Written by Dianne J. Bourque and Stephanie D. Willis
The HHS Office of Civil Rights (OCR) begins its pilot HIPAA compliance audit program this month. Section 13411 of the Health Information Technology for Economic and Clinical Health Act, or (HITECH) Act, requires HHS to perform these periodic audits of covered entities and business associates to evaluate compliance with the HIPAA Privacy and Security Rules and Breach Notification standards. The main purpose of the audits is to help OCR get ideas about helpful technical assistance and effective corrective action mechanisms. But if OCR uncovers a more egregious compliance issue, it may perform a more invasive compliance review.
According to OCR’s website:
- OCR will perform up to 150 audits between November 2011 and December 2012.
- OCR will attempt to include a wide range of covered entities – from covered individual and organizational providers of health services, to health plans of all sizes, and health care clearinghouses.
- OCR will provide written notice to covered entities selected for an audit between 30 and 90 days before a planned onsite visit. Depending upon the complexity of the organization and the auditor’s need to access materials and staff, these onsite visits may last between 3 and 10 business days.
- After the onsite visit, the covered entity will have the opportunity to review and provide written comments within 10 days after the OCR auditor provides it with a draft final report.
- Within 30 days after receiving the covered entity’s response, the OCR auditor will submit a final audit report to OCR. The entities to be audited as well as the results of the audits will not be listed publicly.
The pilot audit program is just another brick in the wall of HIPAA enforcement that OCR has been building in recent years. A past post on our sister blog, Privacy and Security Matters, mentioned OCR’s numerous activities, which now include the HIPAA Enforcement Training sessions held nationwide for state attorneys general and three formal Resolution Agreements signed between February and July of this year alone. And more settlements are likely coming down the pike, given the recent TRICARE breach and the fact that there are 301 Security Rule complaints and compliance reviews open as of September 30, 2011.
With the new audit efforts beginning, it has become even more imperative for covered entities to monitor the activities of their business associates, for business associates to monitor their own activities, and for both to update their own internal privacy and security processes.