Since November 2011, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has been conducting audits of covered entities (the “HIPAA Audit Program”) for compliance with the privacy and security requirements under HIPAA and the HITECH Act (collectively, the “Privacy & Security Rules”). While the Internal Revenue Service and the Department of Labor have conducted audits with respect to HIPAA’s portability requirements in the past, the HIPAA Audit Program is a new enforcement effort for HHS/OCR, which until now relied mainly on complaint-based investigations and reviews. This advisory summarizes the HIPAA Audit Program as we currently understand it and provides some basic compliance reminders that may be helpful in preparing for such an audit.
As a pilot program, the initial phase of the HIPAA Audit Program consists of 20 audits that are intended to fine-tune OCR’s audit protocols. Upon completion of the initial phase (which we understand has been completed or is near completion), OCR intends to use its revised audit protocols to conduct up to 130 additional audits in 2012. OCR has engaged KPMG, a national accounting firm, to develop audit protocols and assist in operating the HIPAA Audit Program.
For 2012, the HIPAA Audit Program is targeting a wide range of types and sizes of covered entities in order to make a broad assessment of Privacy & Security Rule compliance. OCR expects to expand its scope of audits to include business associates in the future.
Audit Parameters and Consequences
When a covered entity such as a health plan is selected for an audit, OCR will notify the covered entity in writing. The audit notification will explain the audit process and expectations, and request the production of certain documents and information. OCR expects covered entities that are selected for the audit to produce the requested documents and information within 10 business days.
Audited entities can expect an onsite review that may take between three and 10 business days, depending on the complexity of the audited entity and the auditor’s need to access materials, observe operations and meet with individuals. The onsite review may include:
- interviews with the entity’s leadership, such as the chief information officer, privacy officer, legal counsel and health information management/medical records director;
- examinations of the entity’s physical features, operations and adherence to its policies; and
- observation of the entity’s compliance with HIPAA regulatory requirements.
After completion of the onsite visit, the auditor will provide the covered entity with a draft final report that describes its findings, which may include a list of alleged violations of the Privacy & Security Rules. A covered entity will generally have 10 business days in which to review and provide any written comments to the auditor. The auditor will then complete its final audit report, generally within 30 business days after the covered entity’s response and submit it to OCR. In the event the audit report indicates a serious compliance issue, OCR may initiate a formal compliance review to address that issue.
OCR has indicated that the primary purpose of the HIPAA Audit Program is to promote compliance improvements and that it will not post a list of audited entities or audit results that clearly identify the audited party. OCR, however, retains the authority to impose severe sanctions on violators, including (i) injunctions, (ii) imposition of $100-per-violation penalties (up to $50,000 per incidence for willful neglect) that can accrue until correction (with a $1.5 million calendar-year cap for all violations of the same regulatory requirement) and (iii) criminal penalties for knowing violations.
Internal Compliance Review
With the HIPAA Audit Program underway, covered entities and business associates should take this opportunity to “brush the dust off” their HIPAA policy and procedures manuals and other implementation documentation. We suggest preparing by identifying all of the HIPAA policies, procedures and documentation and reviewing them for compliance with the Privacy & Security Rules. Such actions should, at a minimum, include the identification and review of the following (this is a non-exhaustive list):
- HIPAA notice of privacy practices;
- identification of HIPAA privacy and security official(s) and documentation of their authority (e.g., appropriate resolutions appointing and authorizing such individuals);
- plan document(s), including any amendment(s) relating to HIPAA privacy and security (for group health plans);
- HIPAA business associate agreements;
- identification of employees authorized to access protected health information (PHI) and documentation of their HIPAA training, attendance and training materials;
- updated policies implemented to address potential HIPAA breaches;
- written policies and procedures that are designed to comply with the Privacy & Security Rules and that document, in detail, all of the entity’s HIPAA privacy and security practices, including those relating to:
  - the use, disclosure, maintenance, documentation and safeguard measures (administrative, physical and technical) with regard to all PHI;
  - prevention, detection, containment and correction of security violations (including breaches under the HITECH Act);
  - contingency and backup plans, and emergency access to electronic information systems;
  - employee training; and
  - sanctions for employees who violate the covered entity’s HIPAA policies or procedures;
- documentation of required HIPAA privacy and security risk assessments and analyses on which the HIPAA compliance policies and procedures are based; and
- documentation of actions taken in accordance with the HIPAA policies and procedures, including documentation of identification, investigation and resolution of HIPAA security incidents and complaints.
For further information on HIPAA and HITECH compliance obligations, see our prior advisories linked below: