OCR joins the team of federal auditors


In June, the Office for Civil Rights (OCR) released results from the initial twenty audits of the HIPAA Audit Program. In the next few months, OCR will implement the final phase of the pilot audit program, auditing a total of 115 covered entities by the end of December 2012.

Historically, enforcement of HIPAA has been reactive—that is, OCR initiated an investigation only after it received a complaint or a covered entity reported a breach. In 2009, Congress expressed its desire for the enforcement efforts to be more proactive. Section 13411 of the HITECH Act, therefore, requires the Department of Health and Human Services to periodically audit covered entities and business associates to ensure that they are in compliance with the HIPAA Privacy and Security Rules and the standards for breach notification. Accordingly, in November of 2011, OCR initiated a pilot audit program to identify compliance issues.

OCR contracted with KPMG, Inc., a private corporation, to develop and conduct the audits. The pilot audit program was divided into two phases: the initial phase, during which KPMG audited the first twenty entities and developed audit protocols, and the final phase, in which KPMG will audit the remaining 95 entities. In June, OCR released data gathered from the first twenty audits. According to this data, small entities tended to have more compliance deficiencies than larger entities, and most of the deficiencies for both large and small entities came from failure to comply with the Security Rule.

In June, OCR also released the audit protocols developed by KPMG during the initial phase of the program. Consisting of 169 protocols, the audit program will continue to develop, add, and delete protocols during the final phase. At this time, 78 of the protocols focus on the HIPAA Security Rule, 81 protocols concern the Privacy Rule, and 10 protocols focus on the breach notification standards.

Because the audit protocols were designed by a private entity, and not by OCR, some of the protocols represent KPMG’s interpretation of the law rather than actual legal requirements. For example, 45 C.F.R. § 164.308(a)(3)(ii)(C) requires covered entities to “implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.” The audit protocol for this regulation requires that covered entities have “separate procedures for terminating access to ePHI when employment of a workforce member ends, i.e., voluntary termination . . . vs. involuntary termination.” Obviously, KPMG’s protocol goes over and beyond the requirements stated in the regulation. Nevertheless, the protocols will guide the audit process and influence the final report submitted to OCR.

By the end of December, KPMG will audit the 95 remaining entities. These entities will be randomly selected and will include health plans, health care providers, and clearinghouses of all sizes. When KPMG selects an entity for an audit, KPMG will send notice and a request for documents to the entity. The document request will require the entity to produce a variety of documents, including policies and procedures, demographic information, and forms. After receipt of the notice letter, the entity will have only fifteen days to produce the requested documents. KPMG will treat any documents not produced as non-existent. This may result in a finding of non-compliance, even if the entity has the necessary document.

Between thirty and ninety days after KPMG sends the notice letter, KPMG will perform an on-site audit, which will take from three to ten days. During the on-site audit, three to five auditors will interview personnel, walk through and observe the entity’s operations, and request more information. These auditors will use the audit protocols as a guide to assess the entity’s compliance with HIPAA. After the on-site audit, KPMG will prepare a draft report of the findings and send the report to the entity. Once the entity receives the draft report, the entity will have ten days to prepare a written response. Both KPMG’s report and the entity’s written response will be provided to OCR. In the event OCR believes more action is required, OCR may initiate an investigation that could lead to an enforcement action.

The HIPAA Audit Program has received fiscal appropriations for 2013 and 2014; therefore, the audits are likely to continue and to grow. To implement a compliance program that will withstand an audit, entities should refer to the audit protocol, available at hipaa/enforcement/audit/index.html, and ensure that they have the necessary policies and procedures in place. When a provider adopts policies and procedures, the provider should not only put the policy in writing, but also ensure that the policy is implemented and practiced at the entity. Thus, providers should orient, train, and evaluate personnel on the policies and procedures. Furthermore, the policies and procedures should be organized in a readily retrievable form, because an entity selected for an audit will only have fifteen days to produce these documents. Finally, providers should recognize that many of the audit protocols represent best practices rather than legal requirements. Therefore, in the event that a provider is selected for an audit, the provider should engage legal counsel to assist in the response to the audit. KPMG’s final report may lead to an enforcement action by OCR; therefore, entities should ensure that the report focuses on the legal requirements and should challenge the accuracy of any such report.