On June 26, HHS' Office for Civil Rights released the protocol it is using to audit compliance with various requirements under HIPAA. OCR is performing the audits as part of a pilot program designed to inform a larger, ongoing audit program mandated by the Health Information Technology for Economic and Clinical Health Act.
The protocol, which has been highly anticipated, offers a breakdown of the performance measures against which covered entities (i.e., health plans, health care clearinghouses or health care providers that transmit health information in electronic form in connection with certain transactions) are evaluated during an audit. It can therefore help covered entities prepare for a HIPAA audit, or simply self-evaluate their own HIPAA compliance efforts against the same criteria the auditors apply.
OCR is responsible for administering and enforcing the regulations promulgated under HIPAA: the Privacy, Security and Breach Notification rules. Generally, HHS has enforced the rules by investigating complaints and performing education and outreach to foster compliance. It has conducted only a limited number of "compliance reviews" to date, and some have criticized the agency for not pursuing more aggressive enforcement efforts. In 2011, for example, the HHS Office of the Inspector General released a report indicating that HHS' oversight and enforcement actions were not sufficient to ensure that covered entities effectively implemented the HIPAA Security Rule.
Section 13411 of the HITECH Act requires HHS to periodically audit the compliance of HIPAA-covered entities and their business associates with the Privacy, Security and Breach Notification rules. To implement this mandate, OCR is currently piloting a program in which it is performing 115 compliance audits of covered entities. The pilot program began in November 2011 and will conclude in December. KPMG, the consulting firm contracted by HHS to perform the audits under the program, has audited 20 covered entities to date.
Audit Program Overview
According to HHS, audits present an opportunity to "examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR's established complaint investigations and compliance reviews."
While covered entities' business associates will ultimately be eligible to be audited as well, HHS is auditing only covered entities during the pilot phase. HHS intends to audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and health care clearinghouses may all be subject to audit. Among the specific criteria used to select particular candidates are "whether the entity is public or private, the size of an entity, affiliation with other health care organizations, the type of entity and relationship to patient care, and past and present interaction with OCR concerning HIPAA enforcement and breach notification."
When a covered entity is selected for an audit, HHS notifies the covered entity in writing. The notification letter introduces KPMG as the auditor, explains the audit process and sets out KPMG's initial document and information requests. It also specifies how and when to return the requested information to KPMG. Every audit includes a site visit. Following the site visit, KPMG develops and shares with the covered entity a draft report, which describes how the audit was conducted and what the findings were. The covered entity has the opportunity to discuss concerns before KPMG finalizes the report. The final report describes the steps the covered entity has taken to resolve any compliance issues identified by the audit, as well as any best practices the covered entity may have demonstrated.
Audit Protocol Details
The protocol that KPMG is using to conduct the audits under the pilot program is organized around three modules:
- Evaluation of compliance with the HIPAA Privacy Rule;
- Evaluation of compliance with the Security Rule; and
- Evaluation of compliance with the Breach Notification Rule.
Each module includes a number of specific performance measures, which cite specific sections of the HIPAA rules, against which KPMG assesses the covered entity. The Privacy Rule module includes 78 performance measures; the Security Rule module includes 77 performance measures; and the Breach Notification module includes 10 performance measures, for a total of 165 performance measures.
Each performance measure includes a "key activity" and an "audit procedure" that describes the actions the KPMG auditors take in reviewing compliance with the measure. Sample performance measures and associated key activities and audit procedures from each module are provided below.
Privacy Rule Module
Sample Performance Measure: "§164.512(a)(1) -- A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies and is limited to the relevant requirements of such law. §164.512(a)(2) -- A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law."
Key Activity: Uses and Disclosures Required by Law
Audit Procedure: Inquire of management as to whether the requirements to use or disclose PHI required by law are met. Obtain and review Notice of Privacy Practices and evaluate the content in relation to the specified criteria to determine if the entity identifies the disclosures required by law. Obtain and review policies and procedures and evaluate the content in relation to the specified criteria for uses and disclosures required by law.
Security Rule Module
Sample Performance Measure: "§164.308(a)(1) -- Security Management Process §164.308(a)(1)(ii)(A) -- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity."
Key Activity: Develop and Deploy the Information System Activity Review Process
Audit Procedure: Inquire of management as to whether formal or informal policy and procedures exist to review information system activities, such as audit logs, access reports and security incident tracking reports. Obtain and review formal or informal policy and procedures and evaluate the content in relation to specified performance criteria to determine if an appropriate review process is in place of information system activities. Obtain evidence for a sample of instances showing implementation of covered entity review practices. Determine if the covered entity policy and procedures have been approved and updated on a periodic basis.
Note that the key activity and audit procedure above concern the information system activity review implementation specification at §164.308(a)(1)(ii)(D) (regular review of audit logs, access reports and security incident tracking reports), which sits alongside the risk analysis specification quoted in the performance measure within the same Security Management Process standard.
Breach Notification Module
Sample Performance Measure: "§164.404 -- Notice to Individuals §164.404 (a) -- A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach."
Key Activity: Notification to Individuals
Audit Procedure: Inquire of management as to whether a process exists for notifying individuals within the required time period. Obtain and review key documents that outline the process for notifying individuals of breaches.
Stakeholder Reactions to the Audit Protocol
Reaction to the audit protocol has been mixed. Some have criticized the protocol as providing significant details related to certain requirements and not others. Others have criticized it as lacking specificity and simply parroting back the HIPAA rules with little additional information. For example, some have criticized the protocol for calling for determining if the covered entity risk assessment has been conducted on a "periodic basis" without defining what periodic basis means.
In response to these criticisms, OCR officials said that while they understand stakeholders' desire for specificity, the HIPAA rules were not designed as a set of one-size-fits-all requirements. OCR also has stressed that it is not attempting to set new standards through the protocol.
Others, however, suggest that the protocol can serve as a useful rubric for assessing the status of a covered entity's HIPAA compliance efforts. For example, John Halamka -- co-chair of the Health IT Standards Committee, an advisory group to the Office of the National Coordinator for Health IT, and CIO at Beth Israel Deaconess Medical Center -- has recommended supplementing the audit protocol with the HIPAA implementation guidance developed by the National Institute of Standards and Technology, which is designed to help covered entities understand the security concepts included in the HIPAA Security Rule.
Implications of the Audit Program and Next Steps
OCR does not generally plan to penalize covered entities found in violation of HIPAA's requirements under the pilot program, but OCR officials have indicated that the office will do so if it uncovers "serious compliance issues." As amended by the HITECH Act, civil monetary penalties under HIPAA range from $100 to $50,000 per violation and up to $1,500,000 for identical violations in a calendar year.
The pilot phase of the HIPAA audit program is expected to end in December. HHS intends to implement a more formal, ongoing audit program next year after it completes its analysis of the 115 audits conducted under this year's pilot program. According to preliminary results from KPMG's first 20 audits, more covered entities demonstrated lack of compliance with the Security Rule's requirements than with the Privacy Rule's requirements.
HHS will use the results of the pilot program audits to help shape the structure, focus and size of the ongoing audit program. OCR will likely move quickly: the Government Accountability Office recently sent a report to Congress criticizing OCR for not yet having a sustainable plan for continuing its HIPAA audit program after the pilot phase is completed.