Late last year, members of the Senate Judiciary Committee challenged regulators to step up enforcement of the Health Insurance Portability and Accountability Act:
“… the Subcommittee made clear that the [Office for Civil Rights’] efforts fell far short of its expectations, pointing out that, of tens of thousands of HIPAA complaints received by OCR since 2003, the agency has levied only one formal civil monetary penalty and has settled only six other cases for monetary amounts…
The Director of OCR, Leon Rodriguez, responded … that the agency intends to put its fining authority to good use, stating ‘the real frontier is in our leveraging these new, stiff penalties that we have under the HITECH statute and expanding our utilization of those penalties’ to promote compliance.” (OCR Begins HIPAA Audits Under the Watchful Eye of Congress by Poyner Spruill LLP)
Accordingly, the OCR has begun to audit organizations that are required to comply with HIPAA Rules. For your reference, here are six questions and answers regarding the 150 audits they are planning for 2012:
1. What are regulators looking for?
“OCR has presented the audit pilot program as a ‘compliance improvement activity’ aimed at enabling OCR to better understand compliance efforts, additional types of technical assistance that would be useful, and the effectiveness of various corrective actions. However, covered entities should be mindful that if an audit reveals a serious compliance issue, OCR may initiate a compliance review to address the problem.” (HIPAA Privacy and Security Audit Program Begins This Month by Morgan Lewis)
2. Who will be audited?
“OCR has indicated that covered entities will be the focus of the initial round of audits. ‘Covered entities’ include: (1) health care providers such as doctors, clinics, nursing homes, pharmacies, etc., that transmit any information in electronic form in connection with transactions for which DHHS has adopted a standard; (2) health plans such as health insurance companies, HMOs and company-sponsored group health plans (e.g., major medical, dental, vision and health flexible spending accounts); and (3) health care clearinghouses.” (Office of Civil Rights to Conduct HIPAA Compliance Audits by Snell & Wilmer L.L.P.)
3. How are the audits structured?
“Each audit … will consist of interviews with leadership and key personnel (e.g., Privacy Officer, CIO, medical records department director), an inspection of operations with respect to privacy and security, and an assessment of compliance with HIPAA privacy and security regulations and the organization’s HIPAA policies.” (Audits for Compliance with HIPAA Privacy and Security Requirements Are on the Way – Are You Ready? by Thompson Coburn LLP)
4. How long will the audits take?
“OCR expects that an audit will typically last about 30 days. OCR’s contract auditor, KPMG, will typically be on site for 3 to 10 days of the audit, depending on the complexity of the systems involved.” (OCR Launches HIPAA Audit Program by Warner Norcross & Judd)
5. How likely is an audit?
“Given the large number of potential targets and the small sample size, it is unlikely that any particular HIPAA covered entity would be subject to this round of audits. However, the fact that OCR is commencing these audits with such fanfare is a strong indicator that HIPAA compliance is clearly on the radar of the regulatory agency. (HITECH’s Much-Anticipated HIPAA Audits Announced; 150 Unlucky Entities Will Soon Learn Their Fate by Jackson Walker)
6. How can covered entities prepare?
- Step up employee training:
“Keep in mind that HIPAA mandates training of individuals who have access to protected health information. Failure to train (and to properly document training) could result in significant liability.” (HHS Announces Immediate HIPAA Audit Initiative by Constangy, Brooks & Smith, LLP)
- Complete and compile the necessary paperwork:
“OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information. Such information will include, at minimum, documentation of their privacy and security compliance efforts (e.g. policies, forms, notices, training materials, etc.).” (OCR Publishes its HIPAA Audit Protocol: Focus to be on Data Gathering and Best Practices by Ober|Kaler)
- Conduct a security risk assessment to identify weaknesses in their procedures:
“Accordingly, it would be prudent for covered entities to revisit their policies and procedures for compliance with the Standards and ensure that they have completed and documented at least one security risk assessment consistent with the HIPAA security standards.” (OCR Rolls Out HIPAA Audit Program by McDermott Will & Emery)
- Be prepared to respond promptly to information requests:
“When a covered entity is selected for an audit, HHS will notify the covered entity in writing. The notification letter will introduce KPMG as the auditor, explain the audit process and set out the auditor’s initial document and information requests. It will also specify how and when to return the requested information to the auditor. HHS expects covered entities to provide requested information within 10 business days of the request.” (U.S. Department of Health and Human Services Announces Details of New HIPAA Audit Program by Manatt, Phelps & Phillips, LLP)
- Prepare employees who will speak to auditors:
“OCR will expect you to know which individuals in your organization can speak to each aspect of HIPAA implementation. You should make a list of these people now and ask them the kinds of questions OCR might pose.” (Audits Heat Up HIPAA Liability by Poyner Spruill LLP)
- Identify “high-impact” vulnerabilities before the audit:
“’High impact’ vulnerabilities are vulnerabilities that may (1) result in the highly costly loss of major tangible assets or resources; (2) significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) result in human death or serious injury.” (The HIPAA Auditors Are Coming. Are You Ready? by Ropes & Gray LLP)
- Business Associates Beware: First HIPAA Enforcement Action Against a Business Associate (Davis Wright Tremaine LLP)
- OCR HIPAA Audits Finally Kick Off – Do They Matter? (The Harlow Group LLC)
- HHS Audits the 1% … and the Rest: First HIPAA Privacy and Security Audits Begin (Davis Wright Tremaine LLP)
- Office for Civil Rights to Begin HIPAA/HITECH Audits (Scott & Scott, LLP)