Until recently, a health care organization’s HIPAA compliance was put to the test only when a patient specifically filed a complaint with the U.S. Department of Health and Human Services Office of Civil Rights (OCR). But the HITECH Act has effected some changes in HIPAA compliance. The biggest change is the toughening up of data breach notification laws. Another big change is that HHS is required to conduct periodic audits of providers and business associates to ensure the organizations are HIPAA compliant.
OCR contracted with KPMG, LLP to develop the protocol for these HIPAA audits and to conduct 150 of them by December 31, 2012. Well, the hour is nigh: The first 20 audits — part of a pilot audit program to test the audit protocols — are slated to begin this month. OCR will select the entities to be audited, choosing a wide range of organization types and sizes.
Health care law expert David Harlow wonders if the HIPAA audits really matter, pointing out that the requirement for providers to publicly report data breaches affecting 500 or more individuals has not, it seems, motivated a change in behavior.
And OCR is not exactly baring its teeth with these audits. According to the information posted about the HIPAA audit program on the HHS website, “Audits are primarily a compliance improvement activity. OCR will review the final reports, including the findings and actions taken by the audited entity to address findings.”
Penalties and audits aside, covered entities and business associates should be complying with HIPAA privacy and security rules simply as a matter of good business. After all, it’s the patient who could potentially suffer the most.