Healthcare organizations that may have been hibernating this winter received a gentle wake-up call, quickly followed by a not-so-gentle one, this past Monday. After a quick re-tooling following a pilot program, it appears that the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is preparing to kick off its official HIPAA compliance audit program very soon. Susan McAndrew, OCR deputy director for health information privacy, hinted during the 2014 HIMSS Conference that “in coming months you’ll see actual activity that will start up on the audit process.” Within 24 hours, the OCR posted a notice in the Federal Register announcing that it was surveying “up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program.” What does all this mean? HIPAA audits are coming, and compliance can no longer be reactive.
Although the survey’s initial audience is an “oversupply,” as not all 1,200 will be audited, healthcare organizations should pay attention, because this second iteration of audits will differ from the first go-around in many vital aspects. In 2012, the OCR conducted a pilot program, auditing 115 covered entities, using the consulting firm KPMG. This year’s audits will generally be narrower in scope, allowing more organizations to be audited. Additionally, auditing efforts will be in-sourced rather than handled by a third-party consultant. The OCR has revised the protocol to reflect changes brought about by the new HIPAA Omnibus Rule, including the extension of audits to business associates as well as covered entities. Among the areas of focus for this year’s audits is whether organizations have conducted an in-depth HIPAA security risk assessment, as this was a widespread weakness found during the pilot.
To be effectively prepared, both for 2014 and on an ongoing basis, it is important to ingrain compliance into the culture of the organization. Compliance cannot be an extra burden that is only emphasized during potential audit periods and then forgotten. With this in mind, one of the most important things an entity can do is conduct a comprehensive examination of the effectiveness of its current HIPAA compliance program. Four key components must be established:
1) People – Are there people who have been specifically tasked within the organization to manage compliance? Do they have the complete support of management?
2) Policies & Procedures – Is the organization equipped with the right policies and procedures? (e.g. for training, monitoring and reporting)
3) Technology – Is the entity incorporating up-to-date technology into key business processes? (e.g. electronic file transfers and data encryption)
4) IT Security Systems & Processes – Are the appropriate security measures in place from both a physical and a technical standpoint?
And the job doesn’t end once the proper pieces are in place. Organizations must be dedicated to constant self-evaluation and to implementing changes as needed. At last year’s HIMSS Privacy and Security Forum, Leon Rodriguez, Director of the OCR, stated that his organization will be leveraging its civil monetary penalties even more than it already has. The OCR now has authority to carry civil monetary penalty revenue across fiscal years, which allows it to better plan how to use those revenues for auditing activities. Under the permanent program, audits will focus on vulnerabilities that may change from year to year as new issues come into focus.
In summary, organizations need to be prepared and try to stay two steps ahead of the game. Clearly, resources will need to be devoted to this effort, whether internal or sourced from outside. The Federal Register notice indicates that HHS is accepting comments on its survey plans until April 25. The first surveys will likely go out shortly thereafter, so there isn’t much time to lose. Is your organization ready?