To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals. HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. In 2011, HHS OCR established the HIPAA pilot audit program to assess the controls and processes implemented by covered entities to protect the privacy of PHI.

In a February 24, 2014 notice in the Federal Register (Notice), HHS OCR announced its plan to survey 1200 organizations – 800 covered entities and 400 business associates – as the first step in selecting organizations for the next round of HIPAA audits. As provided in the Notice, not all organizations surveyed will be audited. The survey “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.” OCR intends to collect, among other things, “recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations.”

For the 2011 HIPAA pilot audit program, OCR developed an audit protocol to measure the efforts of 115 covered entities. OCR also instituted a formal evaluation of the effectiveness of the pilot audit program. In April 2013, OCR released its findings from the 2011-2012 HIPAA audit pilot program. The audit pilot program focused on health plans of all types, health care clearinghouses, and individual and organizational providers. From the audit pilot program, OCR found that most of the evaluated entities did not conform to HIPAA standards for security, privacy, and breach notification – the three audit areas. A copy of the 2011-2012 HIPAA audit protocol can be found here. OCR also found that most entities (two thirds of those audited) failed to perform a comprehensive, accurate security risk assessment. The most common cause of non-compliance was that the entity was “unaware of the requirement”. The privacy requirements that covered entities were most “unaware” of pertained to notice of privacy practices, access of individuals, minimum necessary, and authorizations. The security requirements that covered entities were most “unaware” of pertained to risk analysis, media movement and disposal, and audit controls and monitoring. OCR also found that smaller healthcare providers, i.e., community pharmacies and practices with revenues of less than $50 million per year, were generally vulnerable and non-compliant in all three audit areas. Healthcare providers that fell into this category accounted for 65% of all policy violations.

The next round of HIPAA audits provides another opportunity for OCR to examine different mechanisms for compliance with HIPAA/HITECH, identify best practices, and discover new risks and vulnerabilities. The audits are in addition to OCR’s ability to assess HIPAA/HITECH compliance through its routine complaint and investigation process. It is anticipated that the next round of HIPAA audits will focus on OCR’s hot-button issues – timely and thorough security risk assessments, effective and ongoing risk mitigation plans, breach notification procedures, encryption, training, and policies and procedures. For the next round of HIPAA audits, OCR is currently revising its audit protocol to reflect the changes included in the HIPAA Omnibus Rule that became effective on September 23, 2013.