HHS launching pilot HIPAA audit program

July 24, 2012

The Office for Civil Rights (OCR) in the U.S. Department of Health & Human Services (HHS) has announced details of a new audit program designed to check health care entities for compliance with federal rules on the privacy of patient information, the security of health information technology systems, and the notification of patients and regulators when the privacy of patient information is breached.

The OCR’s Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Audit Program was officially launched in November 2011, when the agency began developing protocols for a pilot auditing program. Officials announced the protocols in a June 26 post on their HIPAA Privacy and Security Audit Program webpage (http://tinyurl.com/735uqov).

The pilot program will involve audits of 115 health care entities. It is scheduled to run through December 2012.

The OCR plans to launch a full-scale HIPAA auditing program in 2013.

The program was authorized under the HITECH provisions of the American Recovery and Reinvestment Act of 2009, which requires the HHS to conduct periodic audits to monitor and ensure compliance with HIPAA.

The pilot auditing program will cover:

  • HIPAA Privacy Rule requirements for:
  1. Patient notice of privacy practices for protected health information (PHI),
  2. Patient rights to request privacy protection for PHI,
  3. Access of individuals to PHI,
  4. Administrative requirements,
  5. Uses and disclosures of PHI,
  6. Amendment of PHI, and
  7. Accounting of disclosures of PHI,
  • HIPAA Security Rule requirements for:
  1. Administrative safeguards,
  2. Physical safeguards, and
  3. Technical safeguards, as well as
  • HIPAA Breach Notification Rule.

The 115 audits in this year’s pilot program will cover only health care entities – such as health plans, health care practices, and insurance claim clearinghouses – that are specifically covered under HIPAA. However, business associates that may use or disclose PHI on behalf of HIPAA-covered entities will be included in future audits.

The pilot audit program will cover “as wide a range of types and sizes of covered entities as possible,” according to the OCR audit webpage. The HIPAA requirements addressed in the audits may vary based on the type of entity selected for review, according to the OCR.

The OCR audit protocol lists a total of 77 specific HIPAA privacy, security, and breach notification provisions. Auditors will be required to address 40 of those provisions with the option to address 26 others. (Eleven provisions are listed as “not applicable” on the website.)

The audits are intended to generate general information about HIPAA compliance, according to the OCR. The pilot program audits will assess not only compliance risks and vulnerabilities, but also best practices that OCR plans to share with the public.

The OCR will not publish lists of audited entities or audit findings that clearly identify the audited entities. However, if an audited entity’s audit report indicates a serious compliance issue, the OCR may initiate a compliance review of the audited entity to address the problem.

KPMG LLP developed the audit protocols and will act as the auditor.

During the pilot phase, auditors will conduct a site visit for each audited entity and provide the OCR with a report for each. The audited entity will have the opportunity to comment on a draft report. The final report will include the audit’s methodology and findings, recommendations regarding the need for corrective action, corrective actions being performed by the audited entity, and best practices identified.

Additional information can be found on the OCR HIPAA Privacy & Security Audit Program webpage or at www.aoa.org/HIPAA.
