Benefits Compliance

HIPAA Privacy & Security Audit Program: What Plan Sponsors Should Know

How likely is it that your group health plan will be selected for a HIPAA compliance audit? If it is, what can you expect? What should you, the plan sponsor, be doing now to ensure your group health plan is HIPAA compliant? Read on for the answers to these and other questions.

The HITECH Act requires HHS to periodically audit covered entities and business associates to ensure they are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards. To implement this mandate, the HHS Office for Civil Rights (OCR) began a pilot program in November 2011 to perform up to 150 audits of covered entities to assess privacy and security compliance. The pilot audit program will conclude by December 2012.

Why is OCR Conducting this Pilot Audit Program?

Prior to this pilot audit program, OCR’s privacy and security compliance program consisted of complaint investigations and compliance reviews. These audits, on the other hand, are primarily a “compliance improvement activity,” according to OCR.  They are intended to help OCR assess how various types of covered entities are complying with HIPAA, learn what mechanisms covered entities use to comply, and identify “best practices” that all covered entities can implement. 

Additionally, OCR hopes the audits will allow it to “discover risks and vulnerabilities” that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.   The OCR website notes that the audit program “may uncover reasons many health information breaches are occurring and help OCR create tools for covered entities to better protect individually identifiable health information.”  After the conclusion of this pilot audit program, OCR will share what it learned from these audits – by posting (on its web site and other outreach portals) what it considers best practices and other guidance targeted to the specific compliance challenges observed in the audits.

Who Will Be Audited?

This initial audit program targets covered entities; business associates will be included in future audits. OCR will audit a wide range of types and sizes of covered entities, including individual and organizational providers of health services (such as doctors, clinics, nursing homes, and pharmacies), health plans of all sizes and functions, and health care clearinghouses. Although the OCR website does not say what factors will be considered in selecting entities to audit, some HIPAA experts have suggested that OCR might target covered entities with specific risk factors, such as those that control large volumes of data or hold highly sensitive records (for example, the health records of celebrities).

Note: Based on the above information, it seems likely that OCR's audit of health plans will target insurance companies and large group health plans, rather than small or medium-size group health plans. But you never know!

How Will the Audit Program Work and What are the Timeframes?

OCR will contact entities selected for an audit between 30 and 90 days prior to the date of the site visit. This initial letter will explain the audit process and expectations and will ask the audited entity to provide documentation of its privacy and security compliance efforts. (See below for the specific documentation OCR is likely to request.) OCR expects entities notified of audits to provide the requested information within 10 business days of the request.

In this pilot phase, every audit will include a site visit and result in an audit report. OCR has contracted with the auditing firm KPMG to conduct these site visits and audits. During site visits, which will take 3 to 10 business days, auditors will interview key personnel and observe processes and operations to help determine the entity's compliance. Within 20 to 30 days after the site visit, auditors will write a draft of the final report and share it with the covered entity. An audit report generally describes how the audit was conducted, what the findings were, and what actions the covered entity will take in response to those findings.

Before the report is finalized, the covered entity will have 10 business days to review it and to provide a written response to the auditor stating its concerns and describing corrective actions it has implemented to address the issues identified in the audit. Within 30 business days after the covered entity's response, the auditor will complete a final report and submit it to OCR. This final report will include not only the auditor's findings, but also the steps the covered entity has taken to resolve any compliance issues, and any best practices of the entity.

What Documentation of Privacy and Security Compliance will OCR Request?

If you receive an initial audit letter asking you to provide documentation of your group health plan’s privacy and security compliance efforts, the letter probably will request copies of the following documents:

  • HIPAA security risk analysis
  • HIPAA privacy and security policies and procedures
  • HIPAA training materials and lists of who was trained and when
  • Copies of business associate agreements (BAAs)
  • Copies of the plan’s Notices of Privacy Practices and when these were sent
  • Copies of HIPAA Authorization forms and other HIPAA forms the plan uses
  • HITECH breach notification policies and procedures
  • If a breach has occurred, copies of breach notices sent, lists of individuals to whom the notice was sent, and mitigation actions the plan or plan sponsor took

What Happens After an Audit?

During the pilot audit program OCR usually will not impose penalties or take enforcement actions, even if it finds the entity is not entirely compliant with HIPAA requirements. As noted above, the purpose of this pilot program is to assess compliance levels, learn how entities are complying, identify best practices, and discover potential risks and vulnerabilities that OCR has not previously identified. The OCR website generally uses the term "noncompliance" rather than "violations" when referring to noncompliant actions it might uncover.

Despite the emphasis on compliance assistance, however, the OCR website does note that if an audited entity is found to be significantly out of compliance (and presumably does not take corrective action), OCR may initiate a compliance review after the pilot audit, and this review could result in penalties or enforcement action by OCR.

At the end of the pilot audit program, OCR will review all the audit reports to help OCR develop appropriate technical assistance and determine the types of corrective actions that are most needed.

Additionally, the OCR website says that it will not post a list of the audited entities, nor will it identify a particular entity and its audit results.  That is, even if OCR identifies the top areas of noncompliance, or even provides information about a specific noncompliant procedure or incident, it will not identify the entity in which such noncompliance occurred. 

Action Items for Group Health Plan Sponsors

  • Identify who will be your audit point person, if you do get a HIPAA audit letter from OCR.
  • Review your HIPAA compliance documents and procedures and make sure they are current (e.g., policies and procedures, training materials, business associate agreements, and the security risk analysis if your plan is self-insured). See the list of documentation items above that OCR is likely to request.
  • Train key people so they know correct HIPAA procedures, in case of an on-site visit.
  • Make sure you have business associate agreements (BAAs) with all your business associates.
  • Make sure your BAAs and your HIPAA policies and procedures include HITECH breach notification procedures.
  • If you had a security breach in the past, be sure you have copies of the breach notice, can show that you notified affected parties as required, and can document what steps you took to mitigate any potential harm to participants and what actions and changes you made to prevent future breaches.