HIPAA Audits: Phases 1 and 2

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has conducted Phase 1 (also known as the pilot audit program) of its HIPAA Audits that were completed during 2010-2013. The Audit Program is funded by the Health Information Technology for Economic Clinical Health (HITECH) Act and requires HHS to conduct periodic audits to ensure compliance of HIPAA Privacy and Security Rules and Breach Notification standards. The purpose of the audits is to protect patient privacy by assisting covered entities and business associates in improving their efforts to keep health records safe and secure. Phase 1 was a multi-step process that assessed HIPAA compliance of covered entities by examining the entities’ mechanisms for compliance, identifying the entities’ best practices, and discovering the entities’ risks and vulnerabilities. The covered entities audited during Phase 1 included small provider practices, medical centers, insurance companies, local pharmacies, and national health care chains.

During Phase 1, the OCR audited sixty-one providers, forty-seven health plans, and seven clearinghouses totaling 115 pilot audits of covered entities across the country. Each audit generally lasted three to four weeks. The Phase 1 findings concluded that 89% of the entities were subject to findings and observations due to compliance deficiencies. Security Rule violations totaled 60% of the Phase 1 findings, with two-thirds of those audited failing to provide a complete and accurate risk assessment. Common Privacy Rule violations included the failure to meet the requirements for access to protected health information, inadequate notice of privacy practices, and the timing and content of breach notices. Lastly, Breach Notifications’ violations only represented 10% of the findings. The OCR noted that the most common cause for compliance deficiencies was a lack of awareness concerning the regulatory requirements. Other causes for violations included a lack of resources, incomplete implementation, and, occasionally, complete disregard for requirements. With the completion of the Phase 1 audits, the OCR is now preparing for Phase 2.

Anticipation of the execution of Phase 2 of the HIPAA Audit Program has been building, but continued delays due to further developments have plagued the program. The delays have given potential HIPAA-covered entities and business associates, both targeted in Phase 2, opportunities to perform HIPAA compliance check-ups to ensure that they are ready if selected for an audit. Phase 2 will also implement a web portal through which covered entities and business associates may submit audit data. Additionally, the OCR will continue investigating complaints alleging violations of the HIPAA Privacy and Security Rules and may also investigate reports of high profile breaches.

The audits will focus on areas of heightened risk, specifically compliance with the Security Rule’s requirement to conduct security risk assessments as a result of the OCR’s findings from Phase 1. Other topics of review are notice of privacy practices for HIPAA Protected Health Information (PHI), individuals’ rights to request privacy protection for PHI, individuals’ access to their own PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI, and accounting of disclosures.

Although check-ups may be tedious and time consuming for covered entities and business associates, it will be well worth the time spent in order to avoid any potential violations. Compliance reviews may result in civil monetary penalties of up to $50,000 per violation, and corrective action plans, which could remain in effect for several years, even after an entity has achieved full compliance.

Cristina Mares is pursuing her law degree at DePaul University College of Law in Chicago. Cristina completed her undergraduate degree at the University of San Diego in Communication Studies and Spanish. She is an active member of the Health Law Institute, and just recently became a staff writer for the DePaul Journal of Health Care Law. She would like to focus on the regulatory and compliance side of healthcare law after graduating in May of 2017.