In November 2011, as required by the HITECH Act, the Office for Civil Rights (OCR) began auditing selected covered entities’ compliance with the privacy and security provisions of HIPAA and its implementing regulations. In the near future, business associates will be eligible for audit selection as well. This article describes the current enforcement climate and provides practical steps on preparing for and responding to a HIPAA compliance audit.

Is It Getting Hot in Here? HIPAA Heats Up
The commencement of these audits is one of a series of changes that are transforming the HIPAA compliance landscape. The last two years have seen the implementation of breach notification requirements, a 60-fold increase in OCR’s fining authority, increased enforcement activity with more serious repercussions for enforcement targets, and as noted, the start of OCR’s compliance audits. Omnibus regulations implementing the majority of the agency’s outstanding HITECH rules are anticipated shortly.

Breach notification has highlighted significant failures to secure health records, with the number of breaches reported increasing by 32% from 2010 to 2011 at an estimated cost to the health care industry of $6.5 billion. The severity of the problem has not gone unnoticed. On November 9, 2011, the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law convened a hearing at which its members chastised OCR for its delay in issuing final rules to implement the HITECH Act and challenged the agency to step up HIPAA enforcement activities.

Despite what appears to the regulated community as substantial enhancement of HIPAA enforcement, the Subcommittee made clear that the agency’s efforts fell far short of its expectations, pointing out that, of tens of thousands of HIPAA complaints received by OCR since 2003, the agency has levied only one formal civil monetary penalty and has settled only six other cases for monetary amounts. (Of course, several of these actions reached penalties in the millions, a fact that did not assuage the Subcommittee.)

The Director of OCR, Leon Rodriguez, responded to the criticism by confirming that the agency is no longer required to provide enforcement targets with an opportunity to achieve voluntary compliance, as had been the case prior to the HITECH Act. Rodriguez added that the agency intends to put its fining authority to good use: “the real frontier is in our leveraging these new, stiff penalties that we have under the HITECH statute and expanding our utilization of those penalties” to promote compliance.

The Audit Process
It is in this climate that OCR commences its first compliance audits to assess target organizations’ compliance with the HIPAA Privacy, Breach Notice, and Security Rules. Of the 150 targets to be assessed in 2012, the first 20 have been notified of their selection. The audits will be conducted by OCR’s contractor, KPMG LLP, which has assisted the agency in developing an audit protocol to streamline the process. In this pilot phase, the audit program functions as follows:

Preparing for and Responding to an Audit
Preparing for an audit is critical to success given the short time frame, particularly the 10-day period in which to respond to the document request. The following considerations should be evaluated immediately:

Whether or not your organization is ever selected for an audit, the preparatory steps described above will enhance your organization’s compliance posture. In a time when fines surpass the million-dollar mark and a security breach lurks around every corner, undertaking that work will pay dividends even if your organization avoids an audit. Of course, if you do find yourself among the lucky first 150 audit targets, you’ll certainly be glad you took the time to prepare in advance.

Elizabeth Johnson, an attorney no longer with Poyner Spruill, was the original author of this article.