WITH HHS ACTIVELY AUDITING COVERED ENTITIES
This month, the United States Department of Health and Human Services (HHS) Office of Civil Rights (OCR) likely will conclude an initial round of about 20 test audits to ensure covered entities and business associates are complying with the HIPAA privacy and security rules and breach notification standards.
These initial audits, which began in November 2011, are being conducted pursuant to an audit pilot program whereby OCR is using consulting firm KPMG as its contractor. KPMG plans to perform up to 150 audits of covered entities to assess privacy and security compliance by December 2012 in order to help HHS meet requirements set forth in the American Recovery and Reinvestment Act of 2009. According to Leon Rodriguez, OCR’s director, in a recent interview with Government Information Security: “Our objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action.”
HHS imposed civil monetary penalties (CMP) for HIPAA privacy rule violations for the first time in February 2011, when it imposed a $4.3 million CMP against Cignet Health of Prince George’s County, Maryland, which operates a family practice physician group with four Maryland locations and a health insurance plan. Since that time, HHS has become active in imposing fines in relation to HIPAA privacy rule complaints and in requiring covered entities to undertake corrective action plans where there are HIPAA compliance issues.
The Audit Process
OCR plans to only audit covered entities during the pilot program, but expects to commence a permanent HIPAA audit program that will include audits of business associates beginning in 2013. OCR is selecting the covered entities to be audited in the pilot program and informing them of the audits in writing. Selected entities are required to provide documentation of their privacy and security efforts within ten business days of a request. During the pilot program, OCR site visits will be mandatory and may include interviews of personnel and observation of compliance processes. Selected entities will be notified between 30 and 90 days prior to a scheduled site visit. Depending on the size and complexity of the selected entity, site visits will last between three and ten business days, according to OCR.
Following a site visit, the OCR auditor (i.e., KPMG) will issue a draft report to the selected entity and allow ten business days for that entity to review and comment on the report. At this time, the selected entity must also address the corrective actions that will be taken in response to the auditor’s findings. Within 30 days of receiving the selected entity’s comments, the auditor must finalize the report. OCR will use finalized reports to determine what types of technical assistance OCR should develop in the future and which corrective action plans are most effective.
Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. However, OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.
What Does This Mean for Covered Entities?
With audits underway, healthcare organizations interested in improving compliance with HIPAA privacy and security rules and breach notification standards are advised to:
• Check that risk assessments are up to date;
• Make sure senior managers are supportive of risk mitigation strategies;
• Review existing compliance programs as well as staff training;
• Ensure vigilant implementation of privacy and security policies and procedures, as well as tough sanctions for violating them;
• Conduct frequent internal compliance audits; and
• Develop a plan for prompt response to breach incidents.
More information about the HHS HIPAA audit pilot program is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.