The HIPAA Audit Program, Part 1

The HIPAA Audit Program, Part 1

As many CIOs or Compliance Officers can attest, it’s impossible to attend a healthcare privacy or security conference these days without running into Leon Rodriguez. Rodriguez, the Director of OCR/HHS, gives the same presentation at these events time and again, and, without fail, draws the highest attendance of any particular event session. While Rodriguez holds himself well at the podium, attendees are not exactly lining up in the standing room only section of the banquet hall to see public speaking virtuosity. No, they are there for the terrifying subject matter: the HIPAA Audit Program.

HITECH enacted HIPAA Audit Program

hitech hipaa audit program for health care
The HIPAA Audit Program, enacted through the HITECH Act in 2009, was put in place to correct what was widely seen as a lax HIPAA compliance culture in healthcare. Simply put, HIPAA non-compliance was only an issue if you got caught. Perhaps rightfully so, many healthcare CIOs or compliance professionals have long been concerned only with keeping patient PHI safe. As for following all the “other” HIPAA requirements – performing risk assessments, creating data use and access policies, etc. – most healthcare leaders only actually adhered to the rules insofar as they helped the facility keep patient data safe. In the unfortunate event that a health care facility suffered a data breach and subjected itself to a rigorous OCR/HHS investigation, items such as missing risk assessments and inadequate security incident management processes would be identified and held against the entity. However, manage your data breach risk effectively, the thinking went, and the odds that the federal regulators identified a series of poor documentation practices were small enough to live with.

More Thorough and Aggressive HIPAA Audit Program

Through an aggressive audit pilot program, OCR/HHS has let it be known that this relaxed practice is no longer acceptable. The process starts with a letter from the federal agency letting the facility know that it has anywhere from seven to ten days to hand over all of its documented policies and procedures. From there, a site visit is scheduled with OCR/HHS’s auditing firm, KPMG, where a team of their auditors investigates all of the facility’s practices relating to patient PHI privacy and security. From there, a written report is prepared for the facility and, if warranted, sanction and fines are handed down.

HIPAA Audit Program Step in the Right Direction

Federal agencies are taking data protection practices seriously, and OCR/HHS is leading the charge with the HIPAA Audit Program. In Part 2 of this series, we will go into the HIPAA Audit Pilot findings and show how these will both affect providers and shape the program in the years to come.