Privacy & Information Security Law Blog

On July 28, 2011, the International Association of Privacy Professionals (“IAPP”) hosted a webinar that addressed the upcoming audit program of the Department of Health and Human Services Office of Civil Rights (“OCR”).  Susan McAndrew, the Deputy Director for Health Information Privacy at OCR, provided an overview of the audit program, noting that it stemmed from Section 13411 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  That section of the HITECH Act authorized the Secretary of the Health and Human Services to “provide for periodic audits to ensure that covered entities and business associates” comply with the requirements of the HIPAA Privacy and Security Rules.

Deputy Director McAndrew noted that the audits are intended to produce a more systematic approach to assessing HIPAA compliance as compared to OCR’s current investigation and complaint process.  She also mentioned that the audits will be preventative rather than reactive, identifying weaknesses in HIPAA compliance programs before they cause damage.  Just as the breach reports posted on the HHS website provide covered entities with information about security vulnerabilities affecting protected health information, the audits will help covered entities and business associates identify gaps in their internal HIPAA compliance programs.

The audits will be composed of preliminary reviews, surveys and on-site inspections.  Deputy Director McAndrew noted that, although OCR does not view the upcoming audit program as a potential enforcement mechanism, serious noncompliance issues will be referred to OCR’s investigative unit.  The audit program is currently in the developmental phase and is expected to be fully deployed in 2012.  Deputy Director McAndrew stated that it is unclear whether the audit program will continue beyond 2012.

Other webinar presenters noted that even though there are many unanswered questions about OCR’s HIPAA audit program, covered entities should ensure that their HIPAA privacy policies have been updated and fully implemented and that they have conducted a risk analysis that documents any addressable safeguards they have chosen not to implement.  Key areas for covered entities to focus on improving in anticipation of the upcoming OCR audit program may include HIPAA training, the security of transportable media and laptops, and breach detection systems and reporting mechanisms.