The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun auditing covered entities for compliance with the Health Insurance Portability and Accountability Act (HIPAA) under the HIPAA Audit Program (Audit Program). The Audit Program is funded by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires HHS to conduct periodic audits to ensure that both covered entities and business associates are complying with the HIPAA Privacy and Security Rules, as well as the Breach Notification standards.
This first round of audits is being conducted through OCR’s Pilot Phase. OCR, the agency that enforces the HIPAA Privacy and Security Rules, anticipates that it will audit approximately 150 covered entities through December 2012. Under the Audit Program, every covered entity and business associate is eligible for an audit. However, based on the objectives of the Pilot Phase, OCR will audit only covered entities during this round, drawn from a range that includes small provider practices, medical centers, insurance companies, local pharmacies, and national health care chains. While covered entities of all sizes and functions are subject to an audit in 2012, OCR intends to include business associates in future audits.
Last week, OCR stated that the first 20 audits have been conducted, and the remaining covered entities slated for audits in 2012 will be notified within the next few weeks. OCR also stated that the audits have already uncovered significant security vulnerabilities.
Historically, OCR’s enforcement has been complaint driven; however, the agency has become increasingly proactive in seeking out noncompliance and opening compliance reviews. The Audit Program formalizes this proactive approach, as it allows OCR to examine the methods, policies and procedures, compliance risks, and vulnerabilities of a selected entity simply by initiating an audit.
Although OCR states that the Audit Program is not an official investigation, where an audit uncovers compliance concerns, covered entities and business associates will be subject to an official compliance review. Compliance reviews can result in civil monetary penalties (CMPs) of up to $50,000 per violation, and corrective action plans (CAPs), which have the potential to remain in effect for years after an entity has achieved full compliance.
All audits conducted under the Pilot Phase will consist of a document review, covering all applicable privacy and security policies and procedures, as well as an onsite visit from OCR. OCR will conduct these audits through government contractor KPMG LLP, using the Government Auditing Standards issued by the Government Accountability Office. KPMG’s requests during the audit will carry the full weight of the federal government.
If selected to participate in the Audit Program, an entity will receive written notification of the audit. The entity will then have 10 days to provide the requested documentation and a minimum of 30 days to prepare for the onsite visit. The site visit will extend anywhere from three to 10 days and likely include the interviewing of key staff members and the observance of physical plant operations.
Upon reviewing the entity’s Data Response, observing the physical plant, and documenting its findings, KPMG will draft a report to OCR for review and, if appropriate, possible enforcement action. Each audit will result in a report issuing a statement of compliance findings. The selected entity will be provided with a copy of the draft report prior to final submission to OCR, and the entity will have 10 days to provide a written response to this report’s findings. Before finalization, the auditors will include in the report any steps the entity has taken to resolve identified compliance concerns.
In the Pilot Phase, and through the entire Audit Program, OCR is specifically looking for entities to have in place a full set of compliant policies and procedures. Failing to have a complete set of policies and procedures that are reasonably designed for the entity allows the auditors to immediately uncover noncompliance. Failing to have physical safeguards in place is another easily observed area of noncompliance. Considering the HIPAA Privacy Rule has been in effect for nearly 10 years, OCR is likely to have little tolerance for these kinds of violations.
OCR’s Post-Audit Action
Even where an audit uncovers a HIPAA violation that results in a compliance review or other enforcement, OCR will not publicly post the findings or the participation of individual entities. At this time, OCR plans to use the audit reports to better understand the compliance challenges covered entities face and what technical and other guidance may be most valuable in the agency’s efforts to provide ongoing assistance.
OCR will continue to accept complaints from consumers and members of the industry, but it hopes the Audit Program’s proactive approach will generate greater insight into the status of HIPAA compliance efforts and practices. OCR has stated that it will also share the results of the Pilot Phase so as to promote best practices and address specific compliance issues.
Although covered entities and business associates do not need to be concerned about unscheduled or undercover auditing, there are several steps entities can take to prepare for an audit. Such steps will also help support an entity’s HIPAA compliance, should an investigation be launched pursuant to an independent complaint.
In general, covered entities and business associates must be prepared to respond to an OCR Data Request. OCR directly contacts Privacy Officers, Legal Departments or Chief Executive Officers when attempting to communicate with an entity. Establishing a good point of contact is important early on in an OCR audit or investigation. Knowledge of whether the requested information exists and where such information is located is also important in providing a complete and timely response.
Steps Covered Entities and Business Associates Can Take to be Prepared for a Possible Audit
- Centralize HIPAA compliance documents, including:
  - Privacy and Security Rule notices, policies, and procedures,
  - Medical record request forms,
  - Staff training dates and educational training material,
  - Security Rule risk analyses,
  - Breach Notification protocols,
  - Business Associate Agreements, and
  - Any documentation regarding mitigating or corrective action measures taken in conjunction with incidents of noncompliance.
- Review Privacy and Security Rule policies and procedures for adequacy;
- Identify policies and procedures not currently or properly implemented;
- Ensure safeguard protocols are properly implemented and system vulnerabilities are documented and actively addressed;
- Identify key staff to whom auditors should speak, including:
  - Chief Information Officer,
  - Medical Records Director, and
  - Compliance Officers.
- Confirm key staff are well-versed in the privacy and security policies, staff training initiatives, and internal grievance processes;
- Confirm staff are trained and aware of the personal liability associated with HIPAA noncompliance; and
- Prepare to fully cooperate with and accommodate OCR and its auditors.
OCR has previously addressed the unresponsive and uncooperative behavior of an entity with severe enforcement action. On the other hand, OCR has welcomed the opportunity to provide technical assistance to entities and, in the past, has favorably considered an entity’s voluntary corrective actions.
President Obama has proposed a five-to-eight percent cut for OCR’s 2013 fiscal year budget. Nevertheless, OCR has no intention of curbing the Audit Program or its enforcement actions. In fact, OCR staff has stated that it is looking to take greater control over its enforcement ability by focusing on increased efficiency and high-impact cases.
As provided for under the HITECH Act, CMPs issued by OCR for noncompliance are retained by the agency. Because of this arrangement, there is concern that OCR budget cuts will create an incentive for OCR to pursue enforcement actions that result in CMPs. Although OCR states that it is committed to transparency, since 2010 it has been significantly more aggressive in pursuing enforcement and compliance through CMPs. Moreover, the HITECH Act increased the minimum penalty amounts for HIPAA violations and introduced a “willful neglect” standard; where “willful neglect” exists, CMPs must be imposed. It is therefore expected that penalties for noncompliance will be issued more frequently and in much greater amounts.