
Understanding the HHS Pilot Audit Program for HIPAA Compliance.

My colleagues Leeann Habte, Peter McLaughlin, Jackie Saue, and Mike Scarano wrote recently on the upcoming HHS audits, and the post is below.

The Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) has initiated a pilot audit program required by section 13411 of the HITECH Act. The Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy, Security and Breach Notification rules. To implement this mandate, OCR has initiated a pilot program which will involve audits of up to 150 covered entities to assess their privacy and security compliance. Those audits will begin this month and will be completed by the end of 2012.

OCR has initiated the pilot audit program pursuant to a three-step process. The first step entailed hiring a consultant, KPMG, to develop audit protocols and assist with the audits. KPMG was awarded a nine million dollar contract. Second, OCR will perform an initial wave of audits to test the protocols. The third step will involve performing the rest of the pilot audits using the protocols as revised.

Although both covered entities and business associates will ultimately be subject to the audits, OCR has indicated that only covered entities will be included in the initial round of audits. The selection of covered entities for the initial round is designed to provide OCR with a broad assessment of compliance in the health care industry, including a wide range of types and sizes of covered entities.

OCR has indicated that the audit process will include usual and customary audit procedures. Entities selected for audit will receive a letter informing them of their selection and asking them to provide documentation regarding their privacy and security compliance efforts. Following these letters, auditors will conduct site visits, during which they will interview key personnel and observe processes and operations to determine whether the entity is in compliance. The visits are expected to last three to ten days, depending on the complexity of the organization. Following the site visit, auditors will develop and share with the entity a draft report, including proposed findings. Prior to finalizing the report, the entity will have an opportunity to discuss concerns and describe corrective actions implemented to address the identified concerns. The final report will not be posted on a public website or otherwise made publicly available in a manner which identifies the audited party.

OCR states on its website that the audits are primarily “a compliance improvement activity,” rather than an enforcement mechanism. OCR hopes to use the audit process to better understand compliance efforts, to determine what types of technical assistance should be developed and to determine the types of corrective action that are most effective. However, should an audit reveal a serious compliance issue, OCR may initiate a compliance review to address the problem. The review could lead to enforcement action.

The new audit program represents one more method by which OCR will ensure compliance with the Privacy, Security and Breach Notification Rules. Covered entities and business associates will be well advised to conduct their own internal self-audits to assure they are in compliance with HIPAA’s numerous and complex requirements. Although the audit program is being characterized by OCR in relatively benign terms, recent enforcement actions by the agency indicate that it will treat serious violations harshly.
