In August, we posted an entry regarding the newly announced Health Information Portability and Accountability Act of 1996 ("HIPAA") audits that would be underway, pursuant to Section 13411 of the Health Information Technology for Economic and Clinical Health Act ("HITECH"). Section 13411 provides, in its entirety:
SEC. 13411. AUDITS.
The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.
In implementing this provision, the Office of Civil Rights ("OCR") is conducting a pilot program ("Pilot") in which it will "perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the Pilot will begin November 2011 and conclude by December 2012." Business associates will not be audited at this time.
The OCR has promulgated a 3-step process for the Pilot:
(1) Developing audit protocols,
(2) Conducting a limited number of audits (20) to test the protocols, which includes the following four steps:
a. Auditee selection
b. Auditee notification
c. Test of protocol
d. Period of review and adjustment of protocols
(3) Conducting a full range of audits using revised protocol materials
The OCR aims at auditing a wide range of types and sizes of covered entities, including covered individual and organizational providers, health plans and healthcare clearing houses.
Covered entities being audited by the OCR can generally expect the following:
- Written notification by OCR that the covered entity has been selected for an audit and a request to provide documentation of the covered entity's privacy and security compliance efforts (OCR provides this sample Initial Notification Letter on its website)
- The covered entity will have 10 business days to supply the requested information
- Within 30-90 days from the date of the initial written notification, the OCR will conduct a site visit (lasting between 3 and 10 business days) involving interviews of key personnel and observations of processes and operations to determine compliance
- The auditors will develop a draft audit report and share it with the covered entity
- The covered entity will have 10 business days to discuss the identified concerns and describe corrective actions it has implemented to address the identified concerns
- Within 30 business days after receipt of the covered entity's response, the OCR will submit a final audit report, which will incorporate the steps the covered entity has already taken to resolve compliance issues
According to the OCR, "[a]udits are primarily a compliance improvement activity....Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem."