HHS Begins HIPAA Audit Program

DEPARTMENT OF HEALTH AND HUMAN SERVICES LAUNCHES HIPAA AUDIT PROGRAM


November 14, 2011


OVERVIEW

The HITECH Act, a portion of the American Recovery and Reinvestment Act of 2009 (ARRA), requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards. To implement this requirement, the HHS Office for Civil Rights (OCR), the agency charged with enforcing HIPAA privacy and security compliance, is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits during the pilot phase will begin in November 2011 and conclude by December 2012. Additional audits are anticipated to continue after the initial pilot program.


Audits present a new opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR's ongoing compliance investigations and compliance reviews. OCR plans to share information gleaned through the audit process and to issue guidance targeted at the compliance challenges it observes.


WHO WILL BE AUDITED?

OCR may audit a wide range of covered entities, such as covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses. Business associates will not be included in the initial audit pilot program but will be included in future audits.


HOW WILL THE AUDIT PROGRAM WORK?

Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. In this pilot phase, every audit will include an onsite visit and result in an audit report. During onsite visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the onsite visit, auditors will develop a draft report and share it with the entity. Audit reports generally describe how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings.


Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and to describe corrective actions implemented to address the issues identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, and will also describe any best practices observed at the entity.


WHAT IS THE GENERAL TIMELINE FOR AN AUDIT?

OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between three and 10 business days, depending upon the complexity of the organization and the auditor's need to access materials and staff. After fieldwork is completed, the auditor will provide the covered entity with a draft final report; the covered entity will then have 10 business days to review it and provide written comments back to the auditor. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. OCR will not post a listing of audited entities, nor the findings of an individual audit that clearly identify the audited entity.


SUMMARY

It is expected that the majority of covered entities selected for the pilot audit program will be medical providers and insurance companies. However, based on the description of the audit process provided by HHS, it is likely that a number of employers' group health plans will also be included in the program. Now would be a good time for employers who sponsor group health plans subject to the HIPAA Privacy and Security Rules to review their existing HIPAA policies and procedures, and to confirm that the documentation an auditor would request (policies, risk assessments, training records, and business associate agreements) is current and readily available.
