Representatives from the HHS Office for Civil Rights (OCR) said last week that OCR plans to begin conducting HIPAA compliance audits for security and privacy later this year, implementing a proactive audit program required under the provisions of the HITECH Act and marking a shift from the largely reactive approach to compliance and enforcement seen since the HIPAA Privacy and Security Rules went into effect in 2003 and 2005, respectively. Susan McAndrew, OCR's Deputy Director for Privacy, said in an interview that OCR is still working to determine the best model to use for compliance audits, but noted that when implemented, the audit program will likely be contracted out, rather than performed by OCR staff, and that audits will focus on how covered entities are meeting specific HIPAA requirements such as implementation of appropriate safeguards and seek evidence that risk analysis, contingency planning, and other key activities are in fact being carried out.
The HITECH Act included several provisions intended to strengthen HIPAA enforcement, including increasing civil and criminal penalties for HIPAA violations, giving state attorneys general the right to sue covered entities for violations on behalf of state residents, and obligating OCR to launch formal investigations in cases where willful neglect of HIPAA rules is involved. All of these measures still focus on HIPAA violations after they have been reported, typically through complaints filed with the government alleging violations. OCR has long been responsible for HIPAA Privacy Rule compliance activities, and was given responsibility for Security Rule enforcement last July (it was previously handled by CMS). The standard enforcement process OCR uses allows for compliance audits of covered entities, but practically speaking, investigative and enforcement actions depend overwhelmingly on the complaint process. In contrast, shifting to a more proactive stance and checking for compliance by covered entities absent any complaints is accurately perceived as a significant strengthening of HIPAA enforcement, particularly for security. This comes as welcome news for those in the healthcare privacy and security arena who believe that reactive enforcement alone is tantamount to no enforcement at all — a belief supported by the paucity of civil and, especially, criminal cases brought against violators, and by recent surveys that suggest that large percentages of healthcare organizations have not implemented core Security Rule requirements such as conducting a risk analysis.
While the additional responsibility for HIPAA security enforcement came with some additional OCR resources, regardless of the audit approach adopted by OCR, two obvious questions are what level of compliance auditing is even feasible given the Office's resources (contractor or in-house), and will that amount of auditing be able to provide any meaningful information about compliance levels more broadly? OCR has indicated that it wants to settle on a model first, and then determine the best approach to implement the model, but the importance of the model itself should not be underestimated. The envisioned audit process purports to examine the extent to which the safeguards put in place by covered entities are appropriate, but there is no measurable standard for the full set of administrative, operational, and technical security controls called for in the Security Rule, so OCR either needs to come up with one, or alternatively produce some consistent guidance by which subjective determination of security control effectiveness — and by extension, Security Rule compliance — can be made.