Federal Government Releases Protocol for HIPAA Privacy, Security and Breach Notification Audits


[author: Michael A. Igel]
On June 26, 2012, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released on its website the protocol that it has developed to serve as a guideline for the recently implemented HIPAA compliance audits (the “HIPAA Audit Program”). The HIPAA Audit Program was mandated by the HITECH Act of 2009, which directed HHS to conduct periodic audits of compliance with the HIPAA rules. The Audit Program is intended to assess covered entity and business associate compliance with HIPAA’s privacy, security and breach notification rules. To emphasize the wide net already being cast by auditors, OCR has stated that audits have been conducted on physician practices, a laboratory, a dental practice, a pharmacy and a custodial care center.
How We Got Here
In June 2011, OCR contracted with KPMG to develop a comprehensive protocol for the HIPAA Audit Program and then to conduct audits under that protocol. OCR initially aimed to audit 150 covered entities, but ultimately reduced the number of initial audit targets to 115. OCR and KPMG first drafted an original protocol and selected a sample of audit targets, then audited 20 covered entities in an initial test phase designed to fine-tune the protocol. Following the test phase, OCR and KPMG stated that they would refine the audit protocol and move on to audit the remaining 95 covered entities. The recently released protocol provides insight into the HIPAA areas that auditors will scrutinize and how compliance will be assessed.
What HIPAA Requirements Does the Protocol Cover?
The protocol directs auditors to conduct an all-inclusive review of the HIPAA Privacy, Security and Breach Notification Rule requirements. Very few regulatory requirements are excluded from review.
HIPAA Security Rule – The HIPAA Security Rule, which, in part, requires that administrative, physical and technical safeguards be implemented by covered entities and business associates, is covered in especially great detail in the protocol, with 77 performance criteria established. Criteria under the HIPAA Security Rule include an examination of whether the covered entity:
  • Conducts risk assessments;
  • Develops and employs an information system activity review process;
  • Develops and implements employee training criteria;
  • Selects and adopts a clear job description for a security official; and
  • Evaluates existing security measures.
Notably, the protocol criteria related to the HIPAA Security Rule distinguish between implementation specifications that are “required” of the covered entity and those that are merely “addressable.” For addressable specifications that the covered entity has chosen not to implement, the protocol directs the auditor to confirm that the covered entity has written documentation describing which aspects of the specification it chose not to implement, the rationale for that decision and, where reasonable and appropriate, the equivalent alternative measure it implemented instead. In practice, an undocumented decision not to implement an addressable specification is treated by auditors no differently from a failure to consider the specification at all.
HIPAA Privacy Rule – The protocol includes 88 performance criteria related to the HIPAA Privacy Rule and HIPAA Breach Notification Rule.
The audit protocol covers the HIPAA Privacy Rule’s detailed and onerous requirements for:
  • Notice of privacy practices for protected health information (“PHI”);
  • Rights to request privacy protection for PHI;
  • Access of individuals to PHI;
  • Administrative requirements;
  • Uses and disclosures of PHI;
  • Amendment of PHI; and
  • Accounting of disclosures of PHI.
Covered entities must also perform several general HIPAA-related activities, including:
  • Obtaining valid authorization for the use or disclosure of PHI;
  • Disclosure of PHI for oversight activities; and
  • Compliance with the “minimum necessary” requirements for uses and disclosures of PHI.
HIPAA Breach Notification Rule – The criteria in the protocol that relate to the HIPAA Breach Notification Rule address many aspects of the breach notification process that was introduced by the HITECH Act. The measures required of a covered entity include:
  • Implementing a breach risk assessment and notification procedure; and
  • Implementing a procedure for providing notification to affected individuals, to the media and to HHS, where required by law.
From a practical perspective, auditors will be seeking to determine whether a covered entity or business associate has:
  • Drafted policies and procedures to address HIPAA compliance;
  • Implemented those policies and procedures into practice;
  • Updated those policies and procedures to address any regulatory changes;
  • Appropriately trained professional and non-professional staff; and
  • Documented all compliance activities.
What Should I Do?
Some criteria will require a covered entity to produce highly detailed supporting responses and documentation. For example, one audit procedure directs the auditor to obtain the covered entity’s risk assessment documentation for uses or disclosures of PHI that the entity determined were not breaches; the entity must therefore have retained a written risk assessment for every incident it concluded did not require notification, not only for those it reported. Another directs the auditor to obtain a screenshot to verify that certain technical capabilities are actually in place, so a policy document alone will not satisfy the criterion.
The burden placed on an organization that is audited for HIPAA compliance will be substantial, and there is significant risk of a violation finding if criteria are not met. Now is the time to assess whether your organization is meeting its requirements under HIPAA. If your organization is not ready, now is the time to get prepared. For more information please contact Michael Igel at migel@trenam.com or 727-820-3963.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Trenam | Attorney Advertising
