The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) – main enforcer of HIPAA patient data privacy and security laws – lifted the veil on its HIPAA audit process for health care providers, a program that went into effect earlier this year with 150 pilot providers up for audits in 2012.
In posting its proposed audit protocols, OCR indicated that its enforcement activity will focus on the privacy, security and breach notification compliance programs that HIPAA covered entities have in place. Auditors will examine such documents as breach notification policies that define the actions a covered entity will take once a breach is discovered, and delve into detailed matters such as how a covered entity manages an employee’s access to protected health data when he or she is promoted, transferred or retires – and how that differs from when an employee is terminated.
At the 2012 American Health Lawyers Association annual meeting, OCR senior advisor David Mayer discussed some early HIPAA audit experiences. The website JDSupra reports that Mayer related anecdotes of audited providers having little or no HIPAA compliance policies in place, and actually looking to the auditors for guidance in setting them up.
Providers who want to steer clear of compliance issues can examine the protocols currently under development and see how their policies, procedures and technology for managing HIPAA compliance stack up. Mayer said that as of late June, 20 covered entities had been audited, with a target of 95 more this year in the pilot program. Once the OCR publishes its HIPAA Omnibus Rule outlining enforcement procedures, it will likely add business associate audits into the mix, too.