By Adam H. Greene JD, MPH (Partner, Davis Wright Tremaine, LLP)
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun to notify covered entities that they have been selected for the first Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security audits under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The selected entities represent a cross-section of the health care industry, ranging from billion-dollar health care systems to small physician practices. The audit will entail a comprehensive review of privacy and security policies and procedures, documentation, and operations.
An anticipated 150 entities will undergo an audit, starting in mid-January. The first 20 entities have been selected and notified. HHS has indicated that it hopes to continue with proactive audits in the future and expects to become more aggressive in its enforcement of complaints. Accordingly, now is a good time to ensure that:
> Policies and procedures, and documentation comprehensively address all privacy and security requirements;
> Privacy and security training has been completed and documented;
> Actions taken as part of the HIPAA compliance program have been documented, such as complaints and any resulting investigations, findings, and mitigation; and
> Your security risk assessment and documentation of your risk management decision-making process are up to date.
The Unlucky Winners
HHS divided the covered entity population into four levels and various types of covered entities:
Level 1 – Large providers/payors with more than $1 billion in revenue and/or assets
Level 2 – Large regional hospital systems/Regional payor with between $300 million and $1 billion in revenue and/or assets
Level 3 – Community hospitals, ambulatory surgery centers, regional pharmacies (with between $50 million and $300 million in revenue and/or assets) and self-insured entities that do not adjudicate their claims
Level 4 – Small provider and community pharmacies with less than $50 million in revenue and/or assets
What Audited Entities Can Expect
It is anticipated that the selected covered entities will receive a notification letter along with requests for documentation. These covered entities may have as little as ten business days to respond. The requested information may include policies and procedures, training materials and documentation, a security risk analysis, and other documentation required by the HIPAA regulations.
The site visits, which likely will begin in January, will include a team of auditors spending between three and ten business days on site, interviewing leadership and inspecting the premises. The auditors may review the administrative, physical, and technical safeguards applied to written, oral, and electronic protected health information.
How To Prepare
The audits represent a good opportunity to take stock of your privacy and security programs and make improvements. OCR has indicated that, after publication of final rules modifying the HIPAA regulations in accordance with the HITECH Act, it will more aggressively pursue complaints where there are indications of noncompliance due to willful neglect. Preparing for the current wave of HIPAA audits will help prepare your organization for this heightened enforcement.
A few steps that your organization can take to help prepare for the audits include:
1. Addressing the entire lifecycle of electronic and hard copy protected health information, identifying where such information is created throughout the organization, how it is maintained, and how it is disposed of;
2. Creating a compliance cycle that regularly modifies policies and training in response to recurring issues and emerging threats; and
3. Conducting a comprehensive review of policies, procedures, other documentation and training.