More healthcare privacy audits in the wings
Federal enforcers are preparing to audit healthcare organizations for how well they establish and follow privacy and security practices and data breach notification standards.
The Office of Civil Rights published the procedures to be assessed when examiners conduct performance audits to assure that health plans and payers and their business associates safeguard health information. The audits are called for under the HITECH Act.
[See also: Newsmaker Interview: Mac McMillan]
OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) and oversees health information privacy in the Department of Health and Human Services.
The audit protocol released June 26 details activities, including conducting a risk assessment, acquiring IT systems and services if needed to protect health information and developing and deploying information system review processes, such as audit logs and security incident tracking reports.
The audit protocol covers how effectively organizations establish the policies and requirements for the HIPAA Privacy Rule for notice of privacy practices, rights to request privacy protection for protected health information, access by individuals to the information, administrative requirements, uses and disclosures of health information, accounting of disclosures and changes to health information.
The audit protocol also covers HIPAA Security Rule requirements for administrative, physical and technical safeguards for health information, and breach notification procedures.
[See also: 3 hot buttons that can trigger an OCR audit]
OCR has piloted a program to audit 115 plans and payers and some business associates to get a field assessment of how organizations are complying with privacy and security protections. Audits began in November 2011 with the first group of 20 organizations and will conclude in December.
Audits present an opportunity to examine methods for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s complaint investigations and compliance reviews. OCR will share best practices it learns through the audits and provide guidance aimed at compliance challenges.
During the pilot audits to date among large and small hospitals and integrated systems and small providers and group health plans, OCR has found privacy challenges throughout all the entities and all sizes but many more vulnerabilities in the smaller organizations, according to Linda Sanches, OCR senior adviser on health information privacy, and lead on HIPAA compliance audits.