HIPAA Audits More Preventive Than Punitive, HHS Official Says

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

As the federal government inches closer to beginning audits of entities covered by the Health Insurance Portability and Accountability Act, the top official overseeing those efforts told BNA Aug. 19 that she sees the audits more as preventive measures than as enforcement tools.

“We're looking for a role for audit that's not duplicative of our enforcement authority,” said Susan McAndrew, deputy director of health information privacy in the Department of Health and Human Services' Office for Civil Rights (OCR). McAndrew said the audits—which will be rolled out in a pilot program later this year—will be designed to identify vulnerabilities in covered entities' compliance with the HIPAA privacy and security rule “so those can be addressed and fixed before they result in a breach or wrong act that would then require an enforcement action.”

McAndrew said she foresees the audits resulting in corrective actions and prospective fixes rather than focusing on identifying violations. She cautioned, though, that “serious noncompliance” and violations found by auditors likely would be referred for investigation and enforcement by OCR.

In the Health Information Technology for Economic and Clinical Health (HITECH) Act, Congress required OCR to establish audits of health care and other entities that must comply with HIPAA privacy and security mandates.

McAndrew said OCR is working with three separate auditor contractors to roll out the HIPAA audit pilot program, which will run through the end of 2012.

Identifying Covered Entities

Right now, OCR is working with contractor Booz Allen Hamilton to identify a universe of covered entities to include in the audit pilot. McAndrew said the process is being undertaken to ensure OCR makes “objective, neutral-based selections” of covered entities.

“We don't want to have the audits driven by who we have had complaints against in the past,” McAndrew said. Likewise, the audits will not be limited to the biggest hospitals and other large providers. Rather, McAndrew explained, OCR is aiming to have a broad range of HIPAA-covered entities.

Among factors in the contractor's efforts to tier covered entities into buckets for making audit selections, McAndrew said, is the kind of data each covered entity type possesses and how much privacy information is at risk if that organization type is not complying with HIPAA privacy and security requirements.

Audit Protocols

OCR also has begun working with a second contractor, KPMG, to develop audit protocols that will be used to assess covered entities' compliance with privacy and security obligations, McAndrew said.

KPMG also will conduct the audits.

The protocols, she said, will be developed entirely based on existing HIPAA privacy and security regulations and will not cover new rules mandated in the HITECH Act that are expected to be finalized by OCR at the end of this year. The new rules are likely to have a six-month compliance period, or longer, McAndrew said, and KPMG will have already begun the audits during that time.

She said, however, that OCR may work with KPMG toward the end of 2012 to develop a small subset of audits to work in some of the new HITECH requirements.

McAndrew said that while OCR and KPMG are developing audit protocols that apply to all covered entities, she said they can be adapted for different types and sizes of organizations. For example, she said, “generic” protocols for health care providers will be scalable to single-practice environments as well as larger, complex hospital systems.

The first step in the actual auditing process will be to conduct field tests of the protocols on a small sampling—10 to 20—of covered entities before rolling out the audits to a larger population, McAndrew said.

Ultimately, OCR expects KPMG to audit 100 to 150 covered entities by the end of 2012.

Although the covered entities selected for audits will represent a wide range of organizations, McAndrew said, OCR will look closely at small providers to determine if the audit protocol actually works for them and to determine how best to reach those providers, because “typically they're harder to reach.”

Audit Evaluation

The audit pilot also will engage a third contractor—still to be named—that will evaluate “whether we are getting a good value” from the process, McAndrew said.

“The audit is manpower- and funding-intensive in the traditional mode. We want to make sure, through the evaluation, it actually does give us insight into compliance that would not otherwise be available to us,” she said.

McAndrew said OCR also hopes to glean from the audit pilot guidance the degree of compliance among covered entities and where the agency best can target its resources to help covered entities come into compliance on their own, such as identifying best practices for organizations.

Business Associates

McAndrew said the HITECH statute clearly envisions that business associates will be included in HIPAA audits, but said OCR is focusing first on covered entities.

She said Booz Allen Hamilton may begin work on the possibility of identifying business associates to be included in the audit pilot, but said business associates present “a more dynamic problem.”

McAndrew explained that identifying which organizations are business associates was difficult because selection, in the first place, depended on the types of organizations covered entities choose as their business associates.

She also said the timing of the final rules implementing the HITECH changes that make business associates accountable for HIPAA compliance are not “synching up to make them a high priority for this pilot.”

“We are really more concerned at this point that we have something workable for covered entities,” McAndrew said.

By Kendra Casey Plank


Request Health Care on Bloomberg Law