[authors: Dianne Bourque and Stephanie Willis]

As promised by the Department of Health and Human Services’ Office of Civil Rights (OCR) and as reported here on June 11th, OCR has released its HIPAA privacy and security audit protocols. The audit protocols are intended to cover the three main areas of HIPAA privacy and security enforcement:

  1. Privacy Rule requirements, specifically:
    • notice of privacy practices for Protected Health Information (PHI);
    • rights to request privacy protection for PHI;
    • access of individuals to PHI;
    • administrative requirements;
    • uses and disclosures of PHI;
    • amendment of PHI; and
    • accounting of disclosures.
  2. Security Rule requirements for administrative, physical, and technical safeguards.
  3. Breach Notification Rule requirements.

The protocol addresses 165 performance criteria: 77 focus exclusively on compliance with the Security Rule, and the remaining 88 deal with Breach Notification Rule and Privacy Rule requirements combined.

Senior Advisor David Mayer of OCR, during his presentation at the 2012 American Health Lawyers Association Annual Meeting in Chicago, Illinois, stated that the protocol presently on the website is actually an updated version of the protocol used to audit the first 20 covered entities that were selected for examination during the HITECH audit pilot program period. He also stated that ninety-five more covered entities will be audited to meet OCR’s goal of auditing 115 entities, and that OCR did not open any additional reviews related to the 20 audits it has completed so far. Last, he noted that once the HIPAA Omnibus Rule is published, OCR will likely begin auditing business associates as well.

Mr. Mayer also provided some of his preliminary observations gathered during the audit pilot program period. An audible gasp rose from the crowd when he recounted a story in which, when the KPMG auditors arrived to complete the audit of a covered entity, the covered entity’s representatives essentially said, “We have nothing; we are so glad to see you because we need your help.” The audit was a wake-up call to that covered entity to prioritize its HIPAA privacy and security compliance programs.

Mr. Mayer announced that OCR plans to continue its audit program in 2013 and 2014, and that the agency has been appropriated the money to do so. All covered entities, particularly small providers (who historically have accounted for a high proportion of HIPAA violations), should take the opportunity to use the audit protocols as a guide to draft or revamp their HIPAA compliance policies and procedures, and to devise a plan of action for responding to audits in an organized and comprehensive manner.

Mr. Mayer noted to the audience that they’d be “surprised” at how many covered entities do not have HIPAA compliance policies and procedures in place. All covered entities should take this comment to mean that it is not too late to put such policies and procedures in place, not as a signal that there is still time to wait.