HHS Announces HIPAA Audit Program

Posted on December 2, 2011 in Health Law News

Published by: Hall Render

The recent trend toward increased HIPAA enforcement is continuing with the recent announcement by the United States Department of Health and Human Services (“HHS”) that it would begin performing periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.  Section 13411 of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was passed by Congress in 2009 as part of the American Recovery and Reinvestment Act, specifically directs HHS to coordinate such audits.  The recent announcement by HHS indicated that the audits would begin this month and would be conducted by the HHS Office of Civil Rights (“OCR”), which is responsible for HIPAA enforcement.  By the end of 2012, OCR expects to conduct and complete 150 audits.

Purpose and Scope of the Audits

The audits are part of an HHS initiative to assess HIPAA compliance, identify best practices and discover previously unknown risks, weaknesses and vulnerabilities.  Both covered entities and business associates are eligible for the audits, but HHS has indicated that only covered entities will be chosen for this initial round of audits.  Covered entities of all sizes and types will be selected, including individual and organizational health care providers, health plans and health care clearinghouses.  Business associates will be included in future audits.

Initial Audit Notification and Process

Covered entities chosen by HHS will receive a notification letter from OCR approximately 30-90 days before the audit is set to begin, a sample of which is available here. OCR has subcontracted with the public accounting firm KPMG, LLP to perform the audits.  Covered entities will have 10 business days to provide any information requested by the auditor in the initial notification letter.  OCR expressly noted in its announcement that it expects covered entities to fully cooperate with the auditors and to uphold their cooperation obligations under the HIPAA Enforcement Rule.  Each audit will involve an on-site visit by the auditor and will result in a written audit report, as more fully described below.

On-Site Visit

Covered entities can expect the auditors to be on-site between 3-10 business days.  During the on-site visit, the auditors will proactively interview key personnel as well as directly observe processes and operations to evaluate compliance.  While it is unclear who qualifies as “key personnel,” covered entities can reasonably expect requests for access to individuals in both clinical and non-clinical positions.  While details regarding how the auditors will conduct the audits are currently limited, OCR referred to the Government Accountability Office’s Government Audit Standards, more commonly known as “The Yellow Book,” which likely will serve as a guide to the auditors.

Audit Report

After the on-site visit, the auditor will issue a draft report.  The draft report will summarize the audit process and detail the auditor’s conclusions and what actions, if any, the covered entity is taking in response to the auditor’s findings.   The draft report also will highlight the covered entity’s best practices as appropriate.  The covered entity will have 10 business days to review the draft report in order to raise concerns and propose any corrective actions in response to issues identified by the auditor.  The auditor will submit a final report to OCR within 30 business days of receiving comments from the covered entity.

After the Audit

The audits are further evidence of HHS’s goal to place a higher priority on HIPAA compliance.  That being said, OCR views the audits primarily as a compliance improvement activity rather than a means toward punishment.  While OCR will not publicly identify the subjects of the audits or publish the findings of an individual audit, OCR does intend to share guidance and practices gleaned through the audits.  Ultimately, OCR anticipates being able to develop tools and provide technical assistance as a result of the practices and behaviors that it identifies in the audits.  However, covered entities should be aware that if the final report reveals any serious compliance issues, OCR may open a separate compliance review.

What Covered Entities Should Do

Given the large number of covered entities, the likelihood of a particular entity being selected for an audit is small. Nonetheless, the possibility of an audit presents an opportunity for covered entities to review their HIPAA compliance policies, procedures and practices to identify areas of weakness and resolve them.  Such a review also will give covered entities a head start in determining what changes may be required when the final HITECH regulations are issued later this year or early next year.  Since business associates will be impacted by those regulations and may be the subjects of future audits, business associates should consider reviewing their HIPAA policies, procedures and practices as well.

More information about the audit program can be found at the HHS HIPAA Privacy & Security Audit Program Site.

If you have any questions or concerns regarding the HIPAA Security & Privacy Audit Program, please feel free to contact Mark Swearingen at (317) 977-1458 or by email at mswearingen@wp.hallrender.com, Ammon Fillmore at (317) 977-1492 or by email at afillmore@wp.hallrender.com, or your regular Hall Render attorney.