HIPAA Privacy and Security Audits: They Are Here - Are You Ready?
The U.S. Department of Health & Human Services' Office for Civil Rights (OCR) administers HIPAA (including the HITECH amendments) by investigating complaints, enforcing rights, promulgating regulations, developing policy and providing technical assistance and public education. Since the enactment of HITECH in 2009, OCR has assumed another function: compliance audits. HITECH requires periodic audits to ensure that covered entities and business associates are complying with the HIPAA privacy and security rules and breach notification standards. OCR has implemented a pilot program of up to 150 audits, to occur by December 2012 to assess compliance. Audits will be administered through a contracted public accounting firm, KPMG LLP.
Whereas past audits have been complaint (enforcement)-based, these are matrix (assessment)-based (OCR retained a contractor to help it select entities to be audited). The initial audits will be performed in two stages: a limited "test wave" of approximately 20 audits to try out existing protocols, and a full wave of up to 150 audits using revised protocols informed by the test wave. The test wave is expected to conclude by May 2012, at which time the remaining audits will take place.
Although all covered entities and business associates are eligible to be audited, OCR indicates that the initial audit program will be limited to covered entities ("Business Associates will be included in future audits"). OCR is responsible for selecting the audited entities – its stated goal is to "provide a broad assessment of a complex and diverse health care industry." Therefore, OCR plans to audit a wide range of sizes and types of covered entities (health care providers, plans and health care clearinghouses). OCR makes clear that it "expect[s] covered entities to provide the auditors their full cooperation and support."
Entities selected for an audit will receive an audit notification letter – OCR provides a sample on its website.
The letter will describe the audit process as well as the documentation the entity must provide in advance. Entities selected for audit will be under a tight initial timeline: the requested documentation must be provided within 10 business days. This is an additional sound reason to review your documentation now to ensure that it is in order and can be produced quickly. Requested documentation will likely include:
Following production and review of the audited entity's documentation, the audit firm will conduct a site visit lasting between three and 10 business days. Site visits will typically occur within 30 to 90 days of the original audit notification, and will include personnel interviews. Potential interviewees include:
· President, CEO or Director
· Compliance/privacy officers
· Human Resources representative
· Individual responsible for training
· Disaster recovery specialist
· "Incident response" team leader
· Network engineers
· Physical security specialists
· Computer hardware/software specialists
Based on recent and highly publicized enforcement incidents, audits are likely to focus on:
After this fieldwork is complete, the auditor will provide the audited entity with a draft final report, and the audited entity will have 10 business days to review and provide written comments. The auditor will complete a final report within 30 days of the audited entity's response and submit the final report to OCR.
OCR presents audits as "primarily a compliance improvement activity." OCR plans to review and aggregate the final reports, including remedial activities taken by the audited entities, to "better understand compliance efforts with particular aspects of the HIPAA rules." While OCR will generally use the audit reports to develop technical assistance and determine the most effective types of corrective action, a serious compliance issue may merit a compliance review of the audited entity – which, in turn, may lead to an enforcement action against the audited entity. OCR states that it will not post a listing of audited entities or the findings of an individual audit that clearly identify the audited entity.
While audit preparation is a complex process that will vary with the size, complexity, and functions of the covered entity (or business associate), it is clear that entities should take at least these initial steps immediately, to the extent they have not already done so:
(1) Formally designate a privacy official (45 CFR 164.530(a)(1)) and security official (45 CFR 164.309(a)(2)) and document appropriate position descriptions.
(2) Formulate an incident response team (for privacy and security breaches) and document appropriately.
(3) Ensure that privacy and security rule policies and procedures, and those related to incident detection, response, and notification, are up-to-date, implemented, organized and accessible.
(4) Ensure that training materials and documentation are up-to-date, complete, organized and accessible.
(5) Evaluate understanding of and black-letter compliance with the privacy rule, security rule and breach notification rule. The "Administrative Requirements" sections of the privacy rule (45 CFR 164.530) and security rule (45 CFR 164.308) are excellent overall guides.
(6) Perform and document a security rule risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and implement and document a risk management plan (45 CFR 164.308(a)(1)(ii)(B)) based on the results. A risk analysis is an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by" the covered entity or business associate. Id. A risk management plan is implementation of "security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level …." Id.
If your organization is selected for an OCR audit, your timelines will be short – but you will be expected to provide a thorough and timely response. Preparing ahead of time will lessen strain on the organization and will further your organization's ability to not only survive the audit process, but to receive an exemplary report.
For more information, please contact Kimberly Metzger at (317) 236-2296 or Kimberly.metzger@icemiller.com or any member of Ice Miller’s Privacy and Information Law attorneys.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.