HIPAA compliance auditors contracted by the Office for Civil Rights (OCR) will review whether covered entities have corrective action plans in place and whether they diligently work to remediate any problems, according to an expert who worked with OCR’s privacy chief on a recent audio conference.
Cliff Baker, managing partner with Meditology Services in Atlanta, teamed on an audio conference July 28 with Susan McAndrew, deputy director of health information privacy for OCR, and Adam Greene, former senior health information technology and privacy advisor at OCR and now a partner at the law firm Davis Wright Tremaine in Washington, D.C.
Baker summarized the key points from the presentation in a follow-up e-mail, including some of the major issues on OCR’s radar for the industry:
- Incident detection and response (OCR’s top issue)
- Access log review
- Secure wireless network
- User access and passwords management
- Theft or loss of mobile devices
- Up-to-date software
- Role-based access — lack of information access management
Background on the HITECH-required audits
OCR in June awarded KPMG, LLP a $9.2 million contract to administer the HIPAA privacy and security compliance audits required by Congress via HITECH. The first phase of the audits – in which OCR plans to visit 150 covered entities – is expected to start this coming fall and end by December 31, 2012.
OCR is taking a systematic approach to determining which organizations to audit based on risk, Baker says. Audits will no longer be driven by responses to complaints or breaches; instead, they will be directed at organizations that OCR selects based on an overall risk profile.
“The audits are seen as an opportunity to gather information about exposures in the industry and proactively identify certain issues ahead of time before they result in breaches across the industry,” Baker says. “The results of the audit will be a learning opportunity for the entire industry.”
Conducting the audits
OCR is working on a model for objectively selecting organizations for audit based on risk factors (e.g., size, type of entity).
“The audits will not simply focus on organizations that had an incident,” Baker says. “The initial focus will largely be on covered entities, as this is a group that’s identifiable today.”
McAndrew told HealthLeaders Media August 5 that OCR is unsure whether to audit business associates in the first round.
Entities will receive advance notice before any audits. And though OCR is budgeted for 150 audits, Baker said it’s “unlikely” the auditors will get through that many by the end of 2012. OCR plans to release aggregate findings across all audits as a “learning process for the industry,” Baker says.
“OCR expects that organizations are performing risk assessments,” Baker adds. “Risk assessments are not expected to be ‘clean,’ but it’s important that organizations have corrective action plans in place and are diligently working to remediate issues.”