A Critique of the New HIPAA Audit Plans
Compliance Experts Offer Mixed Reviews
As the Department of Health and Human Services' Office for Civil Rights gears up to begin its next round of HIPAA compliance audits, security and privacy experts are giving OCR's plans mixed reviews.
When OCR resumes its audit program in the coming months, the agency plans a limited number of narrowly focused "desk audits." Comprehensive on-site audits will be performed only "as resources allow," says an OCR spokeswoman. OCR plans to audit 350 covered entities beginning in the fall and 50 business associates in 2015 (see HIPAA Audits: Round 2 Details Revealed).
Some security and privacy experts say OCR's new approach to offsite, highly focused audits could help the agency become more efficient in reviewing the compliance of covered entities and business associates. But others believe the plans will come up short in driving compliance, compared with more in-depth, on-site audits, as were conducted during a pilot in 2012.
OCR's audits of covered entities will focus on specific areas of HIPAA compliance, according to a recent presentation at the Health Care Compliance Association Conference by Linda Sanches, OCR senior adviser for health information privacy. That includes 100 audits focused on the HIPAA privacy rule, especially privacy notices and compliance with individuals' right to access their protected health information; 100 audits on compliance with the HIPAA Omnibus breach notification rule; and 150 focused on the security rule, especially risk analysis.
The business associates audits will focus on compliance with the risk analysis and breach notification requirements, according to Sanches' presentation.
The first round of pilot audits conducted in 2012 by OCR's contractor, consulting firm KPMG, involved on-site visits that all examined a broad list of HIPAA compliance issues at 115 covered entities. In contrast, the next phase of desk audits will be conducted by OCR's staff.
Selected covered entities will receive notification and data requests in fall 2014, while business associates will be notified in 2015, the OCR spokeswoman says.
Onsite vs. Offsite Audits
Privacy and security expert Rebecca Herold, a partner at consulting firm Compliance Helper and CEO of The Privacy Professor, says OCR's new focus on desk audits is a good idea.
"It is a very good move to improve efficiency and widen the numbers of CEs, and BAs, that are being audited," she says. "I've done over 250 HIPAA audits since 2000. After you've gotten a good methodology down for performing HIPAA audits, you can then learn from your experiences, know the areas of most common non-compliance and risk, and then refine your audit methodology accordingly."
Security expert Brian Evans, principal consultant at Tom Walsh Consulting, offers a similar perspective. "I'm not surprised with OCR's new audit approach because I can appreciate their limited staffing and financial resources in addition to the fact that this is their first year of the program," he says. "Offsite 'desk audits' can still be a cost-effective way of gathering compliance data and cover more of the population than onsite audit."
But Jennings Aske, CISO at speech recognition software vendor Nuance, which is a business associate under HIPAA, is not sold on the idea of OCR concentrating on mostly desk audits, rather than onsite assessments.
"It's too bad they can't do both," he says. "Onsite audits allow a dialogue between regulators and healthcare providers," says Aske, who joined Nuance in January after leaving his post as chief information security and privacy officer at Partners HealthCare, an integrated health delivery network in Boston. "Remote audits will miss that dynamic.
"I understand that budgets are tight, but I'm surprised OCR isn't getting more funding for this, or can use enforcement money that's been collected" to expand the audit program, Aske says.
Kate Borten, president and founder of the security consulting firm The Marblehead Group, says she's disappointed with the desk audit approach planned for the next phase of the program. "These are much more limited than the anticipated audits. And I expect they fall short of Congress' intent," she says, referring to HIPAA compliance audits being mandated by Congress in the HITECH Act. But, she adds, "These audits are certainly better than nothing."
The lack of a more aggressive audit program could hurt efforts to boost compliance, Aske argues. The HIPAA audit program should aim to "help push the healthcare vertical forward to complying with privacy and security issues, but this will adversely impact that," he contends. "We expected a robust audit program and heavy fines on organizations. I'm surprised that's not happening."
Additionally, document-based audits could lead to "erroneous findings and gaps" by OCR for some organizations, Aske says. OCR needs to consider ways of mitigating the risks that come from miscommunication or misinterpretation, he adds.
No Sure Bets
Even if an organization passes an off-site audit without major findings, "a successful outcome is not assurance of compliance," Borten stresses. "Of course, even a thorough audit can miss things. But these documentation audits just scratch the surface" because they each will deal with only narrow aspects of HIPAA, she notes.
Although the next round of audits will be narrower, OCR has made it clear that results could lead to non-compliance enforcement actions by the agency, says privacy attorney Adam Greene, a partner at law firm Davis Wright Tremaine.
This threat of potential OCR sanctions following an audit is a strong driver for compliance, Evans says. "Managing information risk is a constant for every organization. But managing compliance risk and the chance of being fined or penalized is a fairly new endeavor in healthcare," he says. "So, I believe the audit plan serves as an additional motivator for CEs and BAs to protect patient information more effectively."
Herold believes that the resumption of the audit program alone "initially will drive compliance actions by a small percentage of covered entities and BAs, whose business leaders are savvy and responsible enough to see that compliance is not a choice, but a legal obligation."
But she anticipates that a majority of organizations will not be inspired to action "until they start hearing of the penalties received by those who are audited during the earlier weeks and months of the audit activities."
Selecting Audit Candidates
OCR plans to survey 550 to 800 covered entities chosen from a list of CEs that was prepared from a number of databases, according to Sanches' presentation. The survey will help OCR confirm information, such as e-mail addresses. From that pool, OCR then will select about 350 entities to audit. Business associates will be chosen for audits based on the lists of vendors that surveyed covered entities provide, according to the presentation.
"I would like to see a larger number of organizations surveyed even though an actual audit may not occur," Evans says. "Increasing the candidate pool heightens organizational readiness to pursue and maintain compliance. It also provides a more representative sampling of data for future OCR audits."
Herold would like to see OCR remind organizations that there are several ways a HIPAA compliance review can be triggered, including as a result of complaints or breaches. "There needs to be more clear indication that all CEs and BAs are subject to audit, though, not just those who received a survey," she says.
She also suggests that OCR provide a website to enable patients to answer a short survey if they want to nominate a specific organization to be considered for an audit. "This should help ensure those entities with the least compliance are considered and not overlooked simply because they fell outside of the survey pool," she says.