HHS Launches Study to Evaluate HIPAA Audit Program Effectiveness

The US Department of Health and Human Services (HHS) is actively considering reinstating a HIPAA compliance audit program as part of its efforts to bolster cybersecurity in the healthcare sector. On February 12, 2024, HHS announced in the Federal Register that its Office for Civil Rights (OCR) will soon launch a study to evaluate the effectiveness of the existing HIPAA compliance audit program. Notably, this program was last utilized in 2017.

The study will involve administering a comprehensive 39-question online survey to 207 covered entities and business associates who participated in the 2016–2017 OCR HIPAA audits. The survey aims to assess the impact of these audits on subsequent actions taken by organizations to comply with HIPAA rules.

In addition to evaluating overall effectiveness, the survey will allow entities to provide feedback on various aspects of the audit process. This includes assessing the usefulness of HHS’s guidance materials, the effectiveness of the online submission portal, and responses to audit findings and recommendations.

OCR intends to use the survey results to gain insights into the administrative burden faced by entities when collecting audit-related documents and responding to audit requests. Additionally, the assessment seeks to understand how the audits impact day-to-day operations within these organizations.

HHS was mandated to conduct HIPAA audits under the Health Information Technology for Economic and Clinical Health Act (HITECH). Despite initial delays, the initiative gained momentum with the support of external contractors who developed audit protocols.

Compliance Perspective

Issue

HIPAA established important national standards for the privacy and security of protected health information (PHI), and HITECH established breach notification requirements to provide greater transparency for individuals whose information may be at risk. HITECH requires OCR to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification rules. Covered entities and business associates should do everything in their power to safeguard patient data. According to OCR, it is insufficient for a regulated entity to merely establish and document the initial adoption of recognized security practices. For OCR to consider such practices when making determinations relating to penalties, audits, or other remedies, the entity must also demonstrate that the practices are fully implemented, meaning that the practices are actively and consistently in use by the covered entity or business associate over the relevant period of time.

Discussion Points

    • Review policies and procedures related to HIPAA, PHI, and the Privacy, Security, and Breach Notification rules. Ensure that they address business associate agreements and risk analysis. Update as new information becomes available.
    • Train appropriate staff on HIPAA, PHI, and the Privacy, Security, and Breach Notification rules. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Privacy, Security, and Breach Notification rules are being followed by all staff, and that each person demonstrates understanding and competency. Also periodically audit to ensure ongoing risk analysis is being conducted.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
