The Department of Health and Human Services has contracted with two different parties to conduct audits of entities covered by the 1996 Health Insurance Portability and Accountability Act.
What that means for covered entities “is that the audit program is coming,” cautioned Adam H. Greene, a partner in the Washington, D.C. office of Davis Wright Tremaine who formerly worked at HHS’ Office for Civil Rights and focuses his practice on HIPAA compliance.
Under the auspices of the 2009 HITECH (Health Information Technology for Economic and Clinical Health) Act, HHS was mandated to conduct audits of covered entities to ensure compliance with data security and privacy requirements.
Prior to HITECH, HHS investigated potential HIPAA violations based on specific complaints. But HITECH imposed a requirement to conduct periodic audits to ensure that covered entities and business associates are complying with the HIPAA rules.
“Covered entities” include health care providers, health plans (including insurance companies and HMOs) and health care clearinghouses, such as billing services for physicians. “Business associates” are entities that perform functions on behalf of covered entities that involve disclosure of protected health information, such as medical data contractors or law firms that represent health care providers.
In June, the department awarded two contracts related to the audit requirements. The first went to Booz Allen Hamilton, for $180,000 for “audit candidate identification.”
The department then awarded a $9.2 million contract to KPMG to create an audit protocol and conduct up to 150 audits of covered entities by Dec. 31, 2012.
According to the contract synopsis, each audit will include a site visit with interviews with various leadership officials (such as the chief information officer, legal counsel and director of medical records) and an examination of the physical features, operations and adherence to policy.
In addition to data from the site visit, reports would include a timeline and methodology of the audit as well as specific recommendations the entity can take to address identified compliance problems, complete with a corrective action plan.
Recommendations for HHS regarding oversight and the need for any corrective action will also be included.
With audits set to begin late this year or in early 2012, covered entities should prepare themselves now, Greene said.
On the privacy side, they should make sure they “have comprehensive policies and procedures that are up-to-date and reflect the issues of the organization,” he said.
For example, an organization that bought a canned set of policies and procedures eight years ago might have since discovered that its biggest issues are the improper disposal of paper records and the inappropriate snooping by employees into electronic records.
If those issues aren’t reflected in its policies and procedures, “that will not look good to OCR and the auditors,” Greene said.
Covered entities should also ensure that they have conducted comprehensive training, especially for new staff.
“You don’t want someone who has had exposure for nine months to personal health information simply waiting until the annual training comes around,” Greene said. “And again, you want the training to reflect not just general HIPAA issues, but those specific to your organization.”
Finally, he suggested that entities that have never imposed an internal HIPAA-related sanction may have a problem.
Not having issued a sanction “doesn’t mean you have never had a HIPAA violation,” Greene said. “Have a written sanctions policy that you have trained employees on so that they know the repercussions if they violate the privacy and security requirements.”
Focusing on data security, covered entities should perform “a good risk analysis, which is the foundation of a HIPAA security program,” Greene said, with a comprehensive risk management plan in place. “The risks identified in the analysis should be reflected in the reasonable and appropriate safeguards necessary to respond to those risks.”
In a recent podcast, Susan McAndrew, the deputy director of privacy at OCR, indicated that “if an audit finds a major violation then it will be handled in the same way as an investigation,” meaning that it could lead to an enforcement action, Greene explained. The audits “will not be limited to a strictly educational function.” Narrowing the potential scope of audit candidates, McAndrew also mentioned that the audits will primarily, if not entirely, be conducted upon covered entities, not business associates as defined by HIPAA.
While that shortens the list of potential businesses to audit, Greene acknowledged that the odds of being audited remain low, given the number of covered entities.
“Think of it as losing the lottery,” he said. “Even if the odds are low, some people are going to have their number drawn.”