OCR’s Audit Program, which began in December 2011, is part of HHS’ efforts under HITECH to assess HIPAA compliance by covered entities, identify best practices, and discover risks and vulnerabilities in protecting the privacy and security of PHI that may not have come to light through OCR’s complaint investigations and compliance reviews.
OCR has repeatedly stated that its Audit Program is intended to serve as a compliance improvement tool, not an enforcement tool. To that end, a HIPAA complaint to OCR does not trigger an audit (at least not yet). Nevertheless, OCR has warned that while an Audit may uncover issues that can appropriately be addressed through voluntary corrective action, if an audit indicates serious noncompliance, it could trigger a separate enforcement action.
OCR’s Audit Program is being conducted in two phases. The initial audit phase – to test OCR’s newly developed audit protocol – involved the identification of 20 covered entities (10 providers, 8 health plans and 2 health clearinghouses) to audit. The first 20 entities were divided into four different groupings:
- Level 1 entities – large provider or plan with over $1 billion in revenues and extensive HIT use.
- Level 2 entities – regional providers or plans with revenues between $300 million and $1 billion and with paper and HIT-enabled workflows.
- Level 3 entities – community hospitals, regional pharmacies, and self-insured health plans that do not adjudicate their own plans, with $50-$300 million in revenues and some HIT use.
- Level 4 entities – small providers, community hospitals or rural pharmacies with revenues less than $50 million and little to no use of HIT.
These initial audits are now complete, and on June 7, 2012, Linda Sanches, OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits, presented initial audit findings at the OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security.
Here is a brief summary of her findings:
- More organizations had trouble with security compliance than privacy compliance;
- Smaller organizations had more difficulties establishing HIPAA compliance programs than larger organizations;
- Many organizations have failed to conduct regular risk assessments;
- Many organizations are not paying enough attention to third party risks, including business associate compliance;
Top Security Issues:
- User Activity Monitoring
- Contingency Planning
- Authentication and integrity
- Media Reuse and Destruction
- Conducting risk assessments
- Granting and/or modifying user access
Top Privacy Issues:
- PHI uses and disclosures related to deceased individuals
- PHI uses and disclosures related to personal representatives
- Business associate contracts
- Disclosures for judicial and administrative proceedings
- Verification of the identity of an individual requesting PHI
The second phase of OCR’s Audit Program, which will involve an additional 90 audits of covered entities, is now underway. Twenty-five additional audit letters have been issued to covered entities, and OCR anticipates sending an additional 70 letters to covered entities shortly, with the goal of completing 115 audits by the end of 2012. OCR plans to audit Business Associates in a later audit wave.
OCR advises that all covered entities take the following next steps based on these initial audit findings:
- Conduct a robust HIPAA compliance review and risk assessment.
- Identify Lines of Business affected by HIPAA.
- Map PHI flows within the organization as well as flows to and from third parties.
- Identify all of your organization’s PHI.
- Seek guidance available on OCR website.
Indeed, each of these steps is critical for all covered entities and business associates seeking to achieve HIPAA compliance.
While the fate of a covered entity that becomes the subject of an OCR HIPAA audit cannot be predicted, OCR has signaled that compliance efforts do count for something even if strict HIPAA compliance has not yet been achieved. Conversely, covered entities and business associates that fail to move HIPAA compliance to the top of their organization’s priority list risk the enforcement wrath of OCR, including the civil monetary penalties, investigation costs and reputational damage that can result from noncompliance.