As part of its HIPAA enforcement efforts, the Department of Health and Human Services (HHS) has put in place an audit pilot program with the intent to verify and prevent security breaches.
- Target companies: HHS plans to audit 150 entities, healthcare providers and employers who sponsor group health plans. Companies with specific risk factors, such as the amount of data they control, or those with highly sensitive records, such as the health records of celebrities, are the most likely to be audited. Targeted entities must provide the requested information within 10 days of being contacted by HHS.
- Information: the requested information will include, at minimum, documentation of their privacy and security compliance efforts (e.g. policies, forms, notices, training materials, etc.). Additionally, on-site visits will be included in every audit. Fieldwork may last up to 10 business days, during which time the auditor will be conducting interviews with key personnel and observing the covered entity’s operations for compliance.
- Corrective actions: entities that experience a HIPAA breach must provide notice to affected individuals and take steps to prevent further breaches, among other things. To correct HIPAA violations, HHS has, among other actions, required covered entities to improve technology security, enter into a business associate agreement, train staff, and counsel employees who violate HIPAA policies.
- Potential penalties: monetary penalties for HIPAA violations are based upon whether a covered entity knew of the HIPAA breach, whether the breach was due to willful neglect, and whether proper corrections were made. There are tiers of penalties per violation ranging from $100 to $50,000.
- Practical tips for a possible audit and everyday compliance: the objective of the pilot audit program is to ensure HIPAA compliance. For covered entities, this is a good time to revisit their current HIPAA policies and procedures for compliance with the privacy and security standards. If you receive an audit notification letter, speak with your attorney immediately to ensure your documentation and operations are in compliance with the regulation. Give the auditor a written copy of your HIPAA privacy and security policies and procedures; this will most likely be the starting point for HHS.
Additional information on this topic can be found at www.hhs.gov