In July, the Department of Health and Human Services' Office for Civil Rights made clear that it would start doing a better job at making sure entities covered by the Health Insurance Portability and Accountability Act were taking the necessary steps to protect patient data and comply with patient privacy and security laws.
What have health care organizations been doing since then to prepare for the tighter enforcement? Not much, according to the results of a survey of more than 400 HIPAA compliance officers and health information management directors.
In November, HCPro, a health care regulation and compliance consultancy firm in Danvers, Mass., conducted a survey to gauge how prepared health care organizations are for a HIPAA audit. In a Dec. 2 blog post on the survey's findings, HCPro said it found that only 17% of those surveyed were fully prepared, and 70% said they were only "somewhat prepared." A full report on the survey's findings is scheduled to be published in January 2012.
These findings come just four months after the HHS Office for Civil Rights, the office tasked with enforcing HIPAA compliance, awarded a $9 million contract to the McLean, Va.-based consulting firm KPMG to create an audit program. The program will verify that health care organizations, payers and business associates are prepared to meet the strengthened HIPAA requirements laid out in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. Part of KPMG's plan is to conduct random, on-site audits of 150 organizations by Dec. 31, 2012.
According to the contract, the site visits would include interviews with organization leaders such as chief information officers, privacy officers, legal counsel, health information management officers and medical records directors; an examination of the organization's physical features and operations, and its consistency in following policy; and observations of compliance with regulatory requirements.
Organization leaders told HCPro in its survey that they were not fully prepared for these audits for several reasons, including a lack of commitment to HIPAA compliance by senior management. One survey respondent, according to HCPro's blog posting, said most organizations say they don't have time to implement HIPAA regulations on a regular basis. "There needs to be an outside agency coming into the hospital and interviewing the employees on a regular basis," the respondent said.
Although the number of entities KPMG plans to audit is small compared with the number of HIPAA-covered entities in the U.S., any organization could be chosen, according to HHS. KPMG was instructed to audit a wide range of covered entities in terms of scope and size, and could include anyone from individual physicians to business associates.
Under the HIPAA Security Rule, organizations must complete a risk analysis and have written policies in place detailing their approach to patient privacy and security, including sanctions for workforce members who do not comply. Experts say organizations need to have those documents ready not only for the possibility of a random audit by KPMG: the Office for Civil Rights also has the authority to open an investigation based on complaints from patients who believe their privacy was violated, so the same documentation may be requested at any time.