
HIPAA Audit Update: Here's What's Next

Business Associate Audits Coming Soon; Onsite Audits Next Year
OCR's Deven McGraw spoke at last week's HIPAA summit.

Federal regulators will start remote HIPAA compliance "desk audits" for business associates in November. And more comprehensive onsite audits of covered entities and BAs are slated for the first quarter of next year.


That was the message from officials at the Department of Health and Human Services' Office for Civil Rights at last week's HIPAA summit in Washington, which OCR co-hosted with the National Institute of Standards and Technology.

OCR is randomly selecting business associates for audits from a pool of 20,000 BAs compiled primarily from lists submitted to the agency by the 167 covered entities currently being audited, Deven McGraw, OCR deputy director of health information privacy, told conference attendees.

The covered entities being audited received notification in July of their selection by OCR for audits, and each had 10 days to submit the requested documentation (see Organizations Facing HIPAA Audits Notified).

The documentation requested by OCR is "voluminous," McGraw acknowledged. But she said most entities did a reasonable job in meeting the 10-day deadline to submit the documentation.

OCR is now analyzing that documentation. Meanwhile, audits of BAs are slated to begin next month, she noted. BAs will be given the same 10-day deadline to respond to requests for documentation on compliance with applicable policies and procedures and for evidence of implementation, including a copy of their security risk assessment, she explained.

OCR frowns upon sending "superfluous" documentation, which McGraw said will be ignored by auditors.

Onsite Audits

In the current wave of audits, OCR expects to scrutinize a combined total of 200 to 250 covered entities and BAs, including "a smaller number" of more comprehensive onsite audits slated for the first quarter of next year, McGraw said.

Details of the onsite audits will be worked out by McGraw and her team in the coming months and posted on OCR's website, she added.

No covered entities or BAs under investigation by OCR for breaches or HIPAA complaints are part of the pool of eligible auditees, she said. But it's possible that some organizations chosen for desk audits could also find themselves the subject of additional onsite audits. "The chances of that happening are slim," she added.

'Roll-Up' Report

After the completion of the audits, OCR will issue a "comprehensive roll-up report" about its findings, McGraw said at last week's conference. Each auditee will also receive its own individual report, but no audited institution will be publicly identified by OCR, she pointed out.

The aim of the current round of audits is for OCR to examine mechanisms for compliance, identify industry best practices, discover risks and vulnerabilities that have not surfaced in other enforcement activities, and "enable us to get in front of problems before they result in breaches," McGraw said.

"It's not a game of 'gotcha' or a vehicle for punitive measures. But we can open an investigation if what we see in an audit" leads OCR in that direction, she said.

For instance, no organization should disregard an OCR audit request for specific documentation, she warned. "We don't like being ignored," she said. "I would be pleased if I had 200 to 250 auditees and tell them [all] they need to do a better job, rather than having to go further [by launching an investigation] because they are unresponsive."

Most of the audit-related work is being conducted by OCR staff, with some support from contractors, she said. "We're not using contractors as robustly as last time," she said, referring to OCR's pilot HIPAA audit program, which assessed 115 covered entities in 2011 and 2012.

Funding Audits

Helping to fund the audit program is the $20 million that OCR has collected so far in its 11 HIPAA-related financial settlements and one civil monetary case this year, noted Iliana Peters, OCR's senior adviser for HIPAA compliance and enforcement. "Much of that money is going to the audit program because we were not appropriated funds [by Congress]," she said.

Since 2008, OCR has issued 39 financial settlements containing corrective action plans in cases involving potential HIPAA violations. Not all of those cases stemmed from investigations into breaches; some were rooted in investigations into HIPAA complaints OCR received, Peters explained.

In addition, OCR has issued two civil monetary penalties in cases that went before an HHS administrative law judge. Those include a case involving Lincare Inc., a provider of respiratory care, medical equipment and other services to in-home patients, which was ordered in February to pay a $239,800 civil monetary penalty for taking minimal action to correct its policies and strengthen safeguards to ensure HIPAA compliance.

The HIPAA enforcement agency issued its first civil monetary penalty in 2011 against Cignet Health for violations of the HIPAA Privacy Rule. Cignet was fined $4.3 million for the violations that involved failing to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators. Cignet ended up filing for bankruptcy, so OCR was unable to collect the penalty, Peters noted.

Many of the 39 financial settlements that OCR has signed could have also turned into much larger civil monetary penalty cases involving higher dollar amounts than what was settled, Peters said. "We are prepared in each case for [an] administrative law judge and trial - and don't pursue [cases] unless we are sure we can win," she said. But OCR usually agrees to settlements instead "for the benefit of companies and patients," she added.

Guidance Coming

So far this year, OCR has issued new guidance on such topics as cloud computing and the risks of File Transfer Protocol (FTP) and network-attached storage (NAS) devices, as well as guidance on HIPAA and the FTC Act released on Oct. 21.

OCR plans to release more guidance on social media, texting, and HIPAA and research-related questions, McGraw noted.

In addition, OCR will issue final guidance on how healthcare entities can share patient information with family members during emergencies, such as the Orlando nightclub shooting earlier this year, McGraw said.

"We will have a new boss in 2017," McGraw noted, referring to the presidential election and a likely change in OCR's top leadership. And that could influence OCR's priorities for next year.

While the director of OCR is a politically appointed position, McGraw noted that her own job is a career position within the federal government, and she expects to stay on in that role.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.