The Department of Health and Human Services' Office for Civil Rights (OCR) announced on Monday the launch of "round two" of its HIPAA1 Audit Program, officially ending a long delay on the program's rollout.2 This means that HIPAA covered entities (which include most providers, health plans, and healthcare clearinghouses) and their business associates may soon find themselves under review for compliance with the HIPAA privacy, security and breach notification rules.
Background and Pilot Audit Results: Eyes on Security
The HIPAA Audit Program was created pursuant to Congress' mandate in the Health Information Technology for Economic and Clinical Health Act, which required that OCR develop a program to assess covered entities' and business associates' compliance with the HIPAA rules.3 OCR launched a "pilot" audit program in 2012, covering an initial sample of 115 covered entities. Overall findings from the pilot program revealed that nearly 90% of auditees had one or more deficiencies, with the security rule accounting for the majority of these findings.4 Specifically, a significant number of healthcare providers and health plans lacked an accurate security risk assessment, a tool that, according to OCR guidance, "form[s] the foundation upon which an entity's necessary security activities are built."5 Moreover, the failure to have an accurate and complete risk assessment can have significant consequences in the event of a breach or complaint; recent enforcement actions demonstrate that OCR may penalize companies for lacking a risk analysis that sufficiently, and across the organization's entire system, identifies vulnerabilities to patient health information, as well as for the failure to respond to such vulnerabilities by implementing appropriate safeguards.
OIG Charges OCR with Proactive Enforcement
The launch of this next round of audits comes just several months after the Office of Inspector General of the Department of Health and Human Services (OIG) called on OCR to take more effective action in overseeing covered entities' compliance with HIPAA. In a report released in September 2015, OIG concluded that OCR's enforcement efforts are limited to responsive inquiries and investigations, rather than proactive oversight. Taking note of OCR's delay in launching the second round of audits, OIG stated, "OCR has not fully implemented the required audit program to proactively identify possible noncompliance" from entities subject to HIPAA.6 Without fully implementing a permanent audit program, OIG claimed, "OCR cannot proactively identify covered entities that are noncompliant with the privacy standards." Just several months later, in the wake of OIG's incitement to OCR to "strengthen oversight" of HIPAA compliance, auditees can expect a more stringent level of review in the upcoming audits.
Who is Subject to a HIPAA Audit?
OCR seeks to create a pool of auditees that represent "a wide range" of covered entities and business associates, based on criteria such as an entity's level of revenue, scope of patient population, number of employees, type of entity and its relationship with individuals, geographic location, and affiliation with other healthcare organizations. Notably, OCR also indicates that "present enforcement activity with OCR" will be considered, although it will not audit entities with an open complaint investigation or that are currently under compliance review.
Unlike the pilot program, the second round of HIPAA audits will include business associates. Covered entities receiving a pre-screening questionnaire will be asked to identify those organizations that act as their business associates. From that pool of named organizations, OCR will randomly select business associates to include in the audit.
The Audit: What to Expect
OCR plans to conduct this round of audits in three phases: the first phase will be desk audits of covered entities, the second will consist of desk audits of business associates, and the final phase will include onsite review and will evaluate compliance with a "broader scope of requirements from the HIPAA Rules" than desk audits. Covered entities and business associates subject to an initial desk audit have an additional incentive to ensure their documentation is in order – some desk auditees may be subject to a subsequent, onsite audit during the final phase of review.
The initial steps in the round two audits are already underway. However, entities receiving communication from OCR at this point are not guaranteed an audit. OCR is currently in its selection process, and will use this initial process of communicating with entities to gather data about the size, type and scope of operations of the potential auditees to determine its pool. After OCR's pool has been determined, selected auditees will receive a document request and specific instructions on how to provide all requested materials.
What You Can Do to Get Ready
In the past, OCR has stated that the HIPAA audits will function mainly as a compliance improvement activity, rather than a basis for penalties or enforcement action. However, in the current climate of high-stakes breaches, increased HIPAA enforcement, and mounting pressure from OIG to proactively monitor compliance, we can't be certain the second round of audits will follow suit.
Healthcare organizations subject to an audit should expect a broad document request in the initial stages of review, along with a potentially quick deadline for response. Providers, health plans, and healthcare clearinghouses, as well as their business associates, can prepare by locating and reviewing for updates their HIPAA policies and procedures, security analyses, business associate agreements, and any other documentation maintained pursuant to HIPAA. OCR's recent enforcement actions, however, indicate that it may look for more than just documentation and may expect an organization to demonstrate adherence to its policies and procedures. Further, OCR will likely look for evidence of an organizational commitment to HIPAA compliance – including evidence of training workforce members, mitigation of privacy and security incidents, breach risk assessments and other measures.