HIPAA Compliance Audit Program

07.18.2012

Whereas enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has historically emphasized voluntary compliance, Section 13411 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act has set forth a new paradigm in compliance with and enforcement of HIPAA.  The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) is now required to conduct periodic audits to ensure covered entities and business associates are complying with the requirements of the HIPAA Privacy and Security Rules.  While OCR had the ability to proactively conduct audits previously, these audits are now mandated by Congress on a periodic basis. 

Consequently, OCR began implementing the HIPAA Compliance Audit Program (“Audit Program”) as part of its statutory mandate in 2011.  The initial pilot program consists of 115 audits of covered entities to assess privacy and security compliance, beginning November 2011 and concluding in December 2012.  Every covered entity (and business associate) is eligible for an audit.  Although OCR states that the Audit Program is not an official investigation, where an audit uncovers compliance concerns, covered entities will be subject to an official compliance review.  Compliance reviews can result in civil monetary penalties of up to $50,000 per violation, and corrective action plans.  Therefore, it is expected that penalties for noncompliance will be issued more frequently and in much greater amounts.

So what does an audit entail?  OCR will send a notification letter to start “Day 1” of the audit process, which will include a letter that requests certain information to be audited.  Typically, the covered entity or business associate will have 10 days to submit the requested information, and the audit will begin 30 to 90 days from the date of the notification letter.  The audits will also include a site visit and an audit report.

The audits are known to include three main aspects:

(1) Policies and procedures review - The auditors will carefully survey policies and procedures against HIPAA requirements, assess how well policies and procedures meant to ensure HIPAA compliance protect protected health information (“PHI”), whether the policies and procedures are up-to-date, and whether staff have been adequately trained.

(2) Interviews with key organizational leaders - Interviews may include a wide range of personnel, depending on the type of organization, including the Chief Information Officer, the Privacy Officer, legal counsel, health information management and/or medical records management, and other technical staff.

(3) Scrutiny of physical operations - Site visits will review all aspects of the organization’s physical features and operations, including all controls in place to protect PHI and e-PHI, such as storage, maintenance, and use of PHI.  The auditors will consider details like unlocked doors, unsecured wireless networks, and unencrypted servers.

After fieldwork is completed, the auditor will provide the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR. 

OCR will review the final reports, including the findings and actions taken by the audited entity to address findings.  Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective.  Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem.

Thus, covered entities must now take a proactive approach to ensure full HIPAA compliance.  First, covered entities must be well-versed in HIPAA’s requirements and review their policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules, as well as breach notification requirements, and address any policy or procedural gaps.  Second, covered entities should review and update as necessary the organization’s risk assessment and related work plan, and update privacy and security safeguards and the implementation of corrective actions as necessary.  Another important component is to update training and workforce education materials as necessary.  Depending on the extent of the updating required, this may also require retraining staff and maintaining records that evidence the content of the training sessions and the attendance of the workforce at those sessions.  Increased regulatory and enforcement actions mean that covered entities need to proactively address HIPAA compliance.

This article was originally published in the July 2012 issue of Atlanta Hospital News.