The HIPAA audit program is a reality now that 167 healthcare organizations have been selected for audits and must quickly return documentation to the Department of Health and Human Services' Office for Civil Rights, or OCR.
The covered entities that OCR will scrutinize under the HIPAA audit program received email notifications July 11 and participated in a private webinar with OCR officials two days later; they have about two weeks to respond.
Scramble on to collect information
"Covered entities are scrambling to collect and upload their information," said David Holtzman, vice president of compliance strategies at CynergisTek Inc., a healthcare security and privacy consulting firm in Austin, Texas.
As expected, the second round of the HIPAA audit program, which comes after a pilot round in 2012 and 2013, is examining organizations' compliance with the law's privacy and security rules. But half of the group will have to respond only to the privacy measures, and the other half to the security measures, according to Holtzman.
"It does temper some of the burden," Holtzman, a lawyer and former OCR senior policy adviser, said. "These document requests require an extensive amount of documentation in a short period of time."
All those audited will apparently be required to show how they are complying with the HIPAA breach notification rule.
Business associates to be audited, too
Also, all must provide a list of all their business associates that handle protected health information. From these lists, OCR will select business associates to be audited under the HIPAA audit program in an upcoming round of reviews -- the first time business associates will have been audited for HIPAA compliance.
Holtzman said the relatively restricted number of audit subjects -- given that there are 2 million to 3 million HIPAA-covered entities -- is likely due to the limited funding for this HIPAA audit program: $800,000.
The reviews will be desk audits, meaning OCR's subcontracted audit firms will make no physical visits. OCR is expected to follow up with on-site visits only where a desk audit finds violations that warrant further investigation rather than corrective action alone.
Fine revenues expected to fund permanent program
However, revenues from fines OCR has levied for HIPAA violations, such as a recent $2.7 million settlement with Oregon Health and Science University, are expected to finance a permanent audit program, possibly starting in 2017.
Meanwhile, health privacy lawyer and blogger David Harlow noted that the HIPAA audit program notices do not hew completely to the more exhaustive audit protocol OCR published earlier this year. In effect, it is a streamlined process now, he said.
But the requirements listed in the notices also contain something of a surprise, Harlow noted. They include directions to provide OCR with evidence that healthcare organizations are obeying the HIPAA provision that requires them to furnish patients' health data in electronic form within 30 days of request.
"It's not just about keeping things secure, it's about providing access when access should be provided," Harlow said.
Audit no problem if already in compliance
Harlow said organizations selected for audits ought to have little problem responding adequately, "if you've been doing what [you were] supposed to be doing all along."
These measures include:
- Performing regular and thorough security risk assessments;
- Developing a risk management program;
- Following breach notification rules by informing patients, the media and the government of significant health data breaches; and
- Maintaining an up-to-date notice of privacy practices.
"But if you're one of those who really hasn't been doing anything and were hoping you weren't going to be on the list, then you may be in some trouble," said another health data privacy and security expert, Rob Rhodes, vice president of application software at health IT consulting firm Iatric Systems Inc., in Boxford, Mass.
"You need to be doing what you need to comply," Rhodes added. "Ignoring it hasn't been the answer."