Phase two" of the HIPAA compliance audits is expected to involve about 200 remote desk audits of covered entities (CEs) and business associates (BAs) that will be conducted by December 2016. After that, it's anticipated that the Office of Civil Rights (OCR) will conduct a smaller number of more comprehensive on-site audits.
In a new podcast for HealthcareInfoSecurity, summarized below, Manatt Health's Robert Belfort shares how CEs and BAs should prepare for a possible HIPAA compliance audit. He also discusses the possibility of OCR resolution agreements and settlements containing financial penalties for some auditees, the differences between what OCR will likely inspect during remote desk audits vs. more comprehensive on-site audits, and the likelihood that OCR will launch a permanent HIPAA compliance audit program. Click here to listen free to the full podcast.
What Should Organizations Do Now to Prepare for a Possible HIPAA Compliance Audit?
There are a few different steps that organizations can and should be taking to prepare for a possible audit. The first is that there should be an internal gap analysis conducted of the organization's HIPAA compliance program. The analysis should include comparing the organization's existing policies, procedures and practices against HIPAA requirements. Looking back at the audit tools that were used several years ago when a small number of HIPAA audits were conducted provides a helpful starting point for developing an effective gap analysis. If there are gaps identified, it's important to fill those quickly, before an audit commences.
Second, from an organizational standpoint, there should be clear lines of responsibility in terms of who is designated to handle an audit. There should always be one point person given the authority to interface with OCR. That person should have access to other staff who may be necessary to respond to the audit request. The infrastructure should be in place before the audit request comes in, because OCR has suggested that there may be a relatively short turnaround time for producing documents.
What Will OCR Look for During Remote Desk Audits?
Given OCR's resource constraints, audits will likely be targeted to the areas that OCR deems most important. One criterion for choosing auditees may be whether the organization has recently performed a security risk analysis that is sufficient to meet HIPAA requirements. OCR is going to want security analyses that have been conducted in the last year or two and that have the scope and the breadth to cover all the necessary issues.
On the privacy side, OCR will likely be looking at policies that govern the use and disclosure of information to make sure that those policies are in writing and track HIPAA requirements. OCR also will be determining whether the organization has policies and procedures in place to give patients access to their records, provide copies of patient records in a timely way, and ensure there are no obstacles to access.
In addition, OCR may target a few issues that have been sore spots with breaches in the past. For example, OCR is frustrated with the fact that there continue to be breaches involving lost or stolen laptops with unencrypted data on them. OCR believes that every organization should have addressed those kinds of issues a while ago, given the ease of encrypting laptops and the risks associated with mobile devices.
How Will On-Site Audits Differ from Remote Audits?
A desk audit is going to be focused on paper reviews. An organization should do reasonably well on a desk audit if it has the right documentation in place.
A desk audit, however, may not be that effective at getting underneath the policies and looking at how decisions are made on a day-to-day basis and whether there's compliance with the written policies. With an on-site audit, there's a lot more opportunity to get underneath the policies and look at actual operations. OCR will probably interview people within the organization and ask questions about how policies have been implemented, as well as how uses and disclosures are treated. OCR may even access an organization's information system to see how it functions. Overall, on-site audits provide a more intensive review of what's really going on in practice, while desk audits are more about documentation.
How Can CEs and BAs Avoid Triggers That Could Lead to More Comprehensive Compliance Reviews and OCR Investigations?
There are certainly areas of HIPAA compliance that are ambiguous. When it comes to interpretations of the rule, particularly on the security side, that involve judgment calls by providers, OCR is saying that it's looking to understand industry practice, to educate providers about expectations, and to provide some benchmarks that the industry can look to as to what's reasonable. On those types of judgment call issues, OCR is taking primarily an educational and corrective action type of approach.
There are certain hard-and-fast requirements, however, that OCR will look at from an enforcement standpoint. For example, if OCR discovers that an organization has never done a risk analysis, has never issued privacy notices to patients, or has no policies in place to handle patient requests for records, that could push the audit to the enforcement side.
Could Enforcement Activities Coming from Audits Involve Financial Penalties or Resolution Agreements or Settlements?
It depends on what OCR finds. There have been penalties imposed in breach notification cases that are linked to clear violations, such as unencrypted laptops, failure to have ever performed a risk analysis, or absence of business associate agreements with vendors who have access to significant amounts of protected health information. The agency could take the view that since it's imposed penalties for these kinds of violations when there's been a breach, if it finds organizations in clear violation of the rule, it could choose to impose penalties, even if no breaches have been reported.
How Likely Is It That a Permanent Audit Program Will Be Launched?
Whether or not a permanent audit program will be launched is, ultimately, a funding question. When HIPAA was first enacted, the agency had a cooperative mindset. Rather than aggressive enforcement, it wanted to give the industry time to work with the rules and come into compliance, and it viewed itself as a partner in that activity.
It's now been 13 years since the privacy rule became effective, however. Within the government, there is most likely the perspective now that the trial period has ended, and the industry should know the rule's requirements and be compliant with them. Recent penalties and settlements have shown that when the agency discovers noncompliance, it will impose multimillion-dollar penalties, particularly on larger organizations that can afford to pay them.
The main obstacle to a permanent audit program has been the lack of resources to fund auditors. As much as OCR may want to establish a permanent program and as much as high-tech obligates the agency to perform audits, an audit program can't happen if there is no funding.
The government tends to fund auditing activity that it believes will return funds back to the government. It considers auditing an investment and funds audits that will deliver a return on that investment. For example, the government has an extensive Medicare and Medicaid audit program because it more than pays for itself. So the dynamic probably will only shift if an approach is taken where penalties are sufficient to cover the cost of the auditing program.