To combat new risks associated with rapidly evolving health information technology, HIPAA and HITECH provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI) and breach notification to individuals. HITECH also requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. In 2011, HHS Office of Civil Rights (OCR) established the HIPAA pilot audit program to assess the controls and processes implemented by covered entities to protect the privacy of PHI.
In a February 24, 2014, notice in the Federal Register (Notice), HHS OCR announced its plan to survey 1200 organizations—800 covered entities and 400 business associates—the first step in selecting organizations for the next round of HIPAA audits. As provided in the Notice, not all organizations surveyed will be audited. The survey “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.” OCR intends to collect, among other things, “recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations.”
For the 2011 HIPAA pilot audit program, OCR developed an audit protocol to measure the efforts of 115 covered entities. OCR also instituted a formal evaluation of the effectiveness of the pilot audit program. In April 2013, OCR released its findings from the 2011-2012 HIPAA audit pilot program. The audit pilot program focused on health plans of all types, healthcare clearinghouses and individual and organizational providers. From the audit pilot program, OCR found that most of the evaluated entities did not conform to HIPAA standards for security, privacy and breach notification—the three audit areas. OCR also found that most entities (two-thirds of those audited) failed to perform a comprehensive, accurate security risk assessment. The most common cause of noncompliance was that the entity was “unaware of the requirement.” Privacy requirements that covered entities were most “unaware” of pertained to notice of privacy practices, access of individuals, minimum necessary and authorizations. Security requirements that covered entities were most “unaware” of pertained to risk analysis, media movement and disposal, and audit controls and monitoring. OCR also found that smaller healthcare providers, i.e., community pharmacies and practices with revenues of less than $50 million per year, generally were vulnerable and noncompliant in all three audit areas. Healthcare providers that fell into this category accounted for 65 percent of all policy violations.
The next round of HIPAA audits provides another opportunity for OCR to examine different mechanisms for compliance with HIPAA/HITECH, identify best practices and discover new risks and vulnerabilities. The audits are in addition to OCR’s ability to assess HIPAA/HITECH compliance through its routine complaint and investigation process. It is anticipated that the next round of HIPAA audits will focus on OCR hot buttons—timely and thorough security risk assessments, effective and ongoing risk mitigation plans, breach notification procedures, encryption, training, and policies and procedures. For the next round of HIPAA audits, OCR is currently revising its audit protocol to reflect the changes included in the HIPAA Omnibus Rule that became effective on September 23, 2013.