Later this year, the Department of Health and Human Services (“DHHS”) is expected to launch its permanent HIPAA Audit Program. The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act, and is designed to test entities’ compliance with the Privacy Rule, Security Rule, and Breach Notification standards.
Historically, the HIPAA regulations have been sparingly enforced. In recent years, however, the DHHS Office of Civil Rights (“OCR”) has demonstrated an increased willingness to levy heavy fines against entities for non-compliance. This trend is expected to continue, and will be further supported by the launch of the permanent HIPAA Audit Program. While all of the details surrounding the mechanics of the HIPAA Audit Program are unknown at this time, providers should expect that the program will operate similarly to the pilot program that was conducted in 2012.
II. Pilot Program
During the pilot program, OCR engaged a professional accounting firm, KPMG, to conduct audits of 115 providers. The providers included entities of all types and sizes, including hospitals, pharmacies, physician practices, health plans, and dentists, among others. To facilitate the audit process, OCR developed a set of instructions (the “Audit Protocol”) that is designed to measure entities’ compliance efforts. The Audit Protocol is organized around three main modules that focus on compliance with the Security Rule, Privacy Rule, and Breach Notification Standards. A complete copy of the Audit Protocol can be accessed here.
While the complete results of the pilot program have not yet been made public, OCR has discussed the results at several conferences and through various interviews. As a result of these conversations, we learned that KPMG uncovered a wide variety of compliance failures across a range of subjects, including the following: (i) outdated policies and procedures; (ii) failure to properly implement policies and procedures; (iii) failure to conduct regular risk assessments; and (iv) lack of awareness of compliance requirements.
III. The Audit Process
In order to properly prepare for a HIPAA Audit, it is important for entities to understand the audit process. First, OCR has explained that a HIPAA Audit is not an investigation, and does not indicate that a complaint has been filed against the respective provider. Instead, audits are intended to be random, and are designed to test and improve compliance across all provider types.
With respect to logistics and timing, the audit will be commenced with a letter from OCR. Next, providers will be requested to provide documentation to the contractor to facilitate the review. In the pilot program, the request for documentation was followed by a site visit. It is not yet clear whether a site visit will be a component of all audits in the permanent program. In any event, the audit will be concluded with the issuance of a report from the contractor to OCR. OCR will then assess whether to open a separate compliance review in cases where an audit indicates serious compliance issues (which compliance review could result in fines, corrective action plans, etc.).
IV. Assess your Current HIPAA Compliance Program
As an initial matter, one of the most important things that you can do to prepare for a HIPAA Audit is to conduct a comprehensive examination of the effectiveness of your current HIPAA compliance program. For example, consider the following list of initial activities that can help you to gauge the effectiveness of your existing program:
Review your HIPAA policies and procedures – Do they accurately reflect the realities of your business? Do they meet legal requirements? If not, how can you address that shortfall? Can you modify your HIPAA policies and procedures, or do you need to modify your current business practices?
Talk to your Compliance Officer – Do they have any concerns? Do they understand patients’ rights to request information? What are they doing to prepare for HIPAA Audits?
Review your Notice of Privacy Practices – When was it last updated? Is it posted in a prominent location? Under the HIPAA Omnibus rule that was passed in 2013, certain updates to the Privacy Practices are required.
Evaluate your HIPAA Training – Has your entire staff received HIPAA training? How is this training documented? When was the last HIPAA refresher training? HIPAA training should be an ongoing activity, not a one-time event at the time of initial hire.
V. Preparing for an Audit
In addition to evaluating the effectiveness of your existing compliance program, there are additional steps that entities can take to prepare for a HIPAA Audit. A good first step in preparing for a HIPAA Audit is to prepare a master HIPAA reference manual that includes at least the following elements:
The Audit Protocol;
List of important people and their contact information (IT, Privacy Officer, etc.);
Policies and Procedures; and
Notice of Privacy Practices.
Making certain that all of these components are updated and contained in a central location will make responding to a request for documents in connection with a HIPAA Audit much easier, and hopefully less stressful.