Permanent HIPAA Audit Program Coming Rodriguez Says Pilot Project Will Lead to Long-Term Effort
The director of the agency that enforces HIPAA "fully expects" the government to launch a permanent HIPAA compliance audit program once a pilot is completed in 2012.

The pilot version of the Health Insurance Portability and Accountability Act compliance audit program, launched this month and slated to continue with up to 150 audits by the end of next year, is paving the way for a permanent program, Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, said during a Nov. 17 presentation. OCR hired the consulting firm KPMG to conduct the first phase of the audit program (see: HIPAA Audit Tests Start This Month).

Rodriguez, who became OCR director in September, reiterated that the audits are not primarily designed for enforcement purposes, but rather as a way to help those organizations that are audited, as well as others, to improve their compliance with the HIPAA privacy, security and breach notification rules. The audits also will help pinpoint "where our vulnerabilities are" to help improve information security, he said.

In an earlier interview, Rodriguez said: "Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action." (See: New HIPAA Enforcer Pinpoints Priorities)

During his presentation Nov. 17 at the annual meeting of the Office of the National Coordinator for Health IT, Rodriguez also said OCR is taking seriously Sen. Al Franken's call for the agency to "hurry up" its efforts to issue an overdue final version of HIPAA modifications. But he again stopped short of tipping his hand about when the final version of the regulations would be issued. "We indeed are hurrying up," he quipped.

At a Nov. 9 hearing before a Senate subcommittee, Rodriguez declined to tell Franken, D-Minn., when OCR would issue its long-promised omnibus package of final rules. That package will include the HIPAA modifications, the final HIPAA breach notification rule and privacy provisions of the Genetic Nondiscrimination Act (see: HIPAA Updates: What's the Hold Up?). The HITECH Act called for HIPAA modifications that include, among other things, new requirements that business associates comply with HIPAA.

HIPAA Compliance Advice

In his Nov. 17 presentation, Rodriguez advised healthcare organizations interested in improving compliance with the HIPAA privacy, security and breach notification rules to:

  • Check that risk assessments are up to date;
  • Make sure senior managers are supportive of risk mitigation strategies;
  • Review existing compliance programs as well as staff training;
  • Ensure vigilant implementation of privacy and security policies and procedures, as well as tough sanctions for violating them;
  • Conduct frequent internal compliance audits; and
  • Develop a plan for prompt response to breach incidents.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.





Around the Network