Office for Civil Rights Publishes HIPAA Audit Protocol

The passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 updated HIPAA and, as such, obliged the Department of Health & Human Services’ Office for Civil Rights (OCR) to complete a program of compliance audits to make sure the new rules had been put into action.

After an initial phase of 20 preliminary pilot audits, the OCR has come up with an audit protocol which will be used to review compliance at a total of 155 HIPAA-covered entities, with the audits due to finish in December 2012.

Since any group can be audited – not just large healthcare suppliers – it is vital that all organizations check their procedures and revise them as required to take the new Security Rule requirements into account.

The OCR has now released the long-awaited results of the audit program on its website, detailing the specific aspects of HIPAA – the Privacy Rule, the Security Rule and the Breach Notification Rule – that will be assessed.

There are three main parts of the legislation which are being specifically looked at under the audit protocol: adoption of the Privacy Rule, adoption of the Security Rule and compliance with the Breach Notification Rule.

Organizations will be audited on the policies and procedures that fall under the Privacy Rule: the notice of privacy practices for Protected Health Information (PHI), patient rights to request privacy protection for PHI, the right of individuals to access their own PHI, proper use and disclosure of PHI, amendments to PHI, accounting of disclosures, and all HIPAA Privacy Rule administrative requirements.

Under the Security Rule, HIPAA-covered bodies must use appropriate administrative, physical and technical safeguards to protect PHI, and evidence that these safeguards have been put into place will also be scrutinized. Policies and procedures will also be reviewed to make sure they adhere to the recent changes to the Breach Notification Rule.

The purpose of the audits is not to punish groups that have failed to put into place the necessary changes, but to get a general idea of compliance throughout the healthcare sector. The data gathered in the audits can be used to analyze trends and determine areas where the legislation is proving difficult to put in place. Obstacles can be identified and steps taken to ensure the legislation has the desired result.

Financial penalties are not expected to be applied for non-compliance issues discovered in the audits, although action plans are likely to be issued to organizations found not to have made the required amendments. Any serious security problems found could still result in a massive fine.

It has become obvious that while many healthcare organizations have adopted the legislative amendments and updated their policies and procedures, a significant number have not taken sufficient steps to protect the ePHI of their patients and policy holders. The OCR says that the greatest issue affecting the sector is ensuring ePHI is kept safe and secure. 65% of organizations found to have breached HIPAA regulations did so because of inadequate processes to protect electronic health records.

The main Security Rule issue found by the OCR was organizations’ failure to complete a thorough risk analysis of their IT systems to identify security holes and weaknesses. Even when issues were identified, many healthcare organizations were unsure how to properly manage the risks they found.

Performing risk assessments is now mandatory, not only under the Security Rule but also under the Meaningful Use program. As OCR Director Leon Rodriguez commented at the OCR/NIST conference this month, “It is no longer acceptable to be non-compliant”.

With the government having recently questioned the success of OCR enforcement of HIPAA legislation, future audit programs are likely to see non-compliance vigorously enforced, and breaches are likely to result in massive financial penalties.