“Enforcement Promotes Compliance” – HIPAA Audits Just Around the Corner


Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. Periodic audits of the HIPAA privacy, security and breach notification standards are required of the HHS Secretary under Section 13411 of the HITECH Act (2009). In June of 2011, OCR awarded a $9.2 million contract to the consulting firm KPMG to develop an audit methodology and pilot program, and to conduct the first 150 audits. (Ironically, KPMG was selected despite having been responsible for a breach that included the loss of an unencrypted flash drive and affected more than 4,500 patient records at a New Jersey medical facility in May 2010 – oh well, no one’s perfect!)

Of further note, the pilot program will be limited to 150 HIPAA covered entities and will not include business associates (BAs), although OCR stated that BAs will be subject to audits at a later date. This is despite the fact that 55% of all major breach incidents since September 2009 (those involving 500 or more individuals’ records) occurred at BAs. In addition, less than 50% of healthcare organizations conduct any kind of pre- or post-contract compliance assessment of their BAs. But more on BAs later. First, here’s the planned roll-out of the pilot program for covered entities:

The HIPAA auditors plan to notify covered entities that they are among the lucky 150 by mail. What we find most interesting is that they then have 10 days to provide the auditor with documented evidence of how they have complied with the HIPAA privacy and security standards, as well as the breach notification rules, including a copy of their most recent HIPAA Risk Analysis. That’s right, their HIPAA Risk Analysis. As you may or may not recall, the HIPAA Security Risk Analysis requirement is not just a Core Measure of attesting to meaningful use; it has been a requirement under the HIPAA Security Rule since 2005. If you’re at all concerned about making a good first impression on the auditor, we’d suggest you don’t send them a HIPAA Risk Analysis that is more than 2 years old.

OCR is also getting serious about enforcement. The KPMG contract itself requires their auditors to inform organizations in advance that “OCR may initiate further compliance enforcement action based on the content and findings of the audit.” Since taking office, the mantra of OCR’s new director, former prosecutor Leon Rodriguez, has been “enforcement promotes compliance.”

Now on to business associates. While OCR opted not to include auditing business associates themselves in its pilot HIPAA program, covered entities are not relieved of their obligation to monitor PHI safeguards at their BAs. In fact, a significant concern at hospitals should be business associate oversight, a complex and cumbersome, and thus oft-neglected, responsibility.

For business associates themselves, protecting the security and privacy of ePHI/PHI will shortly become both a fiduciary responsibility and potentially a competitive issue. OCR has confirmed that direct liability for a breach will extend to BAs at the end of 2012, raising the likelihood of civil penalties. As hospitals begin to feel increased audit pressure, they may insist that BAs provide them with documented policies, procedures, and third-party network security assessments prior to signing or renewing business contracts. Publicly disclosed violations or civil penalties assessed to BAs could be brand-damaging at the least and a company killer at their most severe.

Whether you’re a covered entity or a business associate, we recently published a list of 10 things we’d recommend to best prepare yourself for the inevitable day the HIPAA auditor arrives. You can download the full Audit Advisory here: http://www.redspin.com/resources/whitepapers-datasheets/request_HIPAA-security_audit_advisory.php

WEB: WWW.REDSPIN.COM | PHONE: 800-721-9177 | EMAIL: INFO@REDSPIN.COM