Check Your Policies and Practices: HIPAA Audits Are Coming

October 18, 2011
Practice Group: Health Care
By Mary Beth F. Johnston and Amy L. Mackin
Over the summer, the Office for Civil Rights (“OCR”) took significant steps towards creation of an audit program to monitor compliance with the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”). This audit program is required by amendments to HIPAA under the HITECH Act, which called for “periodic audits” of covered entities and their business associates who are subject to HIPAA.[1]

Specifically, on June 10, 2011, OCR awarded a $9 million contract to the audit firm KPMG to create audit protocols and conduct initial HIPAA audits. The work will be divided into three steps: (1) creation of audit protocols; (2) piloting of the protocols through twenty test audits; and (3) completion of up to 150 on-site audits total by December 31, 2012, accompanied by further evaluation of the new audit program.[2] According to Susan McAndrew, OCR Deputy Director, the audits could also result in enforcement actions “if we uncover, in the course of the audit, major violations or potential violations.”[3]
Selection of Entities for Audit
OCR has also contracted with consulting firm Booz Allen Hamilton to identify potential audit candidates.[4] In particular, the firm has been tasked with developing a database “to enable meaningful and objective selection of covered entities to be audited by OCR based on a variety of potential factors, including the types, sizes and geographic locations of covered entities.”[5] In other words, selection will not be entirely random, but will also not be incident driven.[6] Specifically, the contract states that Booz Allen Hamilton

    “shall recommend to OCR additional relevant characteristics based upon available information to categorize and distinguish among identified covered entities (e.g., number of breaches reported to OCR). The additional characteristics shall assist OCR in identifying similar covered entities as well as which covered entities may be good targets for an audit. Elements shall enable OCR to distinguish between, for example, small and large hospitals; university health systems; reference hospital based and physician office based labs; pharmacies; small and large provider practices; and particular types of health plans.”[7]

[1] American Recovery and Reinvestment Act of 2009, Pub. Law 111-5, § 13411 (Feb. 17, 2009) (codified at 42 U.S.C. § 17940). Title XIII of Public Law 111-5 is known as the “Health Information Technology for Economic and Clinical Health Act,” or the “HITECH Act.”
[2] Federal contract announcements are reported and can be searched at the Federal Business Opportunities website at www.fbo.gov. Copies of the contracts have also been released pursuant to a Freedom of Information Act request.
[3] Jeffrey Roman, HIPAA Compliance Audits Described: KPMG to Launch Program after Tests, available at www.healthcareinfosecurity.com, Aug. 4, 2011.
[4] See supra, note 2.
[5] U.S. Dep’t of Hlth. and Human Serv., Ofc. for Civil Rights, Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance for Calendar Years 2009 and 2010.
[6] Up until now, OCR has generally conducted compliance reviews only after an incident or complaint has been reported.
According to Ms. McAndrew, OCR has not yet determined whether business associates will be audited under the pilot project, though KPMG has been tasked with creating protocols that would support business associate audits.[8] She also stated that there would be advance notice to entities selected for an audit (i.e., there will be no surprise audits). In addition, audited entities will be asked to supply documentation for auditors to review in advance of the on-site visit.
Logistics of an On-Site Audit
According to the KPMG contract, the HIPAA audits will include site visits, which will consist of (1) interviews with leadership; (2) examination of the organization’s physical features and operations; (3) evaluation of whether processes match policies; and (4) general observations of compliance with HIPAA requirements. Depending on the size of the organization being audited, each site visit will involve between two and five surveyors and last for a period of two to five days. The audits will be conducted at a rate of at least ten per month after the audit protocols are finalized.

After a site visit, the surveyors will submit an initial audit report describing the methodology of the audit, noting best practices observed, and providing copies of raw data collection materials. The audit report will also include recommendations for addressing identified compliance problems through a corrective action plan. In addition to the above information, final reports will also include a description of each incident of noncompliance observed during the audit process, analyzed in the following way:

• Condition—a description and evidence of the defect or noncompliant status observed;
• Criteria—a clear demonstration that the negative finding is a potential violation of a Privacy or Security Rule, with a citation to the relevant regulation;
• Cause—the reason that the condition exists, with supporting documentation; and
• Effect—the risk or noncompliant status that results from the finding.

The audited entity will be given an opportunity to review the draft final report, to propose a corrective action plan, and/or to dispute and appeal the findings or conclusions in the report. In her recent interview, Ms. McAndrew stated that OCR has not yet decided whether these audit reports will be published individually or summarized in a more general report that will be made publicly available.
HIPAA Enforcement
OCR is actively engaged in enforcing the HIPAA Privacy and Security Rules. According to its website, OCR investigated 4,229 HIPAA complaints in 2010, an increase of over 25% from the prior year.[9] In addition, in the spring and summer of 2011, OCR conducted four regional HIPAA trainings for state attorneys general and their staffs. These sessions included training on “investigative techniques for identifying and prosecuting potential violations” and education on the state attorney general’s role in enforcing HIPAA.[10]

[7] See supra, note 2.
[8] See Roman.
[9] www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/indexnumbers.html.
A former senior-level employee at OCR has publicly identified the following compliance areas as being of particular interest to OCR in assessing an entity’s HIPAA program:[11]

• Being able to detect a breach and respond to it;
• Maintaining and regularly reviewing a log documenting attempts to access the organization’s network;
• Ensuring the security of wireless networks;
• Creating policies and procedures regarding network user access and password management;
• Implementing security efforts to prevent theft or loss of mobile devices;
• Updating software; and
• Adjusting levels of network access based on the user’s role within the organization.

Therefore, covered entities may want to give particular attention to these issues in their compliance programs.
Next Steps
The announcement of the HIPAA audit program represents an opportunity for covered entities and business associates to review their HIPAA compliance programs. Although the odds of being selected for an audit this year are unknown, such audits are likely to become more routine in the future. Therefore, entities may want to consider the following steps:

• Review HIPAA policies and procedures to ensure they are up to date. For example, check to see if your organization has created a breach incident response plan.[12]
• Ensure that written policies are being implemented and enforced. Observe work stations, and talk to staff to assess compliance.
• Be sure you have documentation of recent staff training about what HIPAA requires. Schedule a “refresher” course if needed.
• Conduct an updated HIPAA risk assessment.[13] Document how the HIPAA standards are being met and what safeguards are in place.
• Assess your organization’s physical security measures. Most reported breaches are based on loss, theft or improper access to paper files or portable computer equipment.[14]
• Assess your organization’s electronic security measures, particularly in regard to electronic health records. If applicable, be sure your encryption software is up to date.
• If your organization has determined that any HIPAA “addressable” standards are not required, document how you reached this conclusion.
• If you find potential problems, take corrective action now. Apply sanctions if necessary.

Remember that the purpose of the audit program is to enforce the requirements of the Privacy and Security Rules. Taking steps to prepare for a possible audit may help to show auditors that your organization already takes HIPAA compliance seriously.

[10] www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/sagmoreinfo.html. Section 13410 of the HITECH Act provided for civil enforcement of HIPAA by state attorneys general.
[11] Dom Nicastro, OCR Identifies HIPAA Audit Goals, HealthLeaders Media, Aug. 15, 2011.
[12] 74 Fed. Reg. 42,740 (Aug. 24, 2009).
[13] 45 C.F.R. § 164.308.
[14] For a list of reported breaches, see www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
Authors:

Mary Beth F. Johnston
marybeth.johnston@klgates.com
+1.919.466.1181

Amy L. Mackin
amy.mackin@klgates.com
+1.919.466.1240