The Department of Health and Human Services (HHS) announced that they have awarded a $9.2 million contract to the consulting firm KPMG. KPMG will develop the process and perform HIPAA audits. There will be an estimated 150 onsite audits by the end of 2012. The audits are a requirement under the HITECH act and have been long overdue. In addition, HHS just released a report to congress that states in the past 2 years almost 8 million patient data records have been breached. The numbers of breaches are likely to increase as more healthcare organizations implement electronic medical records (EMR). HHS will need to do something drastic to curb the large number of data breaches.
What we know:
Not incident driven
The audits will not be incident driven but will be more random. Now a covered entity is at risk of an audit if someone files a complaint with HHS. The 150 audits will be more random with HHS selecting who they will audit. Susan McAndrew the deputy director of The HHS Office of Civil Rights (OCR) recently gave an interview where she provided insight into the audits. She said,
“We will be looking for a variety of entity types to select for the testing of the protocols. And then we will be looking for meaningful ways of targeting the audit [candidate] selections … true to the typical audit protocols. … It will not be totally random … but this [audit program] will not be incident-driven, unlike the current investigations and compliance reviews that we do. This is an opportunity for us to select on a more random basis who we will be looking at.”
Focused initially on covered entities
Initially the audits will target covered entities which could include hospitals, clinics and medical practices. When asked if business associates of covered entities would be included, McAndrew said,
OCR has not yet determined whether it will audit business associates as well as covered entities, such as hospitals, clinics and health insurance plans. Nevertheless, KPMG will develop protocols to support business associate audits.
McAndrew said that each audit will include onsite visits and interviews
“Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, privacy officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy; and observation of compliance with regulatory requirements.”
Scope of audits
The audits will address broad compliance issue with the HIPAA security and privacy rules. Are the proper policies and procedures in place? How is patient data being protected? For a list of items that HHS has requested in past click here. McAndrew gave this insight,
Audits initially likely will offer comprehensive assessments of compliance with the HIPAA security and privacy rules, rather than focusing on specific narrower issues.
What is not clear:
Which covered entities?
Although HHS has said that covered entities will be the focus of the audits, they did not give any indications to whether they will target large hospitals or small medical practices. No one would be surprised if they audit both large entities such as hospitals as well as target smaller medical practices. That would put all covered entities under notice.
Susan McAndrew said that initially covered entities would be targeted for the audits. But she went on to say that KPMG will build the protocols to be able to audit business associates as well. This could have a major impact on covered entities. If HHS starts auditing business associates then covered entities will need to worry about ensuring that each of their business associates are also in compliance.
How results will be release
It is not clear as to what HHS will do with the results of the audits. They could compile the results and release it as a summary report or they can publish the results of individual audits. Individual results could have increase ramifications to covered entities as it could potential reveal security shortfalls. McAndrew said,
A decision on exactly how to inform others about the results of the audits has not yet been made. “There can be great learning by others from these audit reviews. I’m hoping, certainly, that it will lead to the ability to publicize best practices and effective corrective action … and that we can expand the impact on compliance … by making this information public,” McAndrew says. But OCR has not yet determined whether it will publish individual audit reports or summary reports on trends identified in all the audits.
Risk of being audited:
There are a very large number of covered entities and even larger number of business associates. With over 200,000 medical practices and over 1,000,000 business associates the real risk of being audited is very small. Then again the risk of being audited by the Internal Revenue Service (IRS) is very small but the fear of being audited motivates individuals to file their taxes.
There are several steps that organizations can take now to prepare themselves for an audit. This would include having policies and procedures in place, preforming an updated risk assessment on how patient data is protected, ensuring that employees have received HIPAA training and ensuring that they have a breach incident response plan in place. McAndrew give this advice,
Prepare for the audits by taking several steps, including reviewing their privacy and security policies and procedures; ensuring that they’ve documented patient information safeguards; completing an updated risk assessment; and developing a breach incident response plan.
Now is the time to start thinking about and preparing for the HIPAA audits. Take a 5 minute quiz to see how your organization is doing with HIPAA compliance.