The Department of Health and Human Services’ Office for Civil Rights (OCR) announced on Monday the launch of “round two” of its HIPAA1 Audit Program, officially ending a long delay on the program’s rollout.2 This means that HIPAA covered entities (which include most providers, health plans, and healthcare clearinghouses) and their business associates may soon find themselves under review for compliance with the HIPAA privacy, security and breach notification rules.
Background and Pilot Audit Results: Eyes on Security
The HIPAA Audit Program was created pursuant to Congress’ mandate in the Health Information Technology for Economic and Clinical Health Act, which required that OCR develop a program to assess covered entities’ and business associates’ compliance with the HIPAA rules.3 OCR launched a “pilot” audit program in 2012, covering an initial sample of 115 covered entities. Overall findings from the pilot program revealed that nearly 90% of auditees had one or more deficiencies, with the security rule accounting for the majority of these findings.4 Specifically, a significant number of healthcare providers and health plans lacked an accurate security risk assessment, a tool that, according to OCR guidance, “form[s] the foundation upon which an entity’s necessary security activities are built.”5 Moreover, the failure to have an accurate and complete risk assessment can have significant consequences in the event of a breach or complaint; recent enforcement actions demonstrate that OCR may penalize companies for lacking a risk analysis that sufficiently, and across the organization’s entire system, identifies vulnerabilities to patient health information, as well as for the failure to respond to such vulnerabilities by implementing appropriate safeguards.
OIG Charges OCR with Proactive Enforcement
The launch of this next round of audits comes just several months after the Office of Inspector General of the Department of Health and Human Services (OIG) called on OCR to take more effective action in overseeing covered entities’ compliance with HIPAA. In a report released in September 2015, OIG concluded that OCR’s enforcement efforts are limited to responsive inquiries and investigations, rather than proactive oversight. Taking note of OCR’s delay in launching the second round of audits, OIG stated, “OCR has not fully implemented the required audit program to proactively identify possible noncompliance” from entities subject to HIPAA.6 Without fully implementing a permanent audit program, OIG claimed, “OCR cannot proactively identify covered entities that are noncompliant with the privacy standards.”
As with the pilot audit program, OCR has stated that the HIPAA audits will function mainly as a compliance improvement activity, rather than a basis for penalties or enforcement action. However, in the wake of OIG’s incitement to OCR to “strengthen oversight” of HIPAA compliance, auditees could see a more stringent level of review in the upcoming audits.
Who is Subject to a HIPAA Audit?
OCR is seeking to identify pools of auditees that represent “a wide range” of covered entities and business associates, based on criteria such as an entity’s level of revenue, scope of patient population, number of employees, type of entity and its relationship with individuals, geographic location, and affiliation with other healthcare organizations. Notably, OCR also indicates that “present enforcement activity with OCR” will be considered, although it will not audit entities with an open complaint investigation or that are currently under compliance review.
Unlike the pilot program, the second round of HIPAA audits will include business associates. Covered entities receiving a pre-screening questionnaire will be asked to identify those organizations that act as their business associates, and are encouraged to provide contact information for these service providers.
Once OCR has gathered information sufficient to identify the pools of auditees, it will randomly select organizations to be subject to the audit.
The Audit: What to Expect
OCR plans to conduct this round of audits in three phases: the first phase will be desk audits of covered entities, the second will consist of desk audits of business associates, and the final phase will include onsite review and will evaluate compliance with a “broader scope of requirements from the HIPAA Rules” than desk audits. Covered entities and business associates subject to an initial desk audit have an additional incentive to ensure their documentation is in order – some desk auditees may be subject to a subsequent, onsite audit during the final phase of review.
The initial steps in the round two audits are already underway. However, entities receiving communication from OCR at this point are not guaranteed an audit. OCR is currently in its selection process, and will use this initial process of communicating with entities to gather data about the size, type and scope of operations of the potential auditees to identify its “pools.”
Desk auditees will be notified in writing via email of their selection for the audit, and will receive a document request and specific instructions on how to provide all requested materials. OCR expects that organizations respond to its information requests within 10 business days, and documents will be submitted in electronic format. Onsite auditees will similarly receive notification via email of their selection, and then should expect a 3-5 day onsite audit (depending on the size of the entity).
In either case, after the audit is complete, the auditor will provide the entity with draft findings. The auditee will have 10 days to review the findings and provide written comments in response. The auditor will then submit to OCR a final audit report, which will be shared with the auditee.
What You Can Do to Get Ready
Healthcare organizations subject to an audit should expect a broad document request in the initial stages of review, and should note the tight (10 day) timeline for electronic response. Providers, health plans, and healthcare clearinghouses, as well as their business associates, can prepare by locating and reviewing for updates their HIPAA policies and procedures, security analyses, business associate agreements, and any other documentation maintained pursuant to HIPAA. OCR’s recent enforcement actions, however, indicate that it may look for more than just documentation and may expect an organization to demonstrate adherence to its policies and procedures. Further, OCR will likely look for evidence of an organizational commitment to HIPAA compliance – including evidence of training workforce members, mitigation of privacy and security incidents, breach risk assessments and other measures. Lastly, organizations should be on the lookout for contact from OCR, noting that OCR has warned its email communications may be classified as “spam.” Failing to respond to OCR’s initial questionnaire will not exempt an entity from being placed in the audit pool.
1 “HIPAA” as used herein refers to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations set forth at 45 CFR Parts 160-164.
2 See Press Release, OCR Launches Phase 2 of HIPAA Audit Program, available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html.
3 42 U.S.C. § 17940.
4 OCR representatives have presented OCR’s findings in various program guidance. See, e.g., http://csrc.nist.gov/news_events/hipaa-2013/presentations/day1/rinker_day1_215_hipaa_privacy_security_breach_audits.pdf.
5 HIPAA Security Standards: Administrative Safeguards, available at http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf; see also Guidance on risk analysis requirements under the HIPAA Security Rule (July 14, 2010), available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html.
6 Department of Health and Human Services’ Office of Inspector General, “OCR Should Strengthen Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” available at http://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf.