The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) has reportedly begun to implement its next round of HIPAA compliance audits, set to take place in the early part of 2016.
Earlier this week, HealthITSecurity.com discussed the overarching details of HIPAA enforcement actions, and how healthcare organizations should be prepared for allegations of violating either the Privacy or Security rule. But what should covered entities know about the compliance audits? How is this different from a standard security risk assessment? What is the timeline for a HIPAA compliance audit?
We will review these issues and others to explain what may potentially be heading toward covered entities or business associates, and how they can work to get their ducks in a row before OCR comes knocking.
What is a HIPAA compliance audit?
The compliance audits are a way for OCR “to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews,” states the HHS website.
Essentially, the program will analyze any processes, controls, and policies that have been implemented as ways to meet the HITECH Act audit mandate.
“The privacy and security performance audit process will include generally familiar audit mechanisms,” HHS explains. “Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts.”
Both covered entities and business associates could find themselves on the receiving end of an OCR compliance audit notification letter. Screening audits, which are designed to gather data about an organization’s operations regarding its HIPAA procedures, have reportedly already been sent out. Moreover, the next round of compliance audits could consist of either remote desk audits or on-site audits.
It is important to note that OCR will notify an organization in writing before an audit takes place. The entire process and expectations will be explained, and OCR will also specify what documentation and other information will be needed throughout the process.
It will also specify how and when to return the requested information to the auditor. OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information.
The audit protocol also covers Privacy Rule requirements in seven areas:
- Notice of privacy practices for PHI
- Rights to request privacy protection for PHI
- Access of individuals to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures.
The breach notification rule and all three safeguard requirements - administrative, physical, technical - are also covered in the compliance audit protocol.
It is also important to note the “mere conduit” exemption with the OCR audits. Essentially, organizations that provide “mere conduit” service are excluded from HIPAA liability.
As explained by HealthITSecurity.com contributors Linda McReynolds and Ron Quirk, this exemption applies to telecom or information services that exclusively provide transmission or temporary storage of transmitted data incident to such transmission.
“The key difference between a conduit and Business Associate is the transient versus persistent nature of the opportunity to view the PHI,” the duo wrote. “To qualify as a conduit, a service provider must ensure that PHI is only temporarily stored. It is irrelevant whether the service provider actually views the PHI.”
The HIPAA compliance audits can not only incentivize covered entities and business associates to stay HIPAA compliant, but also help them improve privacy and security measures.
Being selected for the HIPAA compliance audits
OCR will reportedly audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards. OCR will audit 100 covered entities for compliance with the Privacy Standards and 100 covered entities for Breach Notification Standards compliance.
Should an organization be selected, it will receive a notification letter in the mail, which will describe the process. However, healthcare covered entities and business associates that perform comprehensive and periodic risk analyses and maintain thorough accounts of where ePHI is stored will be in good shape.
It will also be beneficial to ensure that business associate contracts or BAAs are thoroughly documented and kept in a safe place. All security training should also be properly documented, along with evidence of an organization’s encryption capabilities.
“Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective,” HHS explains. “Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.”
While the next round of HIPAA compliance audits is expected to be slightly different from the previous one, healthcare organizations can still benefit from learning from the first round. The table below is from HHS and outlines the basics of what will and will not occur for selected organizations in the audit process.
Failure to comply with HIPAA could result in hefty monetary sanctions. For example, OCR is authorized to dole out penalties of more than $50,000 per violation, even if it is determined that the breach was unintentional. OCR may also impose penalties of up to $1.5 million per calendar year.
Maintaining proper privacy and security measures year-round is essential. Organizations should regularly monitor all three safeguards and make adjustments as necessary. Documentation needs to be thorough and current, along with all BA partnerships. Periodic reviews and risk analysis will also be essential to ensuring that organizations are not only prepared for a potential HIPAA compliance audit, but also that they are able to keep sensitive data secure.
Image credit: Department of Health & Human Services