The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has announced that it is gearing up for its second round of HIPAA compliance audits later this year. The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act and is intended to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. While this next round of audits will be narrower in scope than OCR’s 2012 pilot audit program, OCR will include business associates as well as covered entities.
In a February 24, 2014 Notice in the Federal Register (“Notice”) , OCR announced that it will soon launch a survey of 1,200 organizations – 800 covered entities and 400 business associates — as a first step toward selecting those organizations to be audited. In a presentation that same day at the 2014HIMSS Annual Conference, Susan McAndrew, OCR Deputy Director, explained that the survey will seek to verify if the entity, which has been chosen from a large OCR database, is a suitable candidate for a HIPAA audit by asking questions, such as “Is the organization still in business?” and “Is the organization the healthcare entity indicated by the database?”
OCR stated that the survey “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.” Among other things, OCR intends to collect “recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations.” Not all organizations that are surveyed will be audited.
OCR’s 2012 HIPAA pilot audit program uncovered a wide variety of HIPAA compliance failures, including Privacy Rule failures (such as a lack of NPPs, use and disclosure violations, and minimum necessary violations), Security Rule failures (such as incomplete risk analyses, improper media disposal, and inadequate access controls), and administrative failures (such as lack of training and failure to update policies and procedures). In fact, OCR’s analysis of the 2012 pilot audit data revealed that two-thirds of the entities audited did not have a complete and accurate risk assessment.
Thus, one of the primary areas of focus in the 2014 audits likely will be whether covered entities and business associates alike have conducted timely and thorough security risk assessments as required by HIPAA. Indeed, on September 23, 2013, OCR Director Leon Rodriguez reported at the HIMSS Privacy and Security Forum in Boston that the covered entities audited in the pilot program often had conducted a “shallow risk analysis” that was not properly updated as circumstances changed, such as the when the entities developed new business strategies or implemented new information systems. Director Rodriguez observed, “With any business change, an entity must review its risk analysis; yet, two-thirds of pilot participants – including 80 percent of providers – did not have a complete and accurate risk analysis.”
Another issue which is expected to be a focus of the 2014 audit program is the use of data encryption and an organization’s underlying risk analysis in deciding whether to encrypt or not encrypt. Under the Security Rule, encryption is an “addressable” requirement. Therefore, an organization which fails to encrypt must, through documentation, justify its decision and then select and implement a reasonable alternative. At the May 2013 OCR/NIST 6th Annual Conference on Safeguarding Health Information, Director Rodriguez reported that OCR’s pilot audit program revealed that encryption was not always implemented (or even considered) by organizations. He observed that organizations either implemented encryption or did nothing at all in justifying and documenting reasonable alternatives. Thus, Director Rodriguez stressed the importance of conducting a risk analysis related to encryption implementation in which an organization must weigh the pros and cons of encryption in making the final decision to encrypt or not to encrypt.
Finally, OCR also has stated that it is revising its audit protocol for the HIPAA Audit Program to reflect the changes included in the HIPAA Omnibus Rule that became effective on September 23, 2013.