Coming Soon to a Covered Entity Near You … HIPAA Audits

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was approved by Congress and signed into law by President Bill Clinton. Since then, the landmark legislation has been substantially amended to further define expectations for security, privacy and breach notification.

The HITECH (Health Information Technology for Economic and Clinical Health) provisions of the American Recovery and Reinvestment Act of 2009, not only added another layer of regulations … but also of regulatory oversight. Previously, HIPAA compliance reviews for covered entities were “event driven,” explained Susan McAndrew, deputy director of Health Information Privacy for the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR). A complaint from the public or a news report could lead OCR to open an investigation.

However, she continued, HITECH upped the enforcement ante by requiring HHS to conduct periodic HIPAA compliance audits for both covered entities and business associates. “The implicit authority for OCR to conduct audits also arose out of that February 2009 HITECH Act,” she noted.

To implement the mandate, OCR has launched a pilot audit program, which is to be completed by the end of 2012. “The original plan was to do up to 150 audits,” McAndrew said. “Now, for a variety of reasons, we are looking to complete 115 audits under the pilot.”

The audits are designed to examine compliance procedures, identify best practices and bring to light risks and vulnerabilities. The hope is that audit findings will assist OCR in determining what types of technical assistance might be needed to improve compliance and which corrective actions are most effective.

The second half of 2011 was devoted to audit protocol development. The protocols, explained McAndrew, are “comprehensive modules that permit the auditing to move forward on a uniform basis.” She continued, “They are essentially the roadmap or the way the auditor would approach their assessment of any entity for privacy, security and breach notification compliance.” Additionally, she said, “To the extent the requirements are the same, then the protocol would be the same.” However, McAndrew noted, there are some protocol adaptations for specific segments of covered entities in cases where regulations vary for that sector.

From January-March, McAndrew said, “We dedicated the first 20 audits to be a field test of the protocols. We have looked at the results from the first 20 in order to evaluate whether there would need to be changes to the protocols themselves.”

For the most part, she continued, the tweaks to the established protocols have been relatively minor. McAndrew said field auditors, which have been contracted through public accounting firm KPMG, did find some redundancies so the process is being slightly streamlined. The plan, she added, is to make the finalized protocols available for online viewing. However, since the audit process includes a mechanism for constant feedback from the field, she noted, “It’s also true the protocols will always be somewhat of a work in progress.”

McAndrew said the focus of the audits has been proactive in nature. “The objectives really were to help us focus on where the weaknesses were in the compliance programs of entities so we could discover risks and vulnerabilities before they became an enforcement problem. It’s a way of closing the barn door before the horse gets out,” she said.

Ultimately, McAndrew continued, “We are looking for ways of sharing the results in an aggregate form so that entities can learn from one another, proactively self-assess, and make corrections before it becomes a compliance issue or before there is a complaint.”

While the emphasis is on compliance improvement, covered entities should in no way be lulled into thinking an audit letter from OCR is of little concern. “This does take the realm of a normal audit,” said McAndrew. “Findings will go back to the auditee with corrective actions.” She added a final report would be issued after those being audited have reviewed the draft and had the opportunity to address concerns and outline corrective actions that have been implemented. In cases where an audit uncovers serious issues, a separate compliance review, with the full potential for civil monetary penalties, could be opened.

With 20 audits down and 95 to go this year, any covered entity is fair game. OCR has stated an intent to audit a wide range of types and sizes of covered entities including individual and organizational providers, healthcare clearinghouses, and health plans. Business associates will be included in future audits.

The new HIPAA audits follow a similar process to other audits. Selected entities will receive a letter from OCR informing them of the audit and requesting documentation of the covered entity’s privacy and security compliance efforts. During the pilot phase, every audit will include a site visit, which could range from 3-10 days, where auditors will interview key personnel and observe processes and operations. Within a month of the visit, the auditor will develop a draft report to which the covered entity has 10 business days to reply and address any concerns. The auditor will complete the final report within 30 business days of receiving the auditee’s comments and submit the report to OCR.

Compliance experts are adamant that the time to think about a HIPAA audit is long before a letter ever arrives from OCR. Instead, covered entities and business associates are strongly encouraged to immediately begin proactive preparation for audits by assessing and documenting all policies and procedures tied to HIPAA requirements.