Now that it appears the long-awaited HIPAA audits of healthcare organizations and their business associates are actually starting, it’s worth noting that not everyone is thrilled about the prospect.
Indeed, one consultant told me that a lot of IT folks at provider organizations were in a state of near panic after getting emails earlier this week from the HHS Office for Civil Rights (OCR) verifying their addresses so the audit process could begin in earnest.
Some prospective auditees were even frantically checking their spam folders for the email, as recommended by the OCR.
Healthcare consumers and patient advocates are welcoming the audits as a major step in enforcing compliance with the health data privacy and security law. However, for most healthcare organizations, being audited won’t be pleasant, even if they’re prepared. And most — especially smaller physician practices — aren’t.
Audits will involve a lot of electronic paperwork, emails back and forth with OCR, and, after an anticipated round of desk audits this year, likely on-site visits from auditors in 2017.
Oh yeah, there is also the very real possibility of fines for organizations and business associates that have not conducted rigorous security risk assessments or have let breaches go unreported. Now that's something to worry about.
Beyond the generalized anxiety, though, some providers have already criticized the audit process, particularly what they see as unfairness in the method OCR is using to select what the agency considers a representative sample of organizations to be audited.
In a story from the National HIPAA Summit, at which OCR Director Jocelyn Samuels first revealed that the audit process had begun, Bloomberg BNA reported that Kirk Nahra, a lawyer with the Washington, D.C. firm Wiley Rein, complained that the first phase of audits in 2011 and 2012 was "burdensome."
And although the second phase starting now will likewise involve only a small percentage of organizations, likely well under 10% of covered entities and their business associates, Nahra told Bloomberg BNA that he doesn't like these audits either.
“The problem with audits are their overall burden, the risks resulting from the audits and the potential unfairness of picking people largely at random,” Nahra was quoted as saying.
The business news service also reported that Samuels said the current round of audits isn’t intended to be punitive, but will allow OCR to gauge compliance with HIPAA across the entire healthcare industry.
Another group that is not entirely happy with the audits is the College of Healthcare Information Management Executives (CHIME).
In February, CHIME and its sub-group, the Association for Executives in Healthcare Information Security (AEHIS), submitted comments critical of OCR's audit methodology as part of their response to the National Institute of Standards and Technology's (NIST) request for information on NIST's national framework for improving cybersecurity.
"It is still unclear to providers how much 'is enough?' Providers are left with the impression that what they are doing is enough until they are breached and it was retroactively determined it was not enough," CHIME and AEHIS wrote. "They further note ongoing challenges within the healthcare community at large and within their own organizations to devote more effort to manage IT risk and in particular security-related risks in the wake of competing priorities and resources.