Employers Face More Government Audits: HIPAA Compliance
December 02, 2011
Given the ongoing worldwide economic concerns and discussion of another recession, it is hard to believe that major provisions of the 2009 Stimulus Act impacting employers have yet to be fully implemented. However, health care providers, insurance plans, and other covered entities under HIPAA need to be aware that the Office of Civil Rights (OCR) of the United States Department of Health and Human Services (DHHS) recently announced its pilot program to audit covered entities for privacy and security compliance. Over the next 13 months, OCR will conduct up to 150 audits to ensure that covered entities and business associates are complying with HIPAA Privacy and Security Rules and Breach Notification Standards. OCR has created a new website to convey the progress of this effort and details of its implementation plan.
HIPAA Privacy and Security Audit Program
As part of the American Recovery and Reinvestment Act of 2009, Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH) amended portions of the Health Information Portability and Accountability Act of 1996 (HIPAA). Section 13411 of HITECH requires DHHS to develop procedures for auditing covered entities to verify compliance with the privacy provisions of HIPAA and its standards for notifying individuals of breaches of confidentiality.
Both covered entities and business associates, as those terms are defined by HIPAA, are subject to the audits, but OCR has indicated that covered entities will be the focus of the initial round of audits. Covered entities are defined to include (1) health care providers such as doctors, clinics, nursing homes, pharmacies, etc. that transmit any information in electronic form in connection with transactions for which DHHS has adopted a standard; (2) health plans such as health insurance companies, HMOs, and company health care plans; and (3) health care clearinghouses. 45 C.F.R. § 160.103. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Id. It is unclear which factors will guide OCR’s selection of entities to be audited, but OCR has stated it will audit a wide range of types and sizes of covered entities during the pilot program.
Covered entities must have updated policies and procedures for privacy and security compliance efforts. OCR has explained that the new audit process will require the entity to provide documentation of its procedures, which must include the new mandates under HITECH, including breach notification. The audit procedures will require key personnel to be trained and familiar with procedures related to HIPAA compliance. The initial audits will involve both a site visit and an audit report. During the site visit, field auditors will interview key personnel and observe the business processes and procedures.
Following the site visit, the field auditor will assemble a draft report to explain the site visit findings and what actions the entity is taking to address the concerns. The audited entity will have a chance to review the draft report, discuss concerns, and provide input about corrective measures being implemented. The final report will incorporate the covered entity’s comments. Clearly, this audit process goes beyond the field auditor simply reviewing the covered entity’s files to verify that proper policies and procedures are in place. It is important for attorneys working with health care clients and other covered entities to verify that businesses are fully aware of the steps the business has implemented to address HIPAA.
OCR has indicated that the audit will be initiated by written notice to the covered entity informing it of the audit contractor information and requesting initial documentation within 10 business days. Accordingly, the appropriate individuals within a covered entity should be prepared to know what to do upon receiving this type of quick-turnaround request. OCR indicates that the on-site visit will occur approximately 30 to 90 days after the initial letter. On-site visits should take between 3 and 10 business days. The field auditor will then prepare the initial draft of the audit report, and the covered entity will have 10 days to provide comments. The auditor will complete the final report within 30 days of the covered entity’s response and submit it to OCR.
Although the audit process is detailed and will involve DHHS opening the books of covered entities, the intended use of this round of HIPAA audits appears to be an educational process for OCR to prepare its enforcement mechanisms. OCR will review the audit findings and the covered entity’s corrective measures, and “OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action are most effective.” However, DHHS clearly states that if an audit report indicates a “serious compliance issue,” then OCR may initiate a complete compliance review to address the problem. Because it is unclear what a “serious compliance issue” will be, covered entities should give the HIPAA audits a high priority.
How to Be Prepared When the Auditor Comes to the Door
HIPAA provides complex rules and regulations for securing protected health information, and HITECH amended HIPAA to create specific requirements for notifying patients and others of breaches of confidential information. In light of OCR rolling out new audit processes, it is crucial that attorneys advising health care providers and other covered entities ensure that the HITECH provisions are included in clients’ policies. Because OCR will implement an on-site phase to the audit, it is equally important that those persons charged with carrying out the procedures know what to do and how to do it. Knowing how well the procedures work will enable covered entities to participate in the audit process in a meaningful way. If a covered entity has a policy but no practical experience with the policy, it could give rise to the type of “serious compliance issue” that OCR has referenced in its audit announcement. You do not want the field auditor to be the first person to walk around the office and verify that the individuals with breach notification responsibilities know how to respond when a breach occurs.
The covered entity’s documentation must be updated and complete. In addition to required policies, the covered entity should have several other items in order, including business associate agreements, incident response plans, descriptions of technology used to secure patient information, and training materials used to inform employees of the procedures. Additionally, covered entities should understand how business associates protect information they receive. Covered entities should be able to explain past security breaches, how the entity responded, and what the entity changed about the procedure moving forward.
Although Congress continues to pass legislation requiring employers to develop new procedures, the latest enforcement effort related to HIPAA can, with adequate preparation, be an opportunity for prepared organizations to shine and for other entities to develop the measures necessary for compliance.