HIPAA Audits – What the Feds found in the first round

HIPAA Audits Reported On by OCR

With the relatively slow roll-out of regulations and enforcement, HIPAA audits always seemed as if they were something to be concerned with in the future, but not necessarily in the here-and-now.  Well, it’s time to wake up and take note of the fact that the future is now.

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently released the results of the first round of HIPAA Privacy and Security Audits it conducted under the provisions of the HITECH Act.

Publicizing the results of the pilot HIPAA audits

The OCR contractor, KPMG, conducted these audits as part of a pilot program to test its HIPAA audit protocol, and OCR wants to use the results to publicize the requirements of Covered Entities and Business Associates to conduct their own HIPAA audits.  OCR will also share the “best practices” it learns through the pilot audits.  Of course, when provider audits begin in earnest the results of deficiencies can have real consequences for CEs and BAs.  As OCR put it, “It is possible that an audit could indicate serious compliance issues that may trigger a separate enforcement investigation by OCR”.

Profile of those entities included in the audits

The 20 pilot HIPAA audits examined a range of Covered Entities, from large providers/health plans with extensive use of HIT and revenues of $1 billion or more, to small providers/health plans with little or no use of HIT and revenues of $50 million or less.  The providers included physician practices, hospitals, a lab, a pharmacy and other healthcare providers.  Two clearinghouses were also audited.

Pilot HIPAA audit results

The overall results of the HIPAA audits according to the OCR: “Privacy challenges are widely dispersed throughout the protocol – no clear trends by entity type or size”.  Notwithstanding the OCR’s view, some findings do point at areas of concern.

  • Small providers have more privacy issues (deficiencies) than larger providers and other CEs.
  • There is a lack of policies and procedures of many kinds, including access to records and a review process for denial of access to records.
  • Business Associate contracts are not in place.
  • Larger entities are more at risk for security challenges, such as contingency planning and user activity monitoring.
  • Most Security Rule deficiencies involved Administrative and Technical safeguards.  Physical safeguards were less of an issue.
  • Conducting a Security Risk Assessment was also an issue.


So what is the takeaway from this round of HIPAA audits?

These HIPAA audits are very thorough; the requirements of the Privacy Rule, the Security Rule and the interim Breach Notification Rule are well known, and there is really no reason, at this late date, for Covered Entities to not have incorporated the respective provisions into their operations and policy documentation.  And Security Rule Assessments are a required Core Measure, part of the Meaningful Use criteria for providers seeking incentive payments for using certified EHR technology.

There are still several issues that OCR must address as the audit process moves forward, especially involving identifying and auditing Business Associates and their sub-contractors.  It may take a while for the OCR to answer these questions and round out its audit program to include BAs, but eventually that part of the audit program will be in place, too.

What should healthcare providers and business associates do in the meantime?

Covered Entities and BAs can review the Security Audit Protocol and the Privacy and Breach Audit Protocol available on the OCR/HHS website.  The Security protocol covers 77 areas; the Privacy Protocol has 88 areas.  They are long and involved, but they are exactly what an OCR auditor would be asking for, and what OCR would look for during an enforcement investigation.

The HIPAA Privacy and Security Rules have been around for years, and many provider organizations have gotten by with minimal policies and procedures, and have not undertaken the difficult task of auditing their own compliance.  The HITECH Act requirements for audits by the OCR make those times “the good old days!”

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.