A Long Road to HIPAA Compliance: Privacy and Security Audits

Since the Health Information Portability and Accountability Act of 1996 (HIPAA) was implemented in 2003, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has not conducted a formalized plan for auditing health care providers, insurance plans and other covered entities … until now.

OCR recently announced its pilot program to audit covered entities for privacy and security compliance and says in 2012 it will conduct up to 150 audits in their effort to ensure that covered entities and their business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification Standards. The OCR website provides useful information about this program and its objectives.

Previously, there was no mandated auditing process as a part of HIPAA, but rather reviews of covered entities typically would occur as complaints were raised by patients or consumers. With the American Recovery and Reinvestment Act of 2009, Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH) amended portions of HIPAA and requires HHS to develop procedures for auditing covered entities to verify compliance with the Privacy Rules and breach notification.

Covered entities need to ensure that their policies and procedures are updated for privacy and security compliance efforts. The entity must be prepared to provide documentation of its procedures, including with regard to breach notification, and documentation that its key personnel have been trained. Training does not include simply having a notebook containing policies and procedures that no one knows how to use.

According to the OCR website, the timeline is fairly quick, so individuals within the covered entity should be prepared to know what to do upon receiving a written notification that an audit is coming. If a “serious compliance issue” is found, OCR may initiate a compliance review to address the problem.

Of course, OCR will continue to accept complaints from individuals and covered entities through their privacy officers must continue to accept complaints from individuals. The goal of the pilot audit program appears to be to identify best practices and discover risks and vulnerabilities that otherwise have not come to light through the complaint process.

Covered entities that are prepared will shine, while those that are not prepared will have some explaining to do.