The 2009 HITECH Act mandated that the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) conduct periodic audits of covered entities and business associates for compliance with HIPAA privacy and security requirements. In 2012, OCR conducted a pilot audit program involving 115 covered entities. In February 2014, the agency issued a notice in the Federal Register announcing its plan to survey up to 1,200 covered entities and business associates to select organizations for the next round of HIPAA audits.
Speaking at the September 9 Privacy and Security Forum hosted by the Healthcare Information and Management Systems Society (HIMSS), OCR Senior Advisor Linda Sanches discussed the upcoming HIPAA audits. Although Sanches declined to provide a specific timeline for the audits, she noted that the start of the audits will be delayed until OCR completes development of the portal technology that it will use for obtaining documents from audited entities. Additionally, while OCR had initially intended to conduct 400 remote “desk audits,” that number will be reduced to fewer than 200. Notably, the agency now expects to conduct more comprehensive “on-site” audits than originally anticipated, due to an increased budget for such reviews.
Sanches also stated that pre-screening surveys would be sent to potential audit candidates in the “near future,” with surveys going first to covered entities and then to business associates. Covered entities will be randomly selected from a national database, while business associates will be chosen based on their inclusion in vendor lists provided by the surveyed covered entities.
Security risk assessments and breach notification will be key areas of focus for the audits. “If you don’t do a periodic risk analysis,” Sanches explained, “you won’t know where you stand.” Sanches also stated that although such an analysis can involve significant resources, it’s better to have one in hand than to have to scramble to prepare one at the time of an audit. Recent HIPAA enforcement actions—which have resulted in multi-million dollar settlements with OCR—underscore the importance of conducting a thorough risk assessment and developing an effective HIPAA compliance program.
Sanches’s remarks on the OCR audit program precede an important upcoming HIPAA deadline. Specifically, September 22, 2014, will be the last day for covered entities and business associates to amend “grandfathered” business associate agreements (BAAs)—meaning those BAAs that had been in place as of January 25, 2013, and have not been amended since that time—to comply with the HIPAA “Omnibus” Final Rule released on January 25, 2013. The Final Rule required that certain changes be made to BAAs, including requiring business associates to comply with applicable Security Rule requirements and to report breaches of unsecured PHI. HIPAA covered entities and business associates that have not amended their BAAs since January 25, 2013, to comply with the Final Rule should ensure that they have done so before the September 22 deadline.