HIPAA Audit Protocol Published by Office for Civil Rights

The introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 updated HIPAA, and as such it required the Department of Health & Human Services’ Office for Civil Rights (OCR) to conduct a program of compliance audits to ensure the new rules had been applied.

Following a series of 20 preliminary pilot audits the OCR has devised an audit protocol which will be used to assess compliance at a total of 155 HIPAA-covered entities, with the audits concluding in December 2012.

Since any entity can be audited – not just large healthcare providers – it is important that all organizations check their procedures and revised them as appropriate to take the new Security Rule requirements into account.

The OCR has now published the long awaited details of the audit program on its website detailing the specific aspects of HIPAA, the Privacy Rule, Security Rule and Breach Notification Rules that will be assessed.

OCR Pilot Audit Protocol 2012

There are three main aspects of the legislation which are being specifically tested under the audit protocol; adoption of the Privacy Rule, Security Rule and compliance with the Breach Notification Rule.

Organizations will be audited on policies and procedures relating to the Privacy Rule notice of privacy practices for Protected Health Information, patient rights to request privacy protection for PHI, access rights of individuals to their own PHI, proper use and disclosure of PHI, amendments to PHI, accounting of disclosures and all HIPAA Privacy Rule administrative requirements.

Under the Security Rule, HIPAA-covered entities must employ the appropriate administrative, physical and technical safeguards to protect PHI and evidence of these safeguards having been implemented will also be scrutinized. Policies and procedures will also be checked to make sure they comply with the recent changes to the Breach Notification Rules.

The purpose of the audits is not to penalize organizations that have failed to implement the appropriate changes, but to get a general idea of compliance throughout the healthcare industry. The data collected in the audits can be used to analyze trends and determine areas where the legislation is proving difficult to implement. Stumbling blocks can be identified and steps taken to ensure the legislation is effective in practice.

Financial penalties are not expected to be applied for non-compliance issues identified in the audits, although action plans are likely to be issued to organizations found not to have made the required changes. Any serious security issues discovered could still result in a substantial fine.

Important Findings from the Preliminary Audits

It has become clear that while many healthcare organizations have implemented the legislative changes and updated their policies and procedures, a significant proportion have not taken sufficient steps to protect the ePHi of their patients and policy holders. The OCR has reported that the greatest issue affecting the industry is ensuring ePHi is kept safe and secure. 65% of organizations found to have violated HIPAA regulations did so because of inadequate systems to protect electronic health records.

The main Security Rule issue identified by the OCR was a failure to conduct a thorough risk analysis of their IT systems to identify security holes and vulnerabilities. Even when issues were found, many healthcare organizations were unsure how to properly manage the risks they identified.

Conducting risk assessments is now mandatory, not only under the Security Rule but also under the Meaningful Use program. As OCR Director, Leon Rodriguez pointed out at the OCR/NIST conference this month, “It is no longer acceptable to be non compliant,”

With the government having recently questioned OCR enforcement of HIPAA legislation, future audit programs are likely to see non-compliance strictly enforced and violations are likely to result in large financial penalties being applied.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.