In 2011 the Department of Health and Human Services’ Office for Civil Rights (OCR) established the HIPAA Pilot Audit Program to ensure compliance with HIPAA’s privacy, security and breach notification rules.
The first round of the audits was conducted between 2011 and 2012, examining the efforts of 115 covered entities (no business associates were audited). Findings from these first audits were published in 2013, and the overall results were less than encouraging. OCR found that most entities evaluated did not meet HIPAA standards.
The push for enforcement is not showing any signs of slowing down. In February 2014, OCR began the process for its next round of audits by initiating a pre-audit survey of some 1,200 organizations (approximately 800 covered entities and 400 business associates) from which it intends to select audit targets. OCR will conduct this second phase of audits “in-house” (rather than utilizing third-party contractors). Additionally, OCR will increase its focus on “high risk” areas, such as security risk analysis and portable devices. Most importantly, OCR will cast a much wider net—auditing not just covered entities but also business associates.
Scope of Audits
Of the 1,200 entities surveyed in the pre-audit, OCR intends to conduct a full audit of:
- 350 Covered Entities—2/3 of which will be providers and 1/3 of which will be health plans or clearinghouses. Those audits are expected to be conducted between October 2014 and June 2015.
- 50 Business Associates—70% of which are expected to be information technology-related business associates and 30% of which will be non-IT business associates, such as billing companies and TPAs. Audited business associates will be drawn from a pool of BAs identified by the audited covered entities. Those audits are expected to commence in 2015.
About 1/3 of the covered entities reviewed will be specifically audited on the privacy rule, another 1/3 on breach notification, and the remaining 1/3 on the security rule. Business associate audits will follow a similar track.
Timeline for Audits
- OCR will begin sending audit notification and data request letters later this summer and into early fall.
- Covered entities and business associates will have two weeks following receipt to respond to the initial data requests. OCR will not consider data submitted late.
- OCR will conduct audits remotely through “desk audits.” Desk audits will be conducted using an updated audit protocol which OCR has not yet made available.
- Audit participants will not have an opportunity to provide clarifications or supplemental information after responding to the initial data request.
- Within 60 days following their submissions, audit participants will be presented with a draft version of OCR’s final report for review prior to publication.
What you need to do now
The most important thing to do right now is to take the steps necessary to come into compliance with HIPAA’s privacy, security and breach notification requirements. Practically speaking, that means at a minimum doing the following:
- Adopt written HIPAA policies and procedures addressing the privacy, security and breach notification rules;
- Designate a HIPAA privacy official and a HIPAA security official;
- Conduct a detailed analysis of the risks and vulnerabilities of electronic PHI;
- Develop and enforce specific policies limiting or curtailing use of portable media devices;
- Utilize encryption when transmitting PHI via e-mail or through patient portals; and
- Train your workforce.