With the government gearing up for its HIPAA compliance audits, it is a good time for covered entities and their business associates to do a HIPAA compliance checkup. The Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH Act") required the government to develop a plan to audit covered entities and their business associates for HIPAA compliance. The Office of Civil Rights, the governmental agency charged with HIPAA enforcement, is in the final stages of implementing this audit program and has hired KPMG to perform the audits. These audits are expected to commence in the next few months, and KPMG is to complete audits of 150 organizations by December 31, 2012. The audits are initially expected to focus on covered entities. Each audit will include a site visit expected to span 2 to 5 days, depending on the complexity of the organization. The visit will consist of interviews with leadership and key personnel (e.g., Privacy Officer, CIO, medical records department director), an inspection of operations with respect to privacy and security, and an assessment of compliance with the HIPAA privacy and security regulations and with the organization's own HIPAA policies. At the conclusion of the audit, the audited organization will receive a final report describing the audit findings, with an emphasis on deficiencies and noncompliance, and will be given an opportunity to implement corrective actions. It is important to note that the government may initiate enforcement actions based on the audit findings; however, corrective actions may reduce or eliminate potential civil monetary penalties.

With these HIPAA compliance audits on the horizon and the OCR's heightened efforts toward HIPAA enforcement, it is important that covered entities and business associates take proactive steps toward compliance. To prepare for these audits, we recommend taking the following steps to better position yourself to demonstrate your HIPAA compliance to the government:

  • Ensure you have HIPAA privacy and security policies in place and that these policies are up to date, effective and enforced.
  • Perform a risk assessment of your organization's information security and set up reasonable safeguards as necessary.
  • Provide periodic training to personnel on your HIPAA policies and procedures.
  • Make sure that business associate agreements are in place with all business associates (e.g., IT vendors, coding consultants, billing companies, attorneys, auditors).
  • Update your Notice of Privacy Practices.
  • Perform ongoing monitoring of compliance with HIPAA privacy and security policies, and take corrective actions if noncompliance or ineffective processes are detected.
  • When the organization's HIPAA policies and procedures are violated or a data breach occurs, take appropriate and prompt corrective actions, and document the actions taken.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.