Based on the requirements of the HIPAA/HITECH laws and regulations, the Office for Civil Rights (OCR) initiated what was called a “pilot” audit program in 2012.[1][2] This initial audit program was part of the OCR’s “health information privacy and security compliance program.”[3] The idea was to “assess” the progress of covered entities in complying with the regulations. The expressed view was that such an auditing program would provide compliance information not readily seen in investigations or other reviews.[4][5] This initial program was implemented in three phases:
- Development of protocols
- A small number of audits to check the protocols, followed by revisions
- A larger number of audits using the modified protocols
All the audits were completed by the end of 2013, though none involved Business Associates (BAs) of Covered Entities (CEs).[7][8]
The OCR audit program was expected to be in full force by late 2015, but this did not occur.[9] The program has been delayed over the past year for reasons that OCR has not clarified.[10] However, in response to a September 2015 report from the HHS Office of Inspector General (OIG) recommending stronger OCR oversight of compliance, the OIG confirmed a “Phase 2” audit program in early 2016.[11] While not all the audit protocols are clear, some things are known:
- Audits will include not only CEs, but also BAs of CEs[12]
- There will be audits of different types, e.g. “remote desk audits” as well as on-site audits, depending on OCR personnel and other factors not yet well defined[13]
Some past audit protocols are known, though some revisions are likely. The OIG report on OCR actions contained a number of recommendations, including:
- The establishment of “a permanent audit program”
- Investigators should require OCR staff “… to check whether covered entities have been previously investigated.”[14]
The basic intent seems to be the determination of compliance with the Omnibus Final Rule, which has been the subject of past LAMMICO lecture series, as well as with associated privacy and security regulations such as the HITECH Act.[15]
The commencement of OCR audits is imminent. Failure to pass an audit could result in significant civil monetary penalties, e.g. up to $1,500,000 per year for “willful” violations.[16] Observations were made in 2015 that a significant number of CEs and BAs of CEs would not be expected to pass such audits.[17] Every effort should be made to avoid an OCR determination of “willful neglect,” meaning “… conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”[18][19]
How to Avoid Audit Pitfalls
As stated in the National Law Review, “…it is important that covered entities and business associates invest the time in identifying and closing any HIPAA compliance gaps before an OCR investigator does this for them.”[20] The clear way to avoid the perception of “willful” violations, i.e. that one simply saw no real value in the requirements and devoted no time to compliance, is to document that, even if something was missed, policies, procedures, and training plans are in place. Every provider qualifying as a CE should conduct a review of its policies and procedures, as well as a review of its Business Associates, to assure up-to-date policies, contracts, and staff training.