The HHS Office of Civil Rights (“OCR”) has failed to comply with the HITECH Act’s mandate to audit HIPAA covered entities and business associates, according to a recent report published by the HHS Office of Inspector General (“OIG”). The OIG said that OCR “had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits . . . as a result, OCR had limited assurance that covered entities complied with the SecurityRule[.]” HIPAA compliance audits are here to stay, according to the OIG, whether OCR (and especially covered entities) like it or not.
We previously reported on the HITECH Audit Program established in 2011. At the time of that post, 20 audits had been completed, with another 95 covered entities to be audited by the end of 2012. These 115 audits have been the only HITECH-mandated audits conducted by OCR . 47 health plans, 61 health care providers, and 7 clearinghouses were audited. Several clear trends emerged from the Pilot Program, notably, that health care providers had greater compliance gaps than health plans and clearing houses, and audits revelaed proportionally more findings of noncompliance at smaller providers.
Although the Pilot Program seems to have been a relative success, its momentum has stalled. According to OCR, budgetary constraints are to blame. In its comments to the preliminary OIG report, OCR noted that the funding for the Pilot Program expired in 2012, preventing it from undertaking any more audits.
Notwithstanding the expiration of funds designated for audits, the Report recommends OCR to provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities. The Pilot Program was a nice start, but it is not enough, according to OIG. As a result, it seems likely that OCR will be forced to re-prioritize auditing internally, and possibly use this Report as a vehicle to obtain additional funding. The law requires the audits to be on-going. As HIPAA covered entities continue to work toward establishing an environment of HIPAA compliance, this Report serves as another reminder that procecting the privacy and security of health information must be a priority.