OCR Announces HIPAA Audit Program

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR's website answers some helpful questions for covered entities and business associates... 

When Will Audits Begin?

The pilot audit program is a three step process... OCR expects the initial audits to begin in November 2011. The results of the initial audits will inform how the rest of the audits will be conducted... All audits in this pilot will be completed by the end of December, 2012.

Who Will Be Audited?

Every covered entity and business associate is eligible for an audit. Selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry. OCR is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.

Business Associates will be included in future audits.

So, it appears business associates will be spared for the first round of audits.

How Will the Audit Program Work?

The privacy and security performance audit process will include generally familiar audit mechanisms. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts.

Accordingly, it is critical that covered entities be sure their policies and procedures are in order, including the new mandates under HITECH, such as breach notification policies.

In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report; audit reports generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.

Having written policies and procedures clearly is not going to be sufficient to survive an audit. Covered entities will need to be sure their workforce members have been trained and are performing their responsibilities consistent with HIPAA and the organizations' policies and procedures.

What is the General Timeline for an Audit?

When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The OCR notification letter will introduce the audit contractor, explain the audit process and expectations in more detail, and describe initial document and information requests. It will also specify how and when to return the requested information to the auditor. OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information.

In light of this 10-day time frame, be sure the appropriate persons are on the lookout for a notice and prepared to respond in a timely manner. Here is the kind of notice they should be looking for.

OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. After fieldwork is completed, the auditor will provide the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

What Happens After an Audit?

Audits are primarily a compliance improvement activity. OCR will review the final reports, including the findings and actions taken by the audited entity to address findings. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.

Based on these statements, it appears that the audits are part of an overall learning process for the agency to better guide covered entities and business associates concerning compliance. However, it is not clear what the agency considers "a serious compliance issue."

HIPAA Audits to Begin Early 2012


The Health Information Technology for Economic and Clinical Health law (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office of Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.  

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits is to look, at a minimum, for the low hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items, (ii) conducting and documenting training of workforce members, and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.

According to statements from Ms. McAndrew about the planned audits, as reported in Employer's Guide to HIPAA Privacy Requirements, a Thomson Publication, and elsewhere:

  • The 150 planned audits will likely commence in February 2012, and be completed by the end of 2012.
  • Covered entities will be the prime focus of this initial audit effort, however, the agency expects to also audit business associates.
  • The decision of what entities to audit will not be based on specific incidents, but on an objective process aimed to learn what are the compliance challenges for the entire industry. 
  • OCR decided to take a traditional approach to auditing - that is, on-site audits.
  • The audits are not part of the agency's enforcement function, but certainly could lead to enforcement based on the audit findings.
  • Audits likely will incorporate recommendations of HHS' Office of Inspector General.
  • OCR will (i) provide advance notice of the audit; (ii) seek documentation well in advance of coming on-site, and (iii) provide an opportunity for the covered entity or business associate to comment on audit findings.
  • While audit findings will be made public, the agency likely will aggregate the audit findings before making them public.

On-site visits, to be performed by KPMG LLP, the contractor selected to design and perform the audits, will involve, among other things:

  • interviewing leadership, particularly those charged with privacy compliance,
  • examining physical features and operations,
  • assessing consistency of process to policy, and
  • observation of compliance with regulatory requirements.

KPMG will submit a report of its audit findings to OCR. Among other things, the report will include for each finding:

  • Condition: the defect or noncompliant status observed, and evidence of each
  • Criteria: a clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
  • Cause: the reason that the condition exists, along with identification of supporting documentation used
  • Effect: the risk or noncompliant status that results from the finding
  • Recommendations for addressing each finding
  • Entity corrective actions taken, if any


HHS to Help Train State Attorneys General to Enforce HIPAA

HHS continues to show signs of increased enforcement of HIPAA. Earlier this month, the agency announced it would hold 2-day, instructor-led HIPAA Enforcement Training courses in 4 locations across the country. Some Attorneys General, such as Connecticut's former Attorney General Richard Blumenthal, have already used their newfound authority to enforce HIPAA. This announcement follows two significant, high profile Office of Civil Rights (OCR) press releases touting its own enforcement activities, one involving the first imposition of penalties under HIPAA and the other involving a significant settlement with a Massachusetts hospital.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.

Attendees at each of the HIPAA Enforcement Training sessions will receive instruction on a number of enforcement topics including:

  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • The role and responsibility of an Attorney General under HIPAA and the HITECH Act
  • Resources available to Attorneys General to pursue alleged HIPAA violations

In addition to training, OCR promises that it will collaborate with and assist State Attorneys General seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules. This collaboration and assistance will include OCR providing to Attorneys General (i) information upon request about pending or concluded OCR actions against covered entities or business associates related to attorney general investigations, and (ii) guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.

While years of lax enforcement may have lulled many HIPAA covered entities and business associates into not taking HIPAA seriously, these recent activities should spur renewed efforts toward compliance.

HHS Posts On Its Website Covered Entities Reporting HIPAA Data Breaches

On February 22, 2010, the Office of Civil Rights (OCR) posted on its website its first list of covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. OCR acknowledged the HITECH Act requires HHS to make this information public by posting it on an HHS website.

The breach notification rule became effective on September 23, 2009. In short, as we reported previously, the rule requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS, as well as to the affected individuals. Breaches that affect 500 or more individuals must be reported to HHS within 60 days, and covered entities must provide this notification via the online form on the OCR website.

Of course, covered entities need to be aware that breaches reported to HHS will be made public on its site. Some states, such as Maryland and New Hampshire, have had a similar policy in effect for some time for breaches of personal information affecting residents of their states.