The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. What we find most interesting is...

1. Enforcement Promotes Compliance – HIPAA
Audits Just Around the Corner
Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. Periodic
audits of the HIPAA privacy, security and breach notification standards are required of the HHS Secretary
under Section 13411 of the 2009 HITECH Act (2009). In June of 2011, OCR awarded a $9.2 million contract to
the consulting firm KPMG to develop an audit methodology and pilot program, and to conduct the first 150
audits. (Ironically, KPMG was selected despite having been responsible for a breach that included the loss of an
unencrypted flash drive and affected more than 4,500 patient records at a New Jersey medical facility in May
2010 – Oh well, no one’s perfect!)
Of further note, the pilot program will be limited to 150 HIPAA covered entities and will not include business
associates (BA’s) although OCR stated that BA’s will be subject to audits at a later date. This despite the fact
that 55% of all major breach incidents since September 2009 (those involving 500 or more individual’s records)
occurred at BA’s. In addition, less than 50% of healthcare organizations conduct any kind of pre- or post-
contract compliance assessments of their BAs. But more on BA’s later. First here’s the planned roll-out of the
pilot program for covered entities:

2. The HIPAA auditors plan to notify covered entities that they are among the lucky 150 by mail. What we find
most interesting is that they then have 10 days to provide the auditor with documented evidence of how they
have complied with the HIPAA privacy and security standards, as well as breach notification rules, including a
copy of their most recent HIPAA Risk Analysis. That’s right, their HIPAA Risk Analysis. As you may or may
not recall, the HIPAA Security Risk Analysis requirement is not just a Core Measure of attesting to meaningful
use, it’s been a requirement under the HIPAA Security Rule since 2005. If you’re at all concerned about
making a good first impression on the auditor, we’d suggest you don’t send them a HIPAA Risk Analysis that is
more than 2 years old.
OCR is also getting serious about enforcement. The KPMG contract itself requires their auditors to inform
organizations in advance that “OCR may initiate further compliance enforcement action based on the content
and findings of the audit.” Since taking office, the mantra of OCR’s new director, former prosecutor Leon
Rodriguez, has been “enforcement promotes compliance.”
Now onto business associates. While OCR opted not to include auditing business associates themselves in their
pilot HIPAA program, covered entities are not relieved of their obligation to monitor PHI safeguards at their
BA’s. In fact, a significant concern at hospitals should be business associate oversight, a complex and
cumbersome, thus oft-neglected responsibility.
For business associates themselves, protecting the security and privacy of ePHI/PHI will shortly become both a
fiduciary responsibility and potentially a competitive issue. The OCR has confirmed that direct liability for a
breach will extend to BAs at the end of 2012 raising the likelihood of civil penalties. As hospitals begin to feel
increased audit pressure, they may insist that BAs provide them with documented policies, procedures, and
third-party network security assessments prior to signing or renewing business contracts. Publicly- disclosed
violations or civil penalties assessed to BAs could be brand-damaging at the least and a company killer at their
most severe.
Whether you’re a covered entity or a business associate, we recently published a list of 10 things we’d
recommend to best prepare yourself for the inevitable day the HIPAA auditor arrives. You can download the
full Audit Advisory here: http://www.redspin.com/resources/whitepapers-datasheets/request_HIPAA-
security_audit_advisory.php
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM