Health Update

U.S. Department of Health and Human Services Announces Details of New HIPAA Audit Program

Authors: Robert D. Belfort | Helen R. Pfister | Susan R. Ingargiola

On November 8, 2011, the U.S. Department of Health and Human Services (“HHS”) officially posted on its website details about its new Health Insurance Portability and Accountability Act (“HIPAA”) Audit Program.  HHS has engaged the accounting firm KPMG LLP to conduct the audits, which are slated to begin this month.  Through the audits, HHS will be playing a more proactive role in enforcing HIPAA than it has in the past.

I.  Background
The Office for Civil Rights (“OCR”) within HHS is responsible for administering and enforcing the HIPAA Privacy and Security Rules.  Generally, HHS has enforced the Privacy and Security Rules by investigating complaints and performing education and outreach to foster compliance with the Rules’ requirements.  It has conducted only a limited number of “compliance reviews” to date, and some have criticized the agency for not pursuing more aggressive enforcement efforts.  This past May, for example, the HHS Office of the Inspector General released a report indicating that HHS’s oversight and enforcement actions were not sufficient to ensure that covered entities effectively implemented the Security Rule.

Section 13411 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act required HHS to periodically audit the compliance of HIPAA covered entities (i.e., health plans, health care clearinghouses, or health care providers that transmit any health information in electronic form) and their business associates with the Privacy and Security Rules.  HHS contracted with the consulting firm Booz Allen Hamilton to identify potential covered entities and business associates to audit.  HHS also awarded a $9 million contract to KPMG to assist it in performing audits under the program.  A synopsis of the contract available on the federal government’s www.fedbizopps.gov website, which publicizes federal government contracting opportunities, provided stakeholders with a preliminary sense of what audits under the new program might entail.  However, HHS had not officially released any materials detailing the program until now.

II.  Audit Program Details
According to HHS, audits present an opportunity to “examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s established complaint investigations and compliance reviews.”  HHS intends to perform up to 150 audits of covered entities between November 2011 and December 2012, which HHS is calling the program’s “pilot phase.”  

While covered entities and business associates are both eligible to be audited, HHS will audit only covered entities during the pilot phase.  HHS intends to audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and health care clearinghouses may all be subject to audit.  Business associates will be included in future audits. 

When a covered entity is selected for an audit, HHS will notify the covered entity in writing.  The notification letter will introduce KPMG as the auditor, explain the audit process and set out the auditor’s initial document and information requests.  It will also specify how and when to return the requested information to the auditor.  HHS expects covered entities to provide requested information within 10 business days of the request.  A sample notification letter is available for covered entities to view.

Every audit will include a site visit.  Following the site visit, the auditor will develop and share with the covered entity a draft report, which will likely describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings.  The covered entity will have the opportunity to discuss concerns before the auditor finalizes the report.  The final report will describe the steps the covered entity has taken to resolve any compliance issues identified by the audit as well as any best practices the covered entity may have demonstrated. 

HHS will review the final reports and will consider their findings when developing future technical assistance programs and corrective action plans to ensure covered entity compliance.  If an audit report yields “a serious compliance issue,” HHS may initiate a formal compliance review to address it.  HHS will not make public a listing of audited entities or identifiable audit findings.

III.  Next Steps and Implications
HHS intends to test its audit protocols in an “initial wave” of approximately 20 audits.  The results of these initial audits will inform how the rest of the audits will be conducted.  As suggested above, HHS intends to share the best practices it gleans through the audit process.  It will also develop guidance to address the specific compliance challenges the audits identify.

Because HHS plans to perform only 150 audits, the odds of any particular organization being selected for one of the audits are slim.  However, covered entities and business associates should still take this opportunity to review their HIPAA compliance programs and make improvements as necessary.  Compliance issues identified through the audit process could lead to formal enforcement action by HHS.  As amended by the HITECH Act, civil monetary penalties under HIPAA range from $100 to $50,000 per violation and up to $1,500,000 for identical violations in a calendar year.