Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...
As the federal government inches closer to beginning audits of entities covered by the Health Insurance Portability and Accountability Act, the top official overseeing those efforts told BNA Aug. 19 that she sees the audits more as preventive measures than as enforcement tools.
“We're looking for a role for audit that's not duplicative of our enforcement authority,” said Susan McAndrew, deputy director of health information privacy in the Department of Health and Human Services' Office for Civil Rights (OCR). McAndrew said the audits—which will be rolled out in a pilot program later this year—will be designed to identify vulnerabilities in covered entities' compliance with the HIPAA privacy and security rule “so those can be addressed and fixed before they result in a breach or wrong act that would then require an enforcement action.”
McAndrew said she foresees the audits resulting in corrective actions and prospective fixes rather than focusing on identifying violations. She cautioned, though, that “serious noncompliance” and violations found by auditors likely would be referred for investigation and enforcement by OCR.
In the Health Information Technology for Economic and Clinical Health (HITECH) Act, Congress required OCR to establish audits of health care and other entities that must comply with HIPAA privacy and security mandates.
McAndrew said OCR is working with three separate auditor contractors to roll out the HIPAA audit pilot program, which will run through the end of 2012.
Right now, OCR is working with contractor Booz Allen Hamilton to identify a universe of covered entities to include in the audit pilot. McAndrew said the process is being undertaken to ensure OCR makes “objective, neutral-based selections” of covered entities.
“We don't want to have the audits driven by who we have had complaints against in the past,” McAndrew said. Likewise, the audits will not be limited to the biggest hospitals and other large providers. Rather, McAndrew explained, OCR is aiming to have a broad range of HIPAA-covered entities.
Among factors in the contractor's efforts to tier covered entities into buckets for making audit selections, McAndrew said, is the kind of data each covered entity type possesses and how much privacy information is at risk if that organization type is not complying with HIPAA privacy and security requirements.
OCR also has begun working with a second contractor, KPMG, to develop audit protocols that will be used to assess covered entities' compliance with privacy and security obligations, McAndrew said.
KPMG also will conduct the audits.
The protocols, she said, will be developed entirely based on existing HIPAA privacy and security regulations and will not cover new rules mandated in the HITECH Act that are expected to be finalized by OCR at the end of this year. The new rules are likely to have a six-month compliance period, or longer, McAndrew said, and KPMG will have already begun the audits during that time.
She said, however, that OCR may work with KPMG toward the end of 2012 to develop a small subset of audits to work in some of the new HITECH requirements.
McAndrew said that while OCR and KPMG are developing audit protocols that apply to all covered entities, she said they can be adapted for different types and sizes of organizations. For example, she said, “generic” protocols for health care providers will be scalable to single-practice environments as well as larger, complex hospital systems.
The first step in the actual auditing process will be to conduct field tests of the protocols on a small sampling—10 to 20—of covered entities before rolling out the audits to a larger population, McAndrew said.
Ultimately, OCR expects KPMG to audit 100 to 150 covered entities by the end of 2012.
Although the covered entities selected for audits will represent a wide range of organizations, McAndrew said, OCR will look closely at small providers to determine if the audit protocol actually works for them and to determine how best to reach those providers, because “typically they're harder to reach.”
The audit pilot also will engage a third contractor—still to be named—that will evaluate “whether we are getting a good value” from the process, McAndrew said.
“The audit is manpower- and funding-intensive in the traditional mode. We want to make sure, through the evaluation, it actually does give us insight into compliance that would not otherwise be available to us,” she said.
McAndrew said OCR also hopes to glean from the audit pilot guidance the degree of compliance among covered entities and where the agency best can target its resources to help covered entities come into compliance on their own, such as identifying best practices for organizations.
McAndrew said the HITECH statute clearly envisions that business associates will be included in HIPAA audits, but said OCR is focusing first on covered entities.
She said Booz Allen Hamilton may begin work on the possibility of identifying business associates to be included in the audit pilot, but said business associates present “a more dynamic problem.”
McAndrew explained that identifying which organizations are business associates was difficult because selection, in the first place, depended on the types of organizations covered entities choose as their business associates.
She also said the timing of the final rules implementing the HITECH changes that make business associates accountable for HIPAA compliance are not “synching up to make them a high priority for this pilot.”
“We are really more concerned at this point that we have something workable for covered entities,” McAndrew said.
By Kendra Casey Plank
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)