On June 10, 2011, the Department of Health and Human Services (HHS) awarded KPMG a $9.2 million contract to create an audit protocol and then audit covered entities’ and business associates’ compliance with the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The contract calls for as many as 150 audits of entities varying in size and scope before Dec. 31, 2012. HHS also awarded a $180,000 contract on June 9, 2011 to Booz Allen Hamilton for "audit candidate identification."
Given the volume of HIPAA covered entities and business associates that exist, the likelihood of being audited will be small, but a number of entities will become the unlucky few. So, it is a good time for covered entities and business associates alike to review (or develop) their HIPAA privacy and security programs, to assess how effective those programs are, and to see that their policy documentation and training are up to date. It is especially important to ensure that your workforce is acting in accordance with policy and that senior staff members are ready to respond to the audit process, as the award synopsis states that "part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy, [and] observation of compliance with regulatory requirements." After each site visit the contractor will submit an audit report to HHS.
Why Is This Happening?
Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, requires HHS to conduct periodic audits to ensure that HIPAA covered entities and business associates are complying with the Privacy and Security Rules. This is a fundamental change from the complaint-driven investigations of the past.
A Little Good News
One bit of good news is that the contract is a firm fixed price, which appears to mean that payment to KPMG will not be based on whether audits result in resolution agreement payments or civil money penalties.
Many Open Questions
Currently, we only have access to the synopsis of the KPMG contract. As the contract itself becomes available, some of these questions may be answered. Most questions, however, will only be answered once KPMG creates an audit protocol and begins conducting audits.
Preparation Is the Key
So, with these few published hints from HHS, covered entities and business associates should begin to revitalize and assess their privacy and security programs, including breach detection and notification, to prepare for the possibility of an audit. Compliance should be woven through the fabric of the organization, and an internal marketing of compliance goals should become a priority. Among other things, covered entities and business associates may now wish to:
- Review policies and procedures and ensure that they are up to date and accessible to all workforce members;
- Discuss HIPAA/HITECH issues at regular meetings, include training topics in staff emails and other communications, and make privacy and security part of the organizational conversation, rather than a once-a-year discussion topic;
- Document that the workforce has been appropriately trained, not merely passing a simple test, but actually acting in compliance with policies and practices;
- Conduct mock audits and audit interviews to see that policies have been implemented and understood among staff and that they are effective in protecting privacy and security, rather than failing in the face of unclear protocols, human error, limited staff or resources;
- Ensure that the HIPAA security risk analysis is up to date, reflecting changes in technology and costs since the HIPAA Security Rule went into effect in 2005. For example, where a 2005 risk analysis may have stated that encryption of laptops or email was too expensive to implement, it may be wise to update your analysis based upon changes in available technology and costs. Further, where the encryption specification is "addressable" rather than "required," the covered entity or business associate must still "address" encryption and the risks, threats and vulnerabilities to electronic protected health information, documenting its alternate means of protecting such data if encryption is not a viable option.