HIPAA Audits Round Two: Is Your Organization Prepared?
On February 24, 2014, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that it will begin a second round of HIPAA compliance audits. The audits will address compliance with the HIPAA Privacy, Security and Breach Notification Rules. The audit program will affect covered entities, including hospitals, physician offices, health plans, health care clearinghouses and other health care providers. Also, for the first time, the audit program will review business associates’ compliance with HIPAA. It is imperative that covered entities and business associates be prepared for these upcoming audits.
Initially, OCR will conduct a pre-audit survey of up to 1,200 covered entities and business associates. Through these surveys, OCR will gather information on the “size, complexity, and fitness of an organization for an audit.” The brief notice of the pre-audit survey in the Federal Register noted that the information collected will include, among other things, recent data about the number of patient visits or insured lives, use of electronic health information, revenue and business locations. OCR has not stated the form or manner in which the surveys will be conducted. Covered entities and business associates should be alert and watch for surveys delivered electronically, by mail or by fax. If your organization receives a pre-audit survey, procedures should be in place to notify and coordinate the survey response through the organization’s privacy officer, compliance officer and legal counsel. OCR does not plan to publish the survey tool or the selected entities’ responses.
Based on responses to the pre-audit survey, OCR will select organizations for an audit. OCR has not released a precise number of entities to be audited; in fact, OCR is being a bit ambiguous about many of the details regarding the second round of audits. Many speculate that the actual audit program details are not yet finalized and will become final once the pre-audit survey results are collected. Some outlets are reporting that OCR has announced specific issues on which it will audit, including security risk assessments. OCR officials later commented that OCR is not formally announcing specific issues to be addressed throughout the audits at this time, other than confirming that business associates will be subject to audit. However, previous reports on OCR’s 2012 pilot audit program revealed numerous HIPAA compliance issues among the organizations audited, including use and disclosure violations, failure to perform an adequate security risk assessment, lack of training, and failure to adopt and implement effective policies and procedures. We think these deficiencies, particularly the inadequate security risk assessments, will likely be covered by the second round of audits.
OCR is updating the audit protocol to address compliance with provisions of the Omnibus Final Rule, although there has been some question about whether that protocol will be made public. A recent article reports that Rachel Seeger, OCR spokeswoman, confirmed in a statement to Report on Patient Privacy that “I cannot anticipate whether we will make these protocols available publicly, but we will continue to share details about our process.” We anticipate they will eventually be made public, as they were during the last round of audits.

So, what can your organization do to prepare for a HIPAA audit? Begin by assessing your current HIPAA compliance structure. This includes reviewing and updating policies and procedures, including a review to ensure compliance with the Omnibus Final Rule; conducting or reviewing your organization’s security risk assessment; identifying business associates or subcontractor business associates and ensuring an updated business associate agreement is in place; and continuing to educate and train your workforce on the HIPAA rules. Whether or not your organization is selected for a pre-audit survey, you should not wait to begin preparing for the upcoming audit process.