SUMMARY: In June 2011, the United States Department of Health & Human Services (HHS) Office of Civil Rights (OCR) contracted for new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Announcement of these new audits followed closely on the heels of a May 2011 report from the HHS Office of Inspector General (OIG) criticizing oversight and enforcement of the HIPAA Security Rule requirements and recommending that the OCR conduct random audits.
On May 16, 2011, the OIG issued a scathing report criticizing the effectiveness of existing oversight of the HIPAA Security Rule in the context of its review of the HIPAA Security Rule compliance efforts by seven hospitals. The OIG audits of these seven hospitals identified 151 vulnerabilities in the systems and controls intended to protect electronic protected health information (ePHI), of which 124 were categorized as high impact. The OIG decided not to release the names of the hospitals in question because it feared that these seven hospital IT systems could be attacked to exploit the vulnerabilities exposed in the report. This OIG report also triggered an investigation by the OCR of all seven hospitals.
As OCR steps up enforcement, it is important for healthcare providers and their business associates to review their IT systems for compliance with the Security Rule. In addition, HIPAA Privacy and Security Officers, or those with responsibility for overseeing privacy and security of ePHI at entities subject to HIPAA, will want to familiarize themselves with the OIG’s report. For a link to the full report, click here.
The OIG report concluded that oversight and enforcement actions by the Centers for Medicare & Medicaid Services (CMS) were insufficient to ensure covered entities effectively implemented the HIPAA Security Rule, especially as CMS investigations were chiefly triggered by complaints or reports in the media of potential HIPAA violations. The OIG recommended that OCR implement procedures for conducting random compliance reviews to ensure Security Rule controls are in place and operating as intended to protect ePHI at covered entities.
Just one month later, in June 2011, OCR entered into contracts for the provision of periodic audits of covered entities and business associates, as those entities are defined by HIPAA. The purpose of the audits is to ensure compliance with the HIPAA Privacy and Security Standards as amended by the HITECH Act.
OCR previously conducted audits of entities only after receiving a complaint or suspicion of non-compliance. These newly envisioned audits are not in response to a complaint but will be periodic audits required by Section 13411 of the HITECH Act. On June 9, 2011, OCR engaged Booz Allen Hamilton to identify candidates for HIPAA “periodic audits.” Compensation for Booz Allen’s services under the contract will be $178,870. No further information was provided as to the methods to be used to select entities for audit, such as whether the selection is completely random or based on specific criteria.
On June 20, 2011, OCR contracted with KPMG to first develop audit protocols and then perform the HIPAA periodic audits. The initial audits, to be completed by December 31, 2012, will focus on 150 covered entities and business associates, varying in size and scope. OCR will pay KPMG almost $9.2 million for these audits. Although it is not known whether KPMG will perform any of these audits through a subcontractor, which may be necessary were KPMG to have a conflict auditing an existing client, the contract synopsis does reference audits conducted by multiple “contracted firm(s).”
As part of its HIPAA periodic audit activities, the contract synopsis provides for KPMG to conduct site visits, examine physical features and operations, evaluate the consistency of process to policy, and observe compliance with regulatory requirements. KPMG also will interview organization leaders (e.g., Chief Information Officer, Privacy Officer, legal counsel, and health information management).
After each periodic HIPAA audit, KPMG must submit specific recommendations for corrective action that the audited entity can take to address identified compliance problems (the “corrective action plan”). The report must include recommendations to OCR regarding the continued need for corrective action, if any, and a description of future oversight recommendations. It is unknown whether these audit findings will be used merely to educate the audited entity and the health care community or to impose sanctions upon the audited entity. It would not be surprising, however, if monetary settlements were attempted to help recoup some of the almost $10 million spent under the contracts to audit a mere 150 entities.
For covered entities, the overall likelihood of being selected for an audit would seem low due to the small number of proposed audits (150) in comparison to the huge pool of covered entities. The risk may be slightly greater for larger, better-known business associates because, unlike the situation with covered entities, OCR does not have a complete list of the business associates of covered entities. The best practice for both covered entities and business associates is to audit their own privacy and security practices in anticipation of a HIPAA periodic audit.