The Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced it will resume its HIPAA compliance audit program — launched as a pilot program in 2012 — on a permanent basis in 2014. In preparation, OCR is undertaking a survey of 1,200 organizations to determine appropriate audit candidates by gathering information on the size, complexity and fitness of respondents for an audit.
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals. OCR enforces these standards through periodic audits to assess the controls and processes implemented by covered entities to protect the privacy of PHI. It can also review HIPAA/HITECH compliance through its routine complaint and investigation process.
In 2012 — before the program stalled amid budgetary issues in Washington — OCR visited over 100 organizations, including health plans of all types, health care clearinghouses and individual and organizational providers. The results of these audits were released in April 2013, revealing —
Most covered entities were not in compliance with all three audit areas: security, privacy and breach notification;
Comprehensive, accurate security risk assessments were not performed by two-thirds of those audited;
The most common reason for noncompliance was that an entity was unaware of the HIPAA requirement; and
Noncompliance in all three audit areas was more likely among smaller healthcare providers, which accounted for 65% of all policy violations.
Based on these results, the upcoming HIPAA audits are expected to focus in particular on risk assessments, as well as on risk mitigation plans, breach notification procedures, encryption, policies and procedures, and employee training.
HIPAA requires that all covered entities and business associates have policies and procedures for formal risk assessments designed to locate and address any gaps or shortfalls in their compliance programs that would jeopardize PHI. The new audit program is expected to begin in October of next year, and organizations should ensure their HIPAA compliance programs are prepared for potential audits. Training employees on their role in compliance is crucial for avoiding violations and protecting PHI.