HIPAA Audit Program (Benefit Minute)
The privacy, security and breach notification provisions of the Health Insurance Portability & Accountability Act (HIPAA) set national standards to safeguard individuals’ protected health information (PHI) and require specific notifications regarding breaches of unsecured PHI. Covered entities under HIPAA include health providers, health plans and healthcare clearinghouses.
The Office for Civil Rights (OCR) enforces these provisions of HIPAA by investigating complaints, performing education and outreach, and conducting compliance reviews to determine whether covered entities are in compliance. These programs enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to PHI. Criminal violations of HIPAA are referred to the Department of Justice.
HIPAA Audit Program Background
In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements. OCR then evaluated the effectiveness of the pilot program. Based on that experience and the results of the evaluation, OCR implemented phase two of the program, which includes audits of both covered entities and business associates. As part of this program, OCR developed enhanced protocols (sets of instructions), which have been used in the phase two audits, and is testing the efficacy of desk audits in evaluating the compliance efforts of HIPAA covered entities.
HIPAA Audits – Phase Two
In March 2016, OCR announced phase two of the HIPAA audit program. Approximately 165 covered entities were contacted in July 2016 and asked to provide documents related to either privacy and breach notification compliance or security controls. OCR is using the requested information to perform desk audits of the selected covered entities.
Documents requested for the privacy/breach notification audit included:
- Copy of Notice of Privacy Practices in effect in 2015;
- URL for entity website and URL for posting of Privacy Notice (if applicable);
- Policies and procedures for electronic distribution of Privacy Notice (if applicable);
- Policies and procedures for individuals to request access to PHI, including any standard form or template used to document requests;
- Documentation related to the first five access requests that were granted in the previous calendar year and evidence of fulfillment;
- Documentation related to the last five access requests in the previous calendar year for which the covered entity extended the time for response to the request;
- Documentation of five breach incidents from the previous calendar year affecting fewer than 500 individuals; and
- Documentation of five breach incidents affecting 500 or more individuals in the previous calendar year, including a copy of the notice sent to affected individuals and any standard form letter or template used for notification purposes.
Documents requested for the security control audit included:
- Policies and procedures regarding the covered entity’s risk analysis process and risk management process;
- Documentation demonstrating that policies and procedures related to risk analysis and risk management were in place six years prior to the audit notification date;
- Documentation from the previous calendar year demonstrating that records related to risk analysis and risk management are available, periodically reviewed and updated as necessary;
- Documentation of current and most recent prior risk analysis, including results;
- Documentation demonstrating efforts used to manage risks from the previous calendar year;
- Documentation demonstrating security measures implemented to reduce risks as a result of current risk analysis; and
- Documentation demonstrating that current and ongoing risks are reviewed and updated.
If a covered entity could not provide the requested documents, an explanation for the deficiency was required. OCR also asked for information about business associates of covered entities.
Audit Process Is Ongoing
The desk audits of covered entities are ongoing. Using the information provided by covered entities, OCR will next identify certain business associates for the second round of desk audits. This will be followed by on-site audits of selected covered entities and business associates, focusing on a comprehensive set of HIPAA compliance controls (which have not yet been identified).
OCR has stated that the audits are primarily a compliance improvement activity which will be used to better understand compliance efforts and determine what technical assistance materials should be developed. However, OCR could decide to open separate compliance reviews in cases where a significant threat to the privacy or security of PHI is identified.