HHS Audits the 1% … and the Rest: First HIPAA Privacy and Security Audits Begin

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun the process of notifying covered entities that they are among the unlucky few who have been selected for the first Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security audits under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The selected entities represent a cross sample of the health care industry—from billion-dollar health care systems to small physician practices. Audited entities will undergo comprehensive reviews of their privacy and security policies and procedures, documentation, and operations.

While the first 20 covered entities have been selected, approximately another 130 remain in this audit round. HHS has indicated that it hopes to continue with proactive audits in the future and expects to become more aggressive in its enforcement of complaints. Accordingly, now is a good time to ensure that:

• Policies, procedures, and documentation comprehensively address all privacy and security requirements;
• Privacy and security training has been completed and documented;
• Actions taken as part of the HIPAA compliance program has been documented, such as complaints and any resulting investigations, findings, and mitigation; and
• Your security risk assessment and documentation of your risk management decision-making process are up to date.

The unlucky winners

HHS divided the covered entity population into four levels and various types of covered entities.

The audit notification letters have gone out to the above health plans, hospitals, pharmacies, health care clearinghouses, and small practices. Site visits are expected to begin in mid-January.

What audited entities can expect

We anticipate that the selected covered entities received notification letters, coupled with requests for documentation. These covered entities may have as little as 10 business days to respond. The requested information may include policies and procedures, training materials and documentation, a security risk analysis, and other documentation required by the HIPAA regulations.

The site visits, which likely will begin next month, will include a team of auditors spending between three and 10 business days on site, interviewing leadership and inspecting the premises. The auditors may review administrative, physical, and technical safeguards of written, oral, and electronic protected health information.

How to prepare

The audits represent a good opportunity to take stock of your privacy and security programs and make improvements. OCR has indicated that, after publication of final rules modifying the HIPAA regulations in accordance with the HITECH Act, they will more aggressively pursue complaints where there are indications of noncompliance due to willful neglect. Preparing for the current wave of HIPAA audits will help prepare your organization for this heightened enforcement.

A few steps that your organization can take to help prepare for audits include:

• Addressing the entire lifecycle of electronic and hard copy protected health information, identifying where such information is created throughout the organization, how it is maintained, and how it is disposed of;
• Creating a compliance cycle that regularly modifies policies and training in response to recurring issues and emerging threats; and
• Conducting a comprehensive review of policies, procedures, other documentation, and training.