The Health Information Technology for Economic and Clinical Health Act (the HITECH Act) requires the U.S. Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities (health care providers, health plans and health care clearinghouses) and business associates are complying with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.1 As a result, HHS’s Office for Civil Rights (OCR) has recently commenced a pilot program to audit up to 150 covered entities to assess such entities’ compliance with the HIPAA privacy and security rules.2
Background on HIPAA Compliance and Group Health Plans
Since the implementation of the HIPAA administrative simplification provisions in 2003, most group health plans have been required to comply with HIPAA’s privacy standards for protected health information (PHI), which is defined as “individually identifiable health information” that is maintained or transmitted by a covered entity.3 Generally, “individually identifiable health information” is health information that is created or received by a health care provider, health plan, employer or health care clearinghouse that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.4 In 2005, the HIPAA security standards became applicable to most group health plans, requiring group health plans to protect the availability, integrity, and confidentiality of PHI transmitted or maintained in electronic media.5 While most group health plans are subject to HIPAA’s privacy and security requirements as “covered entities,” self-administered, self-funded group health plans with fewer than 50 employees eligible to participate are not required to comply with HIPAA’s privacy and security requirements.6
Since the enactment of the HITECH Act, group health plan sponsors have been required to implement additional policies and procedures to identify breaches of unsecured PHI. Unsecured PHI is PHI that has not been encrypted using a methodology approved by HHS.7 The HITECH Act also significantly expanded the HIPAA privacy and security requirements, particularly as they apply to business associates that perform a specific function on behalf of group health plans, such as claims administrators. In general, prior to February 2010, business associates were held responsible for compliance with the HIPAA privacy and security rules only through business associate agreements with covered entities. The covered entities, such as group health plans, remained primarily responsible for compliance with the HIPAA privacy and security rules, even if the business associate created and stored the majority of PHI for the group health plan (a typical scenario for a group health plan where the claims administrator handles most claims of participants). Since February 2010, many HIPAA security provisions and some HIPAA privacy provisions apply directly to business associates in the same manner as those provisions apply to covered entities.8
The HITECH Act Audit Requirements
Included in the HITECH Act is a requirement that HHS conduct HIPAA compliance audits of covered entities and business associates.9 Coupled with this requirement are increased monetary penalties associated with a HIPAA breach, the amounts of which are based on the culpability of the violator.10 Under the HITECH Act, penalties per individual violation range from a minimum of $100 to a maximum of $50,000.11 The maximum penalties for multiple violations range from $25,000 to $1.5 million.11
Notably, the HITECH Act specifically provides that a portion of the monies collected from these penalties can be used by HHS to fund additional compliance activities.12 Therefore, while HHS has always had the right to audit covered entities, until the HITECH Act it generally did not have sufficient funds to undertake widespread audits of covered entities or business associates. HHS most often investigated covered entities based on complaints initiated by plan participants or publicized breaches of PHI. Now, HHS has the funds and the resources to begin systematic reviews of all types of covered entities and business associates, not just the covered entities and business associates afflicted by publicly known compliance issues. As a result, it is critical that group health plans be vigilant in their protection of plan participants’ PHI (including electronic PHI) in accordance with the HIPAA privacy and security rules.
Objectives of the New HIPAA Audit Program
The majority of the information regarding the new HIPAA audit program is detailed on the HHS website regarding health information privacy.13 According to the OCR, the audit program will be used to assess HIPAA compliance efforts by a variety of covered entities, examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through HHS’s ongoing complaint investigations and compliance reviews.14 The OCR anticipates that the audit program will uncover the reasons why health information breaches are occurring, and will assist the OCR in creating tools for covered entities to better protect the health information that they use and disclose.
At this time, it appears that the objective of the HIPAA audit program is to yield best practices with regard to HIPAA compliance, rather than to penalize covered entities for vulnerabilities that are uncovered during an audit. However, if a serious HIPAA compliance issue is discovered during an audit, the OCR will assess whether to open a separate compliance review to address the problem.15
Timing of the Audit Program
According to the OCR, the pilot audit program is a three-step process. First, the OCR will develop the protocols for the audits. Next, the OCR will initiate a limited number of audits in an “initial wave” to test the audit protocols. These initial audits began in November 2011. The results from these initial audits will assist the OCR in determining how to conduct future audits. Lastly, the OCR will begin conducting the full range of audits using the revised protocols. All audits in the pilot phase of the audit program will be completed by the end of December 2012.16
Entities Eligible for an Audit
According to the OCR, all covered entities and business associates are eligible for a HIPAA audit. The OCR is responsible for the selection of the entities that will be audited, which will include a broad range of covered entities in the health care industry. In fact, according to the OCR, the range of covered entities that will be selected for an audit will be as wide as possible, including all types and sizes of health service providers, health plans, and health care clearinghouses. Business associates will be included in future audits, presumably in the third phase of the program.17
Mechanics of the Audit Process
HHS has engaged KPMG LLP, a professional public accounting firm, to conduct the HIPAA audits.18 According to the OCR, KPMG LLP will use “generally accepted government auditing standards” in conducting the audits.19 Covered entities that are selected for a HIPAA audit will be informed by OCR via an initial notification letter, a sample of which has been posted on the HHS website.20 These entities will be requested to provide documentation of their HIPAA privacy and security compliance efforts to the audit contractor identified in the letter. The requested documentation must be provided within ten business days of the request for information. The notification letter will be provided to each covered entity that has been selected for a HIPAA audit between 30 and 90 days prior to an onsite visit by the auditors. (Every audit in the pilot phase of the program will include a site visit.) Site visits may take between three and ten business days, and will include interviews with key personnel and observations of the covered entities’ processes and operations to determine whether the entities are operating in compliance with HIPAA.21
At the conclusion of each site visit, the auditors will prepare a draft audit report describing how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings. Before the audit report is finalized, the covered entity will have ten business days to review the report and provide written comments back to the auditor regarding any concerns about the issues that were identified during the audit, as well as potential corrective measures that may be implemented to rectify such issues. A final report will be submitted to the OCR and will incorporate the steps the covered entity has taken to resolve any compliance issues uncovered during the audit.22
Preparing for a Potential HIPAA Audit
Because of the short turnaround time for a request for information in connection with a HIPAA audit, covered entities should review their HIPAA policies and procedures now, including their workforce training procedures, business associate arrangements, notices of privacy practices, and breach notification procedures, to ensure that they are accurate and up to date. For example, covered entities should ensure that they can provide evidence of compliance with the new breach notification rules that were implemented under the HITECH Act. HIPAA policies and procedures should include specific references and practices with regard to privacy and security breaches, and business associate agreements must be updated to reflect these practices and to allocate responsibility in the case of a breach. In addition, notices of privacy practices should be updated to include breach information and to reflect any changes in providers or procedures that have occurred since the implementation of the HIPAA privacy and security rules. Most importantly, covered entities should ensure that they treat the privacy and security of protected health information as a high priority. HIPAA compliance must not be limited to the creation of a HIPAA privacy and security policy that is contained in a binder on the shelf; it must be an ongoing, important objective of the covered entity. Group health plan sponsors should take steps now to prioritize HIPAA compliance so that they are ready for a possible HIPAA audit.
Endnotes
1. American Recovery and Reinvestment Act of 2009, [Pub. L. No. 111-5, § 13411](http://bloomberglaw.com/document/1?citation=pub l 111-5&summary=yes#jcite), 123 Stat. 115, 276 (2009).
2. HIPAA Privacy & Security Audit Program, Department of Health and Human Services, http://hhs.gov/ocr/privacy/hipaa/enforcement/audit/ (last visited February 13, 2012).
3. [45 C.F.R. § 164.534](http://bloomberglaw.com/document/1?citation=45 cfr 164.534&summary=yes#jcite) (2011); [45 C.F.R. § 160.103](http://bloomberglaw.com/document/1?citation=45 cfr 160.103&summary=yes#jcite) (2011) (defining “protected health information”).
4. 45 C.F.R. § 160.103 (2011) (defining “individually identifiable health information”).
5. [45 C.F.R. § 164.318](http://bloomberglaw.com/document/1?citation=45 cfr 164.318&summary=yes#jcite) (2011).
6. [42 U.S.C. § 1320d(5)(A)](http://bloomberglaw.com/document/1?citation=42 usc 1320(d)(5)(A)&summary=yes#jcite) (2010); 45 C.F.R. § 160.103 (2011).
7. American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, § 13402, 123 Stat. 115, 260-263 (2009).
8. Id. § 13404, 123 Stat. 115, 264.
9. Id. § 13411, 123 Stat. 115, 276.
10. [45 C.F.R. § 160.404](http://bloomberglaw.com/document/1?citation=45 cfr 160.404&summary=yes#jcite) (2011); see also HIPAA Administrative Simplifications: Enforcement, 74 Fed. Reg. 56123, 56127 (Oct. 30, 2009).
11. Id.
12. Id. § 13410(d).
13. HIPAA Privacy & Security Audit Program, Department of Health and Human Services, http://hhs.gov/ocr/privacy/hipaa/enforcement/audit/ (last visited February 13, 2012).
14. Id.
15. Id.
16. Id.
17. Id.
18. Award Notice from Department of Health and Human Services to KPMG, Solicitation Number OS57605, Contract Award Number GS23F8127H_HHSP233.201.100252G (June 10, 2011), available at https://fbo.gov/index?s=opportunity&mode=form&id=9e045aa4f7e6f8499c5b6f74d5b211e9&tab=cor&_cview=0 (posted June 20, 2011).
19. See “Initial Notification Letter Sample,” HIPAA Privacy & Security Audit Program, Department of Health and Human Services, http://hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf (last visited February 13, 2012).
20. HIPAA Privacy & Security Audit Program, Department of Health and Human Services, http://hhs.gov/ocr/privacy/hipaa/enforcement/audit/ (last visited February 13, 2012).
21. Id.
22. Id.