HIPAA Audits: Round 2 Details Revealed
Narrower in Scope, With Less Emphasis on Site Visits
The Department of Health and Human Services' Office for Civil Rights will resume its HIPAA compliance audit program this fall with a limited number of narrowly focused "desk audits," plus comprehensive on-site audits "as resources allow."
In contrast, the first, smaller round of pilot audits conducted in 2012 involved on-site visits that all examined a broad list of compliance issues.
"OCR's audit plans will focus on both covered entities and business associates," an OCR spokesperson tells Information Security Media Group. "We hope to audit 350 covered entities and 50 BAs in this first go around."
Selected covered entities will receive notification and data requests in fall 2014, while business associates will be notified in 2015, she says. "OCR will be conducting desk audits of select HIPAA privacy and security rule provisions, with comprehensive on-site audits conducted as resources allow," she notes.
Unlike the 115 pilot audits in 2012, which were conducted by KPMG, a consulting firm that OCR hired, the next round of audits will be performed by OCR staff.
OCR auditors will assess compliance efforts through an updated protocol, which will include new criteria that reflect HIPAA Omnibus Rule changes and more specific test procedures, according to a recent presentation at the Health Care Compliance Association Conference by Linda Sanches, OCR senior adviser for health information privacy.
The updated protocol will also reflect findings from the pilot program as well as post-audit surveys OCR conducted of entities that were audited in the pilot phase.
OCR plans to make its updated audit protocol available on its website so that entities can use it for internal compliance assessments.
"Desk audits will target particular provisions that were the source of a high number of compliance failures in the pilot audits," according to the presentation. For covered entities audited in 2014, areas of focus will be compliance with: the HIPAA security rule's requirement of risk analysis and risk management; the HIPAA breach notification rule, including content and timeliness of notifications; and the HIPAA privacy rule provisions requiring giving patients a notice of privacy practices and providing them with access to protected health information.
The focus of BA audits will be on HIPAA security risk analysis and risk management, as well as breach reporting to covered entities, according to the presentation.
OCR also projects that a further round of covered entity audits later in 2015 will include a focus on computing device and storage media security controls, transmission security, and HIPAA privacy rule safeguards, including workforce training, policies and procedures.
Looking ahead to 2016, OCR expects audits will include a focus on encryption and decryption; facility and physical access control; and other high-risk areas as identified by 2014 audits, breach reports and complaints.
In February, OCR posted a notice in the Federal Register saying it planned in 2014 to survey covered entities and business associates to determine suitability for the OCR HIPAA audit program (see HIPAA Audits Step Closer To Resuming).
Under HIPAA Omnibus, business associates are directly liable for HIPAA compliance, and subject to OCR enforcement penalties ranging up to $1.5 million per HIPAA violation.
OCR will conduct address verification with covered entities surveyed this spring, according to the recent presentation by Sanches. Entities will receive a link to an online screening "pre-survey" this summer.
Of the 550 to 800 covered entities contacted for the survey, OCR will select about 350 to audit, according to the presentation. Those audits will be conducted from October 2014 through June of 2015, it notes.
Selected covered entities will receive audit notification and data requests in fall 2014, and will be asked to identify their business associates and provide those vendors' current contact information. OCR will then select business associate audit subjects for 2015 from among the BAs identified by covered entities, the presentation notes.
One security expert says the resumption of the OCR audits will help spur compliance, no matter how many audits are conducted. Another is puzzled by OCR's approach to selecting candidates for the next round of audits and questions whether the audits will, in fact, boost compliance.
"I believe phase two of the OCR audit program could have a significant impact on covered entities' and business associates' compliance activities," says David Holtzman, vice president of privacy and security compliance services at security consulting firm CynergisTek.
"The first phase of OCR's HIPAA compliance audits found that a significant number of healthcare providers and healthcare facilities had not completed the risk assessment required by the HIPAA Security Rule or taken appropriate measures to address the threats and vulnerabilities identified through their risk assessments," says Holtzman, who was a senior advisor at OCR before joining CynergisTek earlier this year.
"These are foundational issues in safeguarding electronic health information and these compliance gaps were found to be especially widespread in smaller health care providers and hospitals," he says. "Requiring covered entities to provide documentation of their risk assessment and plans to remediate will be effective and forceful tools for extending the reach of OCR's audit resources."
Although OCR will be conducting a limited number of audits in its next round, the potential influence of those activities is nevertheless great, Holtzman contends. "The impact of the OCR audit program is amplified across all healthcare providers and organizations in raising the visibility of compliance with the HIPAA rules," he says.
"HHS is again demonstrating it is serious about HIPAA compliance and there will be serious consequences, reputational and financial, for failing to have safeguards in place to protect health information."
But another compliance expert questions whether OCR's new approach to audits will prove effective.
"I believe the audit approach as announced is curious and would like to understand the rationale," says Gerry Hinkley, a healthcare and privacy attorney at Pillsbury Winthrop Shaw Pittman in San Francisco, referring to the OCR survey and selection process for audits.
"It may have a negative impact on compliance but I am hoping that other factors - positives like the HHS toolkit for risk assessment and negatives like OCR and state-level enforcement regarding data breaches - will help to keep CE and BA attention on the substantial work ahead."