HIPAA Compliance Audits: The Newest Risk for Providers?
By Elizabeth Lamkin, MHA
Providers now have yet another form of oversight to worry about: the HIPAA Compliance Audit Program. In 2011, the Office of Civil Rights (OCR) extracted a few massive settlements and fines for HIPAA violations: Cignet Health paid a $4.3 million civil fine,1 Massachusetts General Hospital paid a $1 million settlement,2 and UCLA Health System paid an $865,000 settlement.3 Now, in 2012, we can expect many more to come.
In June 2011, the U.S. Department of Health and Human Services (HHS) awarded KPMG a $9.2 million contract to conduct and develop protocols for Health Insurance Portability and Accountability Act (HIPAA) audits. These audits are being performed in accordance with Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which requires HHS to conduct periodic HIPAA audits to ensure that covered entities and business associates are in compliance with the privacy and security rules that are part of the American Recovery and Reinvestment Act of 2009. The HITECH Act increased potential civil penalties for HIPAA violations to up to $1.5 million per calendar year for the wrongful disclosure of protected health information. For individuals, penalties for HIPAA violations now can result in up to $250,000 in fines and 10 years of jail time.
Because HHS anticipates just 150 audits to be completed within the year, the chances of an individual provider being selected for an audit are low, but because of these potentially dire repercussions providers are strongly encouraged to review their HIPAA compliance and seek outside help (if needed) to assess readiness.
The program will be overseen by the HHS Office of Civil Rights (OCR). Although the contract was awarded and announced in June 2011, audits are expected to occur throughout this year until Dec. 31, 2012, when HITECH Act funds expire. However, these audits could continue past that date should the OCR have the resources to continue.
In 2011, HHS contracted twice with Booz Allen Hamilton: first in March to study audit methodologies in order to complete the audit project, and later in June to assist in the identification of covered entities and business associates for audit. However, coming up with a truly comprehensive list - especially one that includes business associates - likely will prove difficult.
As with any type of accounting, auditing and assurance process, the HIPAA audits will include a site visit and an audit report. Site visits will include interviews with stakeholders such as chief information officers, legal counsel, health information management directors and medical records directors. Additionally, KPMG will examine physical features of health information systems and check physical safeguards, daily operations, adherence to policies and compliance with HIPAA requirements. Just think, as you walk through your facility: if a lab report is inadvertently printed and left on a desk, this could be seen as a HIPAA violation.
After the site visit and interviews, KPMG will create a final audit report, which will include:
- Name and description of the audited entity;
- Audit timeline and methodology;
- Information on best practices observed; and
- Raw data collected, such as interview notes and completed checklists.
- For each finding, the following will be listed:
- Condition: The defect or noncompliant status observed (including evidence).
- Criteria: A clear demonstration that each negative finding is a potential violation of the privacy or security rules (with citation).
- Cause: The reason that the condition exists, along with identification of supporting documentation use.
- Effect: The risk or noncompliant status resulting from the finding.
- Recommendations for addressing each finding.
- Entity corrective actions taken (if any).
- Conclusion and statement of audit completion.4
The final audit report also will include recommendations for actions the audited entity can take, through a corrective action plan, to address compliance problems. The report also will include recommendations to HHS about the potential need for continued corrective action and recommendations for future oversight."4
How can providers address this? The key is preparation. Knowing what HIPAA regulations exist and ensuring through self-auditing and policy review that your organization is complaint is the best approach to avoid an audit with negative findings. Several new tools are available to assist with this process, including one free online resource offered by The National Institute of Standards and Technology (NIST) called the "HIPAA Security Rule Toolkit." The toolkit is a self-assessment tool that assists with identifying where current safeguards are missing, or requiring improvement (visit http://scap.nist.gov/hipaa/ to download). If there are indications that your current system is not up to HIPAA standards and you require assistance, consulting and legal firms specializing in the field are available to assist with proactive audits, readiness assessment and appropriate corrective actions.
- Next >>