Preparing for HIPAA Compliance Audits

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), the office responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), will continue to audit HIPAA covered entities and business associates in 2015. OCR conducted its first phase of the HIPAA audit program, known as “the pilot audits,” in 2011 and 2012. Earlier in 2014 OCR announced plans for Phase 2 audits, including plans to audit both covered entities and their business associates. OCR has since delayed its initial timeframe for the Phase 2 audits and has indicated changes to the program, but covered entities and business associates can rest assured: HIPAA audits are coming. After the pilot audits concluded, OCR reported that 56% of audited entities became aware of additional HIPAA requirements as a direct result of being audited. The middle of an OCR HIPAA audit is not the time to be learning about additional HIPAA requirements; instead, covered entities and business associates should review their HIPAA compliance now. Pilot Audit Program While the next phase of audits may look very different from the pilot program in a number of ways, the pilot audits still provide a valuable learning opportunity, especially because OCR has consistently stated that the pilot audits have informed plans for future audits. The pilot audits, conducted by a contractor in 2011 and 2012, were comprehensive onsite audits, evaluating 115 covered entities against set protocols related to more than a dozen provisions of the Security Rule, approximately two dozen Privacy Rule provisions, and four provisions related to the Breach Notification Rule.[1] Of the 115 entities audited in the pilot program, 47 were health plans, 61 were health care providers, and seven were health care clearinghouses.[2] OCR categorized all covered entities into four “levels” based on size and characteristics to ensure entities of all sizes and types were audited. OCR audited more small health care providers (24 out of the 115) than any other type or size of covered entity.[3] Only 11% of the 115 audited entities did not have a finding or observation, according to OCR. In the pilot audits, OCR found that “Security [Rule provisions] accounted for 60% of the findings and observations – although only 28% of the [total number of audited provisions].”[4] OCR also noted that two-thirds of the audited entities did not have a complete and accurate risk assessment, including 47 out of the 59 health care providers.[5] Accordingly, covered entities and business associates are likely to see a greater focus on Security Rule compliance in upcoming audits. Phase 2 Audits The next phase of OCR HIPAA audits is expected to begin in 2015. Although some of the audit program’s details are still in flux, it is expected that OCR will conduct limited scope offsite or “desk” audits of both covered entities and business associates in 2015. The return of comprehensive onsite audits appears likely, but when they will begin is one of the biggest questions remaining for the audit program. Unlike the pilot audits, OCR plans to conduct future audits using primarily internal staff, rather than contractors. OCR announced this fall that it would be conducting approximately 200 offsite audits of limited scope, targeting areas of high compliance failures such as the Security Rule’s risk analysis requirement.[6] Onsite audits are expected to be much more comprehensive and will be conducted on a resource dependent basis.[7] While OCR originally stated in March 2014 that it would be conducting audits beginning in October 2014, OCR later announced that it was delaying the audits to implement new technology for surveys, document submissions, and data analytics.[8] This should be good news to covered entities and business associates as it not only gives them more time to prepare, but also will hopefully allow for more seamless audits. OCR is expecting to contact approximately 550–800 covered entities for a pre-audit survey.[9] It is anticipated that OCR will use the results of the survey to group covered entities, perhaps similar to how OCR grouped covered entities into “levels” for the pilot audit selection process. OCR has announced that it will use random selection when possible to select entities within certain types or groups.[10] Once a covered entity is selected for an OCR HIPAA audit, it can expect to receive a data request that will include a request to identify all of its business associates.[11] OCR has stated that it will only give audited entities two weeks to respond to the data request.[12] It is therefore critical that covered entities prepare for HIPAA audits before they are selected for an audit. OCR also has stated that all information submitted must be current as of the date of the data request. In other words, after an entity has received an audit notification letter should not be the time to start reviewing and updating its HIPAA policies.[13] Particularly for offsite audits, covered entities should be aware that OCR may not consider late data submissions, and that covered entities may not have additional opportunities to clarify information or communicate with auditors.[14] OCR also has made it clear that failure to respond to an audit request may lead to a referral for a compliance review (i.e., an investigation that may lead to an enforcement action).[15] Although not final, OCR has indicated that the 2014 audits (presumably now the 2015 audits) will focus on risk analysis and risk management, the content and timeliness of breach notifications, individual access to protected health information, and notice of privacy practices.[16] This focus is presumably for the limited-scope offsite audits; however, covered entities should also prepare for comprehensive onsite audits of privacy, security, and breach notification requirements. Preparing for HIPAA Audit Covered entities should be prepared to do more than hand over HIPAA policies and procedures if they are selected for an OCR audit. Covered entities should start thinking about how they will demonstrate implementation of their policies and procedures. For example, covered entities will want to make sure they not only have an appropriate sanctions policy, but that they can demonstrate consistent implementation. To demonstrate compliance with the breach notification requirements, covered entities should review breach policies and procedures, workforce training and sanctions, documentation of incidents that have occurred, and, where applicable, documentation of notifications or a breach risk assessment as required by the Breach Notification Rule. Covered entities should take advantage of this delay in the next round of HIPAA audits and ensure their most recent risk analysis assesses potential risks and vulnerabilities to all information systems, devices, and media containing electronic protected health information. Covered entities and business associates should review OCR’s Security Risk Analysis guidance and NIST Special Publication 800-30 as they update their risk analysis and risk mitigation plan. Smaller entities also may want to consider using the HHS’ Security Risk Assessment tool. Covered entities also should be thinking about their vendor management process. OCR will ask covered entities for a list of business associates, but covered entities should take this opportunity, before they are selected for an OCR HIPAA audit, to go through all vendors and ensure they have identified those that are in fact HIPAA business associates. Covered entities should ensure they have updated business associate agreements to reflect the Omnibus Rule changes. While likely further off, OCR has indicated that business associate audits are coming in 2015. For many business associates, this may be their first interaction with OCR. Although business associates will want to make sure they can demonstrate compliance with the Security Rule, particularly the risk analysis and risk management requirements, they also should think about demonstrating compliance with the Breach Notification Rule and the Privacy Rule, such as documentation of reporting breaches to covered entities and business associate agreements with subcontractors. Covered entities can consider using OCR’s audit protocol to prepare for an OCR audit, available on OCR’s website, but should recognize that OCR has not updated the protocol to reflect Omnibus Rule changes, leaving significant gaps. Unfortunately, OCR has not published a business associate audit protocol. Conclusion Covered entities and business associates that have not already begun preparing for OCR HIPAA audits should do so now. Without knowing when the OCR audits will begin or how quickly OCR will move forward with entity selections and document requests once the next round of audits begin, covered entities should use this time to review their HIPAA compliance, updating risk analyses and risk management plans, policies and procedures, business associate agreements, and notices of privacy practices as needed. This article was originally published in AHLA Weekly.