The long-overdue HIPAA compliance audit program likely will launch late this year or early in 2012 after test audits are completed by the Office for Civil Rights (OCR).
The first step will be the creation of a comprehensive set of protocols for how audits will be conducted and what measures will be used to assess compliance. Then OCR will do a round of audits in order to field test the protocols that have been developed. After that, the formal program for on-site audits will continue through the end of 2012.
Selection of Audit Candidates
OCR declines to disclose all the details of how organizations will be selected for the audit tests or for the formal auditing program. But they will strive to make sure a wide variety of organizations is selected, based on type, size and location. They will be looking for a variety of entity types to select for the testing of the protocols, and then for meaningful ways of targeting the audit candidate selections. Selection will not be totally random, but it will not be incident-driven either, unlike the current investigations and compliance reviews that they do. This is an opportunity for them to select on a more random basis whom they will be looking at.
Asked whether the audits will be used primarily as a way to enforce HIPAA or as a way to educate organizations about compliance, OCR said it doesn't think the audit program will be that black and white.
OCR views the HITECH Act-mandated audit program as a way of expanding their capacity to ensure compliance, however, and acknowledges that some audits could result in enforcement action. Certainly, if they uncover major violations or potential violations in the course of an audit, they will deal with those in the same manner they would through their formal enforcement process.
Other Audit Insights
OCR has not yet determined whether it will audit business associates as well as covered entities. Nevertheless, protocols will be developed to support business associate audits. Audits initially likely will offer comprehensive assessments of compliance with the HIPAA privacy and security rules, rather than focusing on specific narrower issues.
OCR will provide advance notice to entities selected for the audit process and advance requests for documentation. Draft audit reports typically will be shared with the organization before they are completed, and responses will be incorporated in the final report. A decision on exactly how to inform others about the results of the audits has not yet been made. OCR says others can learn a great deal from these audit reviews, that they will make it possible to publicize best practices and effective corrective action, and that making this information public can expand the impact on compliance. But OCR has not yet determined whether it will publish individual audit reports or summary reports on trends identified across all the audits. The agency won't determine whether to continue the audits beyond 2012 until it evaluates the results of the initial program.
How to Prepare for Audits
Your practice can prepare for the audits by taking several steps, including:
- reviewing your privacy and security policies and procedures;
- ensuring that you've documented patient information safeguards;
- completing an updated risk assessment; and
- developing a breach incident response plan.
Information on all of the above is provided in our Healthcare Compliance Pros materials.