A wave of HIPAA privacy audits far more comprehensive than anything attempted to date was officially launched Nov. 8 by the U.S. Department of Health and Human Services (HHS). While their official purpose is not enforcement, these audits are likely to cast a broader net than HHS scrutiny has to date — including possibly group health plans.
This audit program, mandated by the HITECH Act, will involve “up to 150 audits of covered entities to assess privacy and security compliance,” HHS’ Office for Civil Rights (OCR) announced. This “pilot phase” is to conclude by the end of 2012.
“It is not intended as an enforcement tool per se,” OCR’s Christina Heide told a recent conference. “That’s not to say if there’s not a finding of significant noncompliance we wouldn’t open a compliance review,” she said, but “this is more to identify where there may be a gap in compliance — rather than currently, when the incident happens and then we move in.”
OCR also hopes to glean some best practices that it can share in guidance. “The intent is to perform the audits on as many different types of covered entities as possible,” Heide said.
Benefits attorney Mark Stember, with the law firm Kilpatrick Townsend & Stockton in Washington, D.C., asked Heide if OCR would take into account the flexibility built into many HIPAA standards for covered entities to take compliance measures appropriate to their size, resources, position in the health system and degree of exposure to protected health information (PHI).
Many group health plans push most of their PHI out to a third-party administrator or insurer, and therefore “have protections but they’re not as great” as an insurer would have, he noted. OCR has said it will keep that in mind when it audits such plans.
“That will be taken into account,” Heide responded. “I don’t think there’s going to be a one-size-fits-all.” Heide, who was expressing only her personal views, and Stember spoke Nov. 1 at the National Institute on Health and Welfare Benefit Plans presented by the American Bar Association’s Joint Committee on Employee Benefits.
The audit program comprises three major steps, OCR has indicated: (1) developing the audit protocols; (2) testing these out on “an initial wave” of 20 auditees; and (3) conducting the remaining audits using revised protocols. Details on the program, including a sample notification letter, are now available on the agency’s website.
The latest developments on privacy audits and other HITECH enforcement initiatives are covered in the Employer’s Guide to HIPAA Privacy Requirements.