Companies that qualify as a “Covered Entity”[1] or “Business Associate”[2] under the Health Insurance Portability and Accountability Act (“HIPAA”) should take note of the U.S. Department of Health and Human Services (“HHS”) pilot HIPAA audit program.
Background
Under Section 13411 of the HITECH Act, HHS must conduct periodic audits to ensure that Covered Entities and Business Associates comply with HIPAA’s Privacy and Security Rules and Breach Notification Standards. To meet this requirement, HHS is conducting a pilot HIPAA audit program in which it will audit up to 150 Covered Entities from November 2011 through December 2012. Business Associates are not included in this initial audit, but they will be included in subsequent audits.
Audit Process
HHS will select a wide range of Covered Entities to audit, including individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses. KPMG developed the audit protocols, and it will audit the 150 Covered Entities and generate reports for HHS. The audits are designed to generate information about HIPAA compliance and will assess both vulnerabilities and best practices. HHS will make its findings with respect to best practices public, but it will not publish lists of audited Covered Entities or specific findings that identify particular Covered Entities.
Impact on Covered Entities and Business Associates
Although only a small number of Covered Entities will be audited in 2011-2012, the audit will generate a list of best practices that Covered Entities should implement going forward. After the best practices list is published, Covered Entities should review their internal policies, training processes, and Business Associate agreements and modify them, if necessary, to conform with the best practices.
The best practices list will also likely contain suggestions that Business Associates should incorporate into their internal policies, training procedures, and Business Associate agreements in preparation for the Business Associate audits, which are likely to begin in 2013.
If you have any questions about whether your company must comply with HIPAA or how the HIPAA audit program may impact your company, please contact Helen Christakos at: hchristakos@carr-mcclellan.com or (650) 696-2545.
[1] “Covered Entity(ies)” are defined under 45 CFR 160.103 as: (1) health plans; (2) health care clearinghouses; or (3) certain health care providers who transmit any health information in electronic form in connection with certain transactions.
[2] “Business Associate(s)” are defined under 45 CFR 160.103 as entities that perform “certain functions or activities that involve the use or disclosure of protected health information on behalf of, or [provide] services to, a Covered Entity.” See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html