OCR HIPAA Audit: Ignorance Won’t be Blissful
By Doug Pollack - Article on February 21, 2012
As many healthcare privacy, information security, legal and compliance officers are well aware, the HHS Office for Civil Rights (OCR) has begun a series of audits of healthcare organizations (HIPAA covered entities). For these audits, OCR has contracted with KPMG to assess whether organizations are compliant with the HIPAA Privacy and Security Rules, as well as the HITECH (Interim Final) Breach Notification Rule. This past week, Mark Johnson, National HIPAA Services Director at KPMG spoke to an audience at a Healthcare Compliance Association (HCCA) meeting about the audits. His presentation and comments were instructive, not to mention scary.
As the title of his presentation implies, 2012 HIPAA Privacy and Security Audit Readiness (click here KPMG_Security_Audit_Readiness.pdf for a copy of the presentation), the expectation is that healthcare organizations will be able to demonstrate readiness (compliance) with the HIPAA Privacy and Security Rules. This 2012 program will result in audits of 150 HIPAA covered entities, business associates are not in scope for this first series of audits. 20 of these have already been kicked off, and the remaining 130 organizations will be selected in late Q1 or early Q2, 2012. While you might think that it will only be large, highly visible organizations that will be audited, that isn't the case. They have broken the audit candidates into 4 categories: large provider/payers, large regional hospital systems, community hospitals/outpatient surgery/pharmacy/self-insured entities, and small providers/rural pharmacies. So the audits will address the complete spectrum of covered entity types.
While the presentation itself is very instructive, his comments were even more interesting. Mr. Johnson indicated that they will definitely want to see updated policies and procedures, and that in the first audits, very few organizations had updated these documents. He also noted that while they are not audited business associates, that covered entities should have methodologies for and be evaluating the risks that exist with their business associates, also something that they found lacking in the initial audit sample.
In fielding questions, Mr. Johnson had some advice for healthcare organizations. His first suggestion was that in order to be well prepared, all covered entities should carry out a rigorous risk assessment. Something that is not for the “faint of heart”. He also suggested that they not wait for the audit letter to show up, because there will be no extensions to the 10 day request for documentation period. And to highlight the “tone” of his message, when asked what people can do now, he siad “prepare for judgment day—for that day is coming”. Certainly an ominous message. And on a final note, as to the what to expect after the audit, he indicated that OCR is planning to share the audits with state officials (Attorneys General) and will provide them further training on what to look for relative to compliance issues.
So I think the message is clear. OCR is now focused on monitoring the level of compliance by healthcare organizations with privacy, security and data breach provisions in HIPAA and HITECH. And given some of the recent enforcement actions, their intent will be to take actions to penalize organizations that are found lacking, in order to motivate behavior and allocation of resources to protect patient privacy.