HHS Initiates Pilot Audit Program for HIPAA Compliance

22 November 2011 Publication

Legal News Alert: Health Care

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) has initiated a pilot audit program as part of its increased emphasis on compliance, as required by section 13411 of the HITECH Act. The Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy, Security, and Breach Notification Rules. To implement this mandate, OCR has initiated a pilot program that will involve audits of up to 150-covered entities to assess their privacy and security compliance. Those audits will begin this month and are scheduled to be completed by the end of 2012.

OCR has initiated the pilot audit program pursuant to a three-step process. The first step entails hiring a consultant, KPMG LLP, to develop audit protocols and assist with the audits. KPMG was awarded a $9 million contract. Second, OCR will perform an initial wave of approximately 20 audits to test the protocols. The third step will involve performing the rest of the pilot audits using the protocols as revised.

Although both covered entities and business associates ultimately will be subject to the audits, OCR has indicated that only covered entities will be included in the initial round of audits. Covered entities selected in the initial round of audits will be designed to provide OCR with a broad assessment of compliance in the health care industry, including a wide range of covered entity types and sizes.

OCR has indicated that the audit process will include usual and customary audit procedures. Entities selected for audit will receive a letter informing them of their selection and asking them to provide documentation regarding their privacy and security compliance efforts. Following these letters, auditors will conduct site visits, during which they will interview key personnel and observe processes and operations to determine if the entity is in compliance. The visits are expected to last three to 10 days, depending on the complexity of the organization. Following the site visit, auditors will develop and share a draft report, including proposed findings, with the entity. Prior to finalizing the report, the entity will have an opportunity to discuss concerns and describe corrective actions implemented to address the identified concerns. The final report will not be posted on a public Web site or otherwise made publicly available in a manner that identifies the audited party.

OCR states on its Web site that the audits are primarily "a compliance improvement activity," rather than an enforcement mechanism. OCR hopes to use the audit process to better understand compliance efforts, to determine what types of technical assistance should be developed, and to determine the most effective types of corrective action. However, should an audit reveal a serious compliance issue, OCR may initiate a compliance review to address the problem, which could lead to an enforcement action.

The new audit program represents one more method by which OCR will ensure compliance with the Privacy, Security, and Breach Notification Rules. Covered entities and business associates will be well advised to ensure their policies and procedures are current and complete, and to conduct their own internal self audits to assure they are in compliance with HIPAA’s numerous and complex requirements. Although the audit program is being characterized by OCR in relatively benign terms, recent enforcement actions by the agency indicate that it will treat serious violations harshly.

Legal News is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:

M. Leeann Habte
Los Angeles, California

Peter F. McLaughlin
Boston, Massachusetts

Jacqueline M. Saue
Washington, D.C.

Michael Scarano
San Diego, California