The Health Insurance Portability and Accountability Act (HIPAA) has fundamentally changed the health care industrys privacy and security practices. However, the federal governments enforcement efforts historically have been complaint-driven and sporadic. As a result, HIPAA-covered entities and business associates typically have failed to make compliance a priority. In fact, in 2008, the federal Department of Health and Human Services Office of Inspector General published a report criticizing the governments HIPAA oversight, concluding that, reliance on complaints alone was ineffective for identifying noncompliance.
The era of reactive and passive enforcement has ended, however. In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the American Recovery and Reinvestment Act, which included enhanced HIPAA enforcement provisions and increased penalties for noncompliance. Most notably, HITECH required the federal Department of Health and Human Services Office for Civil Rights (OCR) to conduct periodic HIPAA compliance audits. HITECH also imposed new HIPAA privacy and security requirements and expanded those already in place. Since HITECHs enactment, the Office for Civil Rights has imposed civil monetary penalties in seven cases, whereas it did so only in two cases between 2003 and 2010.
In November 2011, the office began conducting the now-mandatory HIPAA compliance audits through an initial audit pilot project. Although HITECH requires OCR to audit both covered entities and business associates, the pilot audit program includes only covered entities. OCR has not publicly identified which covered entities it will audit, but stated that, selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry and that, OCR will audit as wide a range of types and sizes of covered entities as possible . . . OCR plans to include business associates in future audits.
OCR has posted an overview of the pilot audit program on its web site at www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html. Initial audits will be conducted in accordance with the process currently described on the website, but revisions are expected over time.
The current process provides that selected entities will receive a letter requesting the production of documentation of HIPAA compliance within 10 days. Auditors will also conduct site visits to interview key personnel and observe operations. According to OCR, the auditors will provide between 30 and 90 days notice of an anticipated site visit, and the visits may take anywhere between three to 10 days, depending on the size and complexity of the organization.
OCR auditors will then draft an audit report, and the covered entity will have 10 days to submit a written response. Within 30 days of receiving the entitys comments, OCR will issue a final report.
On its web site, OCR emphasizes that the primary purpose of the audits is to, assess HIPAA compliance efforts by a range of covered entities . . . [and] examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCRs ongoing complaint investigations and compliance reviews. However, OCR also notes that if a serious compliance issue is identified, a compliance review may be conducted to address the problem.
Although not stated explicitly, if a covered entity fails to cooperate fully during the audit and/or if the auditors identify instances of noncompliance, the covered entity could face sanctions. Notably, the sample audit notification letter that OCR made available on its web site states: We expect . . . your full cooperation and support and remind you of your cooperation obligations under the HIPAA Enforcement Rule. This is not a minor point as the largest civil monetary penalty imposed to date by OCR against a covered entity, in the amount of $4.4 million, was mainly as a result of the covered entitys failure to cooperate with OCRs investigation.
Because OCR HIPAA audits eventually will also include business associates, both business associates and covered entities should prepare now for the prospect of a HIPAA audit. Some suggested steps include:
Since audited entities must provide documentation of HIPAA privacy and security compliance within only 10 days, these materials should be readily available, up-to-date, accurate, and in full compliance with all applicable requirements. These include up-to-date policies and procedures and business associate agreements; documentation of HIPAA Security Rule compliance, including documentation of all risk assessments and implementation of appropriate safeguards that address all of the Security Rule standards; documentation of investigation and mitigation of all reported breaches; documentation of compliance with breach notification requirements; and documentation of employee training.