OCR Announces November 2011 start of Privacy and Security Compliance Audits
Overview: OCR has announced that it is initiating Compliance Audits beginning November 2011, as authorized by the HITECH Act. The HITECH Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards. These audits will strengthen enforcement and accountability for compliance with existing and forthcoming (by the end of 2011) Rule modifications. HHS has delegated this auditing function to OCR. To implement this mandate, OCR is piloting a program to perform 150 compliance audits of covered entities to assess privacy and security compliance.
Who will be audited? Every covered entity and business associate is eligible for an audit. OCR is responsible for selecting the covered entities that will be audited. OCR has indicated that selections will be designed to provide a broad assessment of a complex and diverse healthcare industry. This means that OCR will randomly select covered entities that are large, medium-sized and small (such as a one-doctor healthcare provider). No covered entity will be exempt from the chance of being selected for a compliance audit by OCR.
What is the purpose of these audits? These audits precede the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement Rules (expected before the end of 2011) and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.
How the Audit Program will Work. Covered entities selected for an audit will be informed by OCR of their selection and the covered entity will be asked to provide documentation (in writing) of their privacy and security compliance efforts. Covered entities will have 10 business days to provide the requested information. Every audit will include a site visit and result in an audit report. OCR expects to notify covered entities selected for an audit between 30 and 90 days prior to the onsite visit. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Onsite visits may take between 3 and 10 business days depending on the complexity of the organization and the auditor’s need to access materials and staff. OCR will then issue a report based upon the audit.
What happens After an Audit? Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions are most effective.
Why the Push for Increased Audits? The increase of 6,230,963 individuals impacted by HITECH breaches (for a total of 18,190,451) represents a skyrocketing jump in the number of individuals affected by privacy and security breaches, which heightens the need for OCR to strengthen enforcement and accountability through compliance audits to ensure compliance with these Rules.
What should a covered entity do to prepare for a potential OCR Audit and avoid the consequences (monetary penalties) of non-compliance? To avoid potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to 1) conducting a new, or reviewing an existing, Risk Assessment of threats and vulnerabilities to Protected Health Information (PHI); 2) mitigating identified risks through privacy and security safeguard Policies and Procedures; 3) training their workforce members (including management) to safeguard the privacy and security of PHI; and 4) documenting those actions in writing.