HIPAA Audits: Coming to a Provider Near You?
In November 2011, the Office for Civil Rights (OCR) began auditing covered entities for compliance with the HIPAA privacy and security rules. The audits followed criticism from Congress that OCR was not effectively enforcing HIPAA. Readers of this blog may also recall a study by the Office of Inspector General (OIG) that found significant lapses in HIPAA security at the handful of hospitals it audited.
The current audit program initially targeted 150 covered entities, a category that includes individual and organizational health care providers, health plans and health care clearinghouses. According to recent reports, that number has since been scaled back to 115. Business associates will be targeted in the next round of audits. The audits will be conducted by outside contractors. A covered entity selected for audit will be notified and given ten days to produce the requested documents. An onsite audit will follow, expected to last three to seven days, and will culminate in an audit report. OCR will soon publish the protocol the auditors will use.
What this means is that covered entities must review their HIPAA privacy and security policies now and be ready to explain any deficiencies. Too often, security policies are treated as "one and done" exercises: the documents are written, but the systems they describe are never actually tested against them. Remember that covered entities have an ongoing duty to evaluate their HIPAA privacy and security compliance; the Security Rule itself requires a periodic risk analysis and evaluation, not a single written policy. Receiving an audit notification is a painful way to perform that risk analysis for the first time.
Perhaps even more exposed are business associates. While they are not the target of the initial audits, experience may well show considerable gaps among them, especially given the broad definition of business associate. Those more removed from the provision of health care services may have difficulty with strict compliance with the HIPAA regulations. Hopefully, this will be taken into account when business associates are audited.