Is Your HIPAA Compliance Program Audit Ready?
The Department of Health and Human Services (“DHHS”) announced that it has launched a pilot program to assess covered entities’ compliance with HIPAA’s privacy and security requirements. The HITECH Act, adopted in 2009 as part of the American Recovery and Reinvestment Act, requires DHHS to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. During the pilot program, the Office for Civil Rights (“OCR”), which is responsible for enforcing HIPAA, will perform up to 150 audits of covered entities. These audits began in November 2011 and will conclude in December 2012.
Although HITECH mandates audits of both covered entities and business associates, the pilot program will focus on covered entities (“CE”). Covered entities to be audited will include a selection of individual and organizational health care providers, health plans of all sizes and functions, and health care clearinghouses. If selected for audit by OCR, the CE will be asked to provide documentation of its privacy and security compliance activities and will be subject to a site visit. During the site visit, which may last three to ten days, auditors will interview key staff and will observe the CE’s processes and operations to assess compliance. Upon the completion of the site visit and review of the CE’s documentation, the auditor will prepare a draft audit report, to which the CE may respond. The auditor’s final report to OCR will include a description of the CE’s best practices and the steps the CE has taken to address concerns identified by the auditor.
Although DHHS has stated that the audits are primarily intended to be a compliance improvement activity, OCR may initiate a further review to address serious compliance issues. Should that occur, the CE could be subject to civil money penalties of up to $1.5 million.
Given the relatively small number of audits to be conducted, the odds that a particular CE will be selected for audit during the pilot program are slight. Nonetheless, the audits will afford those CEs selected only a very limited time in which to submit documentation, respond to the auditor’s concerns and implement, if necessary, a plan of correction. Documentation of the CE’s privacy and security compliance activities must be submitted within ten days of the auditor’s request. Similarly, CEs will be given only ten days to prepare and submit a written response and plan of correction.
Covered entities that do not already have a robust HIPAA compliance program in place should adopt and implement HIPAA policies and procedures and educate their workforces regarding HIPAA’s privacy, security and breach notification requirements. Covered entities with active HIPAA compliance programs should review their policies and procedures to ensure that they conform to current requirements. They should also provide refresher training to their workforces, particularly those personnel who are likely to be interviewed in an audit.
Areas of non-compliance identified in prior OCR audits included:
• risk assessment;
• currency of policies and procedures;
• security training;
• workforce clearance;
• workstation security; and
Covered entities should be prepared to address these issues, as well as the breach notification requirements mandated by the HITECH Act. By ensuring that their HIPAA policies and procedures are up to par now – rather than waiting until the auditor is knocking at the door – CEs can minimize the risks of an OCR audit.
Vanessa A. Reynolds is Of Counsel in the Fort Lauderdale office of Broad and Cassel. She can be reached at (954) 764-7060 or firstname.lastname@example.org.