Initial HIPAA Audit Report Provides Some Guidance, Identifies Top Risks

In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KMPG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its initial group of 20 audits aimed at testing the audit protocol. The United States Department of Health & Human Services’ (HHS) Office of Civil Rights (OCR) recently issued a preliminary report of the results (click here to see OCR’s slide presentation of the 2012 HIPAA Privacy and Security Audits Report). 

Although 20 audited entities does not constitute a statistically significant sample, the results provide some preliminary observations that may enable Covered Entities and Business Associates to better understand government expectations under HIPAA. The audit report notes that smaller entities have more compliance issues in general, and finds the majority of issues (66%) stem from the smallest group of providers. This finding is not too surprising because smaller entities have fewer staff members and less resources to focus on compliance. 

The report also finds more compliance issues with providers than with health plans or with health care clearinghouses that standardize health information for billing purposes. Providers composed exactly half of the entities that KMPG audited but represented 81% of the compliance issues. 

The majority (65%) of compliance issues relate to the HIPAA Security Rule, rather than the Privacy Rule or breach rules. The top four security deficiencies are:

  • user activity monitoring;
  • contingency planning;
  • authentication/integrity; and
  • media re-use and destruction.

The top privacy issues relate to:

  • review of denial of access to protected health information (PHI);
  • right to access PHI;
  • policies and procedures;
  • business associate contracts;
  • release of information relating to deceased individuals; and
  • personal representatives.

OCR reports that KPMG is now “[r]olling out the full range of audits and evaluation process” for approximately 100 Covered Entities, and these audits are expected to be completed by December 2012. OCR will then contract with a vendor to review and evaluate the audit program in 2013. Business Associates will be targeted in a future wave of audits.  OCR believes these results will spur Covered Entities and Business Associates “to assess and calibrate their privacy and security protections.”

OCR has previously promised to publicize specific details of best practices or observed compliance challenges discovered through these audits, however, these general findings do not yet appear to rise to the expected level of detail. Hopefully, more information on best practices and compliance challenges will be provided at the conclusion of this next round of audits to assist those entities that are seeking information to frame their ongoing compliance efforts.

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.