The long-overdue HIPAA compliance audit program likely will launch late this year or early in 2012 after up to 20 test audits are completed, says Susan McAndrew, deputy director of the federal agency overseeing the program.
The Department of Health and Human Services recently awarded a $9.2 million contract to the consulting firm KPMG to launch the audit program as mandated by the HITECH Act. The HHS Office for Civil Rights will work with KPMG to roll out the program in three phases, says McAndrew, OCR's deputy director for health information privacy.
The first step will be creation of a comprehensive set of protocols for how audits will be conducted and what criteria will be used to measure compliance, McAndrew says in an interview with HealthcareInfoSecurity.com. "Then we will do a round of audits, maybe up to 20 or so, in order to field test ... the protocols that have been developed," she adds. After that, the formal program for as many as 150 on-site audits will continue through the end of 2012.
Selection of Audit Candidates
McAndrew declines to disclose all the details of how organizations will be selected for the audit tests as well as the formal auditing program. But she says OCR will strive to make sure a wide variety of organizations are selected, based on type, size and location.
"We will be looking for a variety of entity types to select for the testing of the protocols," McAndrew says. "And then we will be looking for meaningful ways of targeting the audit [candidate] selections ... true to the typical audit protocols. ... It will not be totally random ... but this [audit program] will not be incident-driven, unlike the current investigations and compliance reviews that we do. This is an opportunity for us to select on a more random basis who we will be looking at."
Asked whether the audits will be used primarily as a way to enforce HIPAA or as a way to educate organizations about compliance, McAndrew says, "I don't think that the audit program will be that black and white."
OCR views the HITECH Act-mandated audit program "as a way of expanding our capacity to ensure compliance," she says. McAndrew notes, however, that some audits could result in enforcement action. "Certainly, if we uncover in the course of the audit major violations or potential violations ... we will be dealing with those ... in the same manner we would through our formal enforcement process."
Other Audit Insights
In the interview, McAndrew also says:
OCR has not yet determined whether it will audit business associates as well as covered entities, such as hospitals, clinics and health insurance plans. Nevertheless, KPMG will develop protocols to support business associate audits.
Audits initially will likely offer comprehensive assessments of compliance with the HIPAA privacy and security rules, rather than focusing on specific narrower issues.
OCR will provide advance notice to entities selected for the audit process and advance requests for documentation. "The model that we're testing is your typical onsite audit," McAndrew says. Draft audit reports typically will be shared with the organization before they are completed, and responses will be incorporated in the final report.
A decision on exactly how to inform others about the results of the audits has not yet been made. "There can be great learning by others from these audit reviews. I'm hoping, certainly, that it will lead to the ability to publicize best practices and effective corrective action ... and that we can expand the impact on compliance ... by making this information public," McAndrew says. But OCR has not yet determined whether it will publish individual audit reports or summary reports on trends identified in all the audits.
The agency won't determine whether to continue the audits beyond 2012 until it evaluates the results of the initial program.
How to Prepare for Audits
McAndrew encourages healthcare organizations to prepare for the audits by taking several steps, including reviewing their privacy and security policies and procedures; ensuring that they've documented patient information safeguards; completing an updated risk assessment; and developing a breach incident response plan.
"This is just another opportunity for covered entities to take a moment from their busy, busy days and do a self-assessment," she says. "We think that this will help them down the road in terms of building their own capacity for a robust compliance program. ..."