HIPAA Privacy Audits – findings and future plans

If you haven’t spent much time monitoring national Health and Human Services (HHS) department initiatives (and with ICD-10 and MCO mandates looming we’re betting you haven’t) you may not be aware there has been a pilot program to carry out audits of the HIPAA privacy rules for some time now.  The Office for Civil Rights (OCR) has been tasked with performing the audits, and has also done some surveying of providers as well.

The program is mainly complaint-based, but 2010 legislation required the agency to engage in a program of proactive audits as well. A new report from the HHS Office of Inspector General (OIG) criticizes OCR for not moving fast enough in deploying its program to uncover HIPAA violations.  While there is much more to learn about the political arguing and inner workings of the many HHS departments at play (see Ken Terry’s great article from MedScape here), I wanted to focus today on what the report states are the most common issues found in the compliance audits and surveys done to date.

According to the OIG data, twenty-seven percent of providers surveyed failed to comply with all five of the policy standards that were surveyed.  These included:

  • Establish a sanctions policy for staff (24% failed to comply)

  • Provide some or all staff with training on the privacy rules (20%)

  • Maintain a notice of privacy practices (16%)

  • Designate a privacy official (11%)

  • Provide a complaint process for individuals (9%).

OIG had a multitude of recommendations for OCR, mostly centered around full implementation of the permanent audit program and shoring up its ability to track and analyze audit data.  Phase 2 of the audit program is set to launch in early 2016.  This phase also promises to include Business Associates in the audit process.

One thing is very clear from this and other information readily available online at DHHS – HIPAA compliance is serious business.  Gone are the days when compliance can be something that you “hope to get to.” Thus far, behavioral healthcare and human services have not seen the “HIPAA Police” walk through the door unannounced, but that day is certainly coming.