HIPAA Regulatory Alert

HIPAA compliance audits begin with a pilot program

You should prepare now: documents are due 10 days after notice

As promised by the Department of Health and Human Services' Office for Civil Rights (OCR) and mandated by the HITECH Act, HIPAA compliance audits have begun, and 20 organizations were visited during the pilot phase of the program.

"Hospitals selected for the audit have to provide a lot of documentation in a short timeframe," explains Adam Greene, partner at the Washington, DC, law firm of Davis Wright Tremaine and a former OCR official. In addition to the expected policies and procedures related to privacy and security, auditors want to see current risk analyses and documentation related to improvement of data protection, he adds. (See related story on documentation tips, p. 2.) "Be aware that the audit's scope extends past electronic health records and covers privacy and security of data in clinical, research, and billing departments, as well as employee use of email and text messaging."

From the time of notification of an audit, you have 10 calendar days to provide all of the documents requested, says Mac McMillan, chief executive officer of CynergisTek, an information technology security consulting company. McMillan advised a Texas hospital included in the initial audit.

Because the initial document request also includes items that are not HIPAA-specific, such as demographic information about the hospital's market and patient population and an organizational chart, prepare ahead of time by knowing where these documents are located, he suggests.

The audit is scheduled between 30 and 90 days from the date of the notice, but OCR does give five days' notice before auditors arrive, says McMillan. "Actually, my client got eight days' notice, which helped us make sure everyone who was likely to be interviewed by auditors, or involved in the audit, was onsite during those days." OCR estimates audits to take 3-10 days, depending on the organization being audited. McMillan says his hospital client's audit was one week long. (Learn what to expect during an audit, p. 3.)

Because you do not have a lot of time to educate people who may be involved in the onsite audit, set up your audit team now, suggests Chris Apgar, CISSP, president of Apgar & Associates, a Portland, OR-based consulting firm. "This will make preparation for the audit easier because everyone will understand their role." (See how to set up an audit team, p. 3.)

Results of the 20 audits conducted during the pilot program will be used to evaluate the audit tool as well as the audit process, and to make changes if needed before the remaining 130 audits scheduled for 2012 are conducted after the pilot program's completion in the spring, says Apgar. Although larger organizations such as health plans, claims clearinghouses, and larger hospitals were expected to be audited earlier rather than later in the process, the pilot program included a dental office, a long-term care facility, and a pharmacy. "I am sure these smaller organizations were surprised at their inclusion, but it is important to smaller providers that the pilot included them," he says.

OCR auditors and staff members will be able to ensure that the audit tool is practical for smaller as well as larger organizations, which will help small hospitals, specialty hospitals, and freestanding surgery centers, he adds.

Prepare now

Although there is no way to know if your organization will be one of the 130 additional audits conducted in 2012 or in upcoming years, you can take steps now to prepare, suggests McMillan.

"Even if you don't know exactly what documents will be requested in your initial notice, there are a number of items that can be expected," he says. "Ten calendar days is not a lot of time to gather documents, so the first step is to know where everything is located."

Apgar says, "You don't have to centralize all policies and documentation related to HIPAA privacy and security issues, but you do need to have a way to quickly access them."

Assigning the responsibility to one or two people and creating an index of all documents that might be requested is a good start, he says. Identify the documents, their location, and contact information for the people who can access them easily.

Be sure you have a current risk analysis, says Apgar; the Security Rule requires one (45 CFR 164.308(a)(1)(ii)(A)) and it is among the first items auditors ask for. "The rule does not specify how often a provider must conduct a risk analysis, but a good guideline is annually or whenever there is a change that might affect security risk levels," he points out. Adding a new business associate or introducing a new system such as electronic health records are points at which a risk analysis should be done, he says.

Along with the documentation of the risk analysis, auditors will want to see corrective action plans and data to show progress in remediation of areas that were identified as non-compliant, says Greene. "This is very important if the hospital is aware of a potential weakness in compliance," he says. "Demonstrate to auditors that you are aware of the issue, have identified steps to correct it, and are making progress."

McMillan says, "Pay close attention to how you manage your business associate relationships, and document your efforts to carefully control information released to them. This requires more than showing a copy of an agreement. Document due diligence related to flow of information, procedure for termination, and process to jointly handle breaches." (For information about business associates and HIPAA, see "Data breaches attributed to business associates increase," HIPAA Regulatory Alert, February 2012, p. 1.)

Set up an audit team

"OCR has hinted that there will be no hesitance to levy fines on non-compliant organizations identified in the audits," says Apgar. These fines will be used to support the audit program, so although it was originally described as a non-punitive program, it is important to take the process seriously to avoid potential fines, he adds.

Because the HITECH Act has given OCR the ability to assess significant financial fines, this is not the time to play the odds, warns Greene. "Although your chance of being one of the 130 organizations audited this year is small, look at this as a way to get your house in order," he says. "Perform a thorough assessment, make sure your HIPAA training programs are effective, and even if you prepare for an audit that doesn't happen, your hospital and your patients benefit."

For more information about preparation for HIPAA compliance audits, contact:

• Chris Apgar, CISSP, President and CEO, Apgar & Associates, 11000 SW Barbur Blvd., Suite 201, Portland, OR 97219. Telephone: (502) 384-2538. Fax: (503) 384-2539. Email: capgar@apgarandassoc.com.

• Adam Greene, Partner, Davis Wright Tremaine, Suite 800, 1919 Pennsylvania Ave. NW, Washington, DC 20006-3401. Telephone: (202) 973-4213. Fax: (202) 973-4413. Email: adamgreene@dwt.com.

• Mac McMillan, Chief Executive Officer, CynergisTek, 8303 N. MoPac Expressway, Suite 128B, Austin, TX 78759. Phone: (512) 402-8555. Email: mac.mcmillan@cynergistek.com.