The Department of Health and Human Services (HHS) is expected to launch its long-awaited HIPAA audit program sometime in 2014. The audit program will be run by HHS’ Office of Civil Rights (OCR), which is likely eager to get the program going after being criticized in a report from HHS’ Office of Inspector General (OIG) last year for not conducting sufficient audits as mandated by the HITECH Act. This public reprimand gives OCR an added incentive to make sure its HIPAA audit program is active and effective.
In terms of how the permanent audit program will operate, OCR has indicated that it will differ from the pilot program that ran from 2011 to 2012. During the pilot, 115 covered entities were audited, and each of them endured lengthy and detailed investigations into the entity’s compliance with nearly all aspects of the HIPAA rules. The director of OCR, Leon Rodriguez, has said that the plan moving forward is to audit many more entities, including business associates, but to make each audit narrower and more targeted. A note of caution, however, is that OCR has previously stated that audits that uncover significant noncompliance with HIPAA could prompt an investigation by OCR.
So what are the big areas of interest for OCR? This will become clearer as the audits get underway, but we do know at least two of the topics that have OCR’s attention: security risk analysis and business associate compliance. Director Rodriguez has said that risk analysis was an area of consistent weakness among entities audited during the pilot program and that “one focus in the audits will be on risk analysis.” Every covered entity and business associate must conduct a thorough review of the security of PHI in its organization and examine all facilities and operations to see where PHI flows in and where it flows out. Everything from computer encryption to office traffic patterns to off-hours use of mobile devices has to be analyzed and plans must be put in place to address any holes in security.
For more information about the audit program: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html