CHICAGO -- The first phase of HHS Office of Civil Rights' (OCR) HIPAA audit program is coming to a close this November. Next year, auditors will step up their scrutiny of health care providers' compliance by dispatching teams of auditors to facilities; the bigger the HIPAA-covered entity or business associate, the bigger the auditor team and length of visit.
Fortunately, OCR has already revealed enough detail about how the audits work such that providers and their partners subject to HIPAA can start developing a compliance game plan that can stand up to auditor scrutiny, said Allen Killworth, a health care attorney for Columbus, Ohio, firm Bricker & Eckler. Presenting at the American Health Information Managers Association 2012 Annual Convention and Exhibit, he offered tips for sharpening compliance and preparing for an audit once a hospital is notified auditors are on their way.
Killworth said HIPAA cases -- helping providers deal with complaints, assisting on policy questions, working on data breach investigations -- now take up more than 50% of his legal practice. That makes sense, he said, because the typical fine for a lost laptop containing HIPAA-protected patient data is about $1.5 million, which has gotten administrators' attention.
"We've seen a lot of action the last 15 or so years that HIPAA's been around," Killworth said. "But these days, there's been a huge uptick; ever since the HITECH Act, there's been an enormous amount of tension and activity around HIPAA enforcement."
Auditors recruited from outside health care
So far, the audit program hasn't been exactly random, as OCR wanted test cases covering many sizes of health plans and providers, said Killworth, who broke down the results of about 120 publicized OCR audits for the AHIMA 2012 audience.
Depending on a covered entity's size, it can expect three to five auditors on an on-site team, and they will stay five to ten days. Upon selection, a provider being audited has three weeks to produce its HIPAA policies. Some facilities have many customized policies spread across different departments and buildings, making that a complicated task.
This early in the program it's difficult for OCR to discern who is a business associate and what their main types are, Killworth said, so how they figure into the audit program is yet to be made clear.
The process behooves providers and their business associates to form response teams now. They should familiarize themselves with the procedures, monitor updated information and guidance on audit procedures as OCR releases it, and be ready to pull together the necessary policies and other HIPAA-mandated documentation such as the breach and complaint logs.
While that gestalt might sound familiar to anyone who has dealt with Joint Commission surveys of health care facilities, Killworth told SearchHealthIT he's heard they are not modeled after Joint Commission, but instead general business financial audits.
"From what we've heard [audit contractor] KPMG was using more of its financial experience," Killworth said. "We've heard some anecdotal comments that the auditors aren't necessarily from a health care background. They have an auditing background. There's usually one person [on the auditing team] with dedicated health care experience, but from what I'm understanding the process is modeled after a business or financial audit rather than a Joint Commission or CMS clinical survey."
Results of HIPAA audits show potential compliance weak spots
Killworth said based on audit data so far, trends are becoming evident -- and are pointing out compliance weaknesses in some areas providers can review and shore up. He offered the following ideas and observations for compliance-minded providers:
- Get your HIPAA policies written. Once a covered entity gets the audit notice, they have three weeks to produce their policy documents. One catch: No document that was created after the notice will be accepted, so make sure policies are in place now. Keep them fresh and keep employees updated on changes -- make it clear to auditors you're "living by these policies," Killworth said.
- Keep abreast of information OCR releases regarding HIPAA enforcement and audit procedures. Assign employees to monitor HIPAA enforcement guidance, especially procedural notifications surrounding audit protocols. "This is a living document," Killworth said. That way you'll be able to respond to the latest criteria upon which OCR will base audits.
- It's an audit, not an investigation. While it's obvious that a provider should address any deficiencies auditors find, remember it's not an investigation of a breach or complaint, so those black marks remain on the record (i.e., it's not like a Joint Commission survey, where negative findings can be corrected).
- Have legal counsel review policies as well as any formal response to OCR regarding audit findings. While these are generally confidential documents, they can potentially be made public in legal proceedings -- so providers should be cautious in what they reveal.
- Health plans have fared better in audits than large providers, who in turn have fared better than small providers. Based on the small sample size of audited entities, there are sore spots: Providers are revealing protected data of deceased patients to more parties than the law allows (i.e., the executor of the estate is typically the one representative). Also problematic are the process in place for denying a patient access to his data and the appeals process HIPAA mandates the patient gets if that happens. And, finally, simply notifying patients of privacy practices -- which typically is a check-box on a form the patient acknowledges he's read, whether he has or not.
Finally, drill key managers on HIPAA policies, and keep that training refreshed. Auditors will interview them, so get them ready for it well in advance of a three-week notice.
"They're going to be asking questions, so your CEO, COO need to be able to at least identify where these HIPAA policies are and be familiar with them," Killworth said. "They shouldn't give this deer-in-the-headlights stare when asked about HIPAA policies; they should at least be able to refer to the privacy officer, for example."