The Department of Health and Human Services’ Office for Civil Rights (OCR), which is actively preparing for the next round of HIPAA compliance audits, is encountering mixed reviews. The OCR is planning a limited number of “desk audits” covering 350 covered entities and 50 business associates, with complete on-site audits being conducted only “as resources allow,” according to an OCR spokeswoman. While some security and privacy experts believe that the OCR’s new methodology of offsite, highly focused audits may help the agency review the compliance of covered entities and business associates more efficiently, others think the new approach may fall short of driving compliance.
Audit Focus
Unlike the previous round of pilot audits, conducted in 2012 by KPMG, the next phase of desk audits is to be carried out by OCR’s own staff. According to a recent presentation at the Health Care Compliance Association Conference by Linda Sanches, OCR senior adviser for health information privacy, OCR’s audits of covered entities will focus on specific areas of HIPAA compliance. The covered entity audits are likely to include 100 audits focused on the HIPAA privacy rule, 100 audits on compliance with the HIPAA Omnibus breach notification rule, and 150 focused on the security rule, particularly risk analysis. The business associate audits, on the other hand, are likely to concentrate on the risk analysis and breach notification requirements.
The Onsite Vs Offsite Debate
Privacy and security experts Rebecca Herold, partner at consulting firm Compliance Helper and CEO of The Privacy Professor, and Brian Evans, principal consultant at Tom Walsh Consulting, share the view that OCR’s new focus on desk audits is a good idea. Herold believes it is a very good move to improve efficiency and widen the number of CEs and BAs being audited. Similarly, Brian Evans is all for the OCR’s new audit approach, keeping in mind its limited staffing and financial resources. Evans adds that “Offsite ‘desk audits’ can still be a cost-effective way of gathering compliance data and cover more of the population than onsite audit.”
On the other hand, Jennings Aske, CISO at speech recognition software vendor Nuance, which is a business associate under HIPAA, is not completely taken with the idea of OCR concentrating mostly on desk audits instead of onsite assessments. He believes that HIPAA audit programs need to push the healthcare sector forward in addressing privacy and security compliance. Expecting a robust audit program and heavy fines on organizations, he contends that the lack of a more aggressive audit program could hurt efforts to boost compliance. Because document-based audits could lead to “erroneous findings and gaps,” OCR may also need to consider ways of mitigating the risks that come from miscommunication or misinterpretation, says Aske.
Sharing a similar view, some are disappointed with the desk audit approach planned for the next phase of the program. Kate Borten, president and founder of the security consulting firm The Marblehead Group, thinks these audits are limited and fall short of Congress’ intent. Believing that these documentation audits barely scratch the surface, she thinks that each will deal with only a narrow aspect of HIPAA.
Despite the limited scope of the audits, the OCR has made it clear that results could lead to non-compliance enforcement actions by the agency. Evans notes that while managing information risk is crucial in every organization, managing compliance risk with the chance of being fined or penalized is a fairly new endeavor in healthcare. The audit plan could work as an additional motivator for CEs and BAs to protect patient information more effectively.
Believing that compliance is a legal obligation and not a choice, Herold says that the program alone will drive compliance actions by a small percentage of covered entities and BAs initially. Herold also expects organizations will not be stirred to action “until they start hearing of the penalties received by those who are audited during the earlier weeks and months of the audit activities.”
The Audit Candidates
The OCR intends to survey 550 to 800 covered entities chosen from a list of CEs compiled from a number of databases, according to Sanches’ presentation. The survey will help OCR confirm information such as e-mail addresses, and it is from that list that the OCR will select about 350 entities to audit. Business associates are to be selected for audits based on the lists of vendors that surveyed covered entities provide, according to the presentation. Herold also suggests that OCR provide a website where patients can answer a short survey to nominate a specific organization for consideration in an audit, to ensure that the least compliant entities do not go unnoticed simply because they happened to be outside the survey pool. She further adds that OCR needs to remind organizations that a HIPAA compliance review can be prompted by complaints or breaches, among other triggers. Organizations therefore need a clear indication that all CEs and BAs are subject to audit, not merely those that received a survey.
Healthcare entities should thus take a proactive approach to information security and invest in a comprehensive information security solution such as Aegify Security Posture Management and Aegify SecureGRC. Adopting such a solution can help safeguard health information throughout its lifecycle and detect potential threats and vulnerabilities at an early stage, thereby ensuring that they are ready for an audit.