Long Term Care & Senior Living Blog

Phase 2 HIPAA Audits Are Coming, Now Is The Time To Get Ready


In 2011-2012, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) conducted a pilot audit program (Phase 1) to evaluate covered entities' compliance with the HIPAA privacy, security and breach notification rules. The audits produced findings in all areas, but the most common finding was “entity unaware of the requirement of the rule.” While this finding applied to the privacy, security, and breach notification rules, the privacy and security rules accounted for the majority of the findings. Other findings included failure to apply sufficient resources, incomplete implementation, and complete disregard of the rules. The pilot is complete and reports have been issued, and the OCR is now preparing to initiate Phase 2 audits.

Currently, the audits are delayed while the OCR rolls out a Web portal through which the covered entities subject to audit will submit their audit data. While this work is pending, covered entities and business associates that could face a HIPAA audit should be getting their policies and procedures in place to ensure they fare well if they are chosen for audit.

What to Expect

The expected audit focus for Phase 2 includes security risk analysis and risk management for both covered entities and business associates. For covered entities, the content and timeliness of breach notifications will be a focus; for business associates, the standards for reporting breaches to the covered entity. Privacy notice and access for covered entities will also be a focus. Secondary focus areas for covered entities may include security device and media controls and transmission security, as well as privacy safeguards and training on policies and procedures. Finally, security controls including encryption and decryption, facility access control, and any other areas of high risk identified by the earlier audits, breach reports and complaints are likely to receive attention in the future.

What to Do to Get Ready

In order to avoid sanctions following an audit, several tasks can be performed before the Phase 2 audits begin. Since issues related to the security rule accounted for approximately 60% of the findings and observations during Phase 1, covered entities and business associates would be well advised to get their “security house” in order. Suggestions include completing a security risk assessment, implementing any implementation specifications identified by that assessment, or documenting why those tasks are not being done. To comply with the privacy rule, covered entities should update and implement policies and procedures in line with the HIPAA Final Rule and be able to demonstrate an active HIPAA compliance program. Finally, covered entities and business associates need to be able to demonstrate a comprehensive breach response plan that incorporates the changes included in the HIPAA Final Rule.

Why Does it Matter?

While most providers will not be audited because of the small sample size, the sanctions that could be imposed remain significant. In addition, even if a covered entity or business associate is not audited, it remains subject to possible sanctions resulting from an OCR investigation in the event of a breach or patient complaint. By being prepared and compliant with the Final Rule, covered entities and business associates will be better positioned to respond to audits as well as investigations.

Covered entities and business associates should get ready for the upcoming audits, as well as prepare for the event of an investigation following a breach or patient complaint.

By Denise Bloch
