Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. Section 13411 of the 2009 HITECH Act requires the HHS Secretary to conduct periodic audits of compliance with the HIPAA privacy, security and breach notification standards. In June 2011, OCR awarded a $9.2 million contract to the consulting firm KPMG to develop an audit methodology and pilot program and to conduct the first 150 audits. (Ironically, KPMG was selected despite having been responsible for a breach in May 2010 in which an unencrypted flash drive was lost, affecting more than 4,500 patient records at a New Jersey medical facility. Oh well, no one's perfect!)
Of further note, the pilot program will be limited to 150 HIPAA covered entities and will not include business associates (BAs), although OCR has stated that BAs will be subject to audits at a later date. This is despite the fact that 55% of all major breach incidents since September 2009 (those involving the records of 500 or more individuals) occurred at BAs. In addition, fewer than 50% of healthcare organizations conduct any kind of pre- or post-contract compliance assessment of their BAs. But more on BAs later. First, here is the planned roll-out of the pilot program for covered entities:
The HIPAA auditors plan to notify covered entities that they are among the lucky 150 by mail. What we find most interesting is that the notified entity then has 10 days to provide the auditor with documented evidence of how it has complied with the HIPAA privacy and security standards and the breach notification rules, including a copy of its most recent HIPAA Risk Analysis. That's right, its HIPAA Risk Analysis. As you may or may not recall, the HIPAA Security Risk Analysis is not just a core measure for attesting to Meaningful Use; it has been a requirement under the HIPAA Security Rule since 2005. If you are at all concerned about making a good first impression on the auditor, we suggest you do not send them a HIPAA Risk Analysis that is more than two years old.
OCR is also getting serious about enforcement. The KPMG contract itself requires the auditors to inform organizations in advance that "OCR may initiate further compliance enforcement action based on the content and findings of the audit." Since taking office, OCR's new director, former prosecutor Leon Rodriguez, has repeated one mantra: "enforcement promotes compliance."
Now on to business associates. While OCR opted not to audit business associates themselves in its pilot HIPAA program, covered entities are not relieved of their obligation to monitor the PHI safeguards at their BAs. In fact, business associate oversight should be a significant concern at hospitals: it is a complex and cumbersome responsibility, and therefore an oft-neglected one.
For business associates themselves, protecting the security and privacy of ePHI/PHI will shortly become both a fiduciary responsibility and, potentially, a competitive issue. OCR has confirmed that direct liability for a breach will extend to BAs at the end of 2012, raising the likelihood of civil penalties against them. As hospitals begin to feel increased audit pressure, they may insist that BAs provide documented policies, procedures and third-party network security assessments before business contracts are signed or renewed. Publicly disclosed violations or civil penalties assessed against a BA could be brand-damaging at the least and a company killer at worst.
Whether you are a covered entity or a business associate, we recently published a list of 10 things we recommend to best prepare yourself for the inevitable day the HIPAA auditor arrives. You can download the full Audit Advisory here: http://www.redspin.com/resources/whitepapers-datasheets/request_HIPAA-security_audit_advisory.php