'Don't Panic' on HIPAA Audits

Adam Greene Offers Preparation Advice
'Don't Panic' on HIPAA Audits
When preparing for a potential HIPAA compliance audit, former HIPAA enforcer Adam Greene advises healthcare organizations: "Don't panic. I'm skeptical if it's possible for an organization to be 'audit-proof.' If you try to scramble and get everything in order, you may fail."

One important audit preparation step, Greene says, is to conduct a "walk through" to make sure privacy and security policies and procedures are practical and effective. "There are a lot of policies and procedures that look really good on paper, but in the reality of a complex and busy environment, they just don't work in practice," says Greene, who formerly worked on HIPAA enforcement issues for the Department of Health and Human Services' Office for Civil Rights.

"You have to go down to the staff, look around, and see what's working and what's not. If you don't do it, the auditors will. And so you want to have a fresh set of eyes looking at this before they come," he says in an interview with HealthcareInfoSecurity.com's Howard Anderson (transcript below).

The long overdue HIPAA privacy and security rule compliance audit program, mandated by the HITECH Act, will begin either late this year or early next year after audit protocols are tested with preliminary audits at about 20 organizations, an OCR official says (see: McAndrew Explains HIPAA Audits).

HIPAA Audit Prep Tips

In the interview, Greene, now a partner in the Washington law firm Davis Wright Tremaine, offers advice on audit preparation, including:
  • Make sure your organization has up-to-date privacy and security policies and procedures "rather than just a binder that's been sitting on a shelf for five years."
  • Check that staff training is up-to-date and comprehensive, especially as new issues develop.
  • Create a clear sanctions policy and apply it. A compliance program will be ineffective "if people don't feel there are consequences for violating it," Greene stresses.
  • Be prepared to provide extensive documentation, including a risk analysis and a risk management strategy. Auditors will want to see "clear documentation that you've looked at the risks specific to your organization and that you have managed those risks," he says.

A veteran health law attorney, Greene until recently was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing HIPAA privacy and security rules as well as the breach notification rule. He was responsible for determining how HIPAA rules apply to new and emerging health information technologies and was instrumental in the development of the current enforcement process. In his new role as partner at Davis Wright Tremaine LLP in Washington, he specializes in HIPAA and HITECH Act issues.

In an earlier interview, Greene offered insights on the proposed Accounting of Disclosures rule (See: Author Describes Disclosures Rule). Potential Impact of Audits HOWARD ANDERSON: The HHS Office for Civil Rights has entered a $9.2 million contract with KPMG to launch a HIPAA compliance audit program, as mandated under the HITECH Act. Federal officials estimate that up to 150 audits could be conducted by the end of 2012, which means the odds of getting out of there are somewhat remote. How do you expect this auditing program might affect healthcare organizations' HIPAA compliance strategies?

ADAM GREENE: I think that's going to be up to the organizations themselves quite a bit. There are some organizations who will take the possibility of an HIPAA audit as a good opportunity to evaluate and update their HIPAA compliance programs. I think that some organizations may be willing to roll the dice and figure that with 150 out of such a large number of covered entities out there, it's unlikely that they will be selected. And as is the case when you roll the dice, I think there will be some winners and there will be some potential losers if they invoke that strategy. So 150 is a small number compared to the number of covered entities but it won't be small to the unlucky few 150 who actually are selected.

On-site Visits

ANDERSON: Auditors will make on-site visits to interview senior executives at healthcare organizations. What can hospitals, clinics, insurers and others expect during those on-site visits?

GREENE: It's hard to say at this point since the audit protocol is still under development, but I would expect that they're going to, first and foremost, respond to some of the documentation that they would have requested beforehand. If there are any issues that are raised by the documentation, I would expect that's an area that the auditors will want to talk about. They'll certainly want to talk about, in general, the policies and procedures, how the program is working, whether it seems to be effective or not, staff training ... and how the entity is ensuring that it has one that's sufficiently trained. There may be questions about incidents, either incidents that have been identified ahead of time and documentation or just a general question about what sort of incidents have occurred. I would expect that those are going to be some of the main areas that they're going to be looking at.

Preparing Documentation

ANDERSON: Auditors will ask for certain documentation in advance, as you just mentioned. What kind of documentation would you suggest that organizations have ready to help prove their compliance?

GREENE: First and foremost, with respect to the HIPAA security rule, they'll want to have both the underlying risk analysis and also a related risk management strategy. They'll want to have clear documentation that they have looked at the risks that are specific to their organization and that they have managed those risks. And that documentation, especially the risk management, should show how they thought about different security issues. For example, if they're choosing not to do something or if they believe that a risk is sufficiently low, this really should be documented. Also, there will be a need for policies and procedures on the security side, on the privacy side and also on the breach notification side. I would expect that they would be expecting comprehensive policies and procedures. And another area that they may look at is employee training, so making sure that there is training in place, that it's good training, it's comprehensive training and evidence that members of the workforce have been trained. If you have a training module but have no way of demonstrating that people have actually been trained in it, it would be helpful to collect that documentation.


ANDERSON: So for example, if an organization was not encrypting data stored on laptops, they'd want to have documentation as to why they came to that decision and what alternative measure they're using.

GREENE: Yes, and this would be a good opportunity to update that documentation. For example, if back in 2005 an organization looked at encryption of data at rest and then considered that it was addressable and made a determination that, based on the cost and other factors, it was not reasonable and appropriate, it's great if they have that documentation. However, a lot has changed since 2005. And if you haven't updated that documentation, it would be good to reassess that, because, in the case of encryption, for example, technology has changed and costs have come down significantly. So you want to make sure your documentation is up-to-date.

Steps to Prepare

ANDERSON: What are some of the other critical steps to take to prepare for a potential audit?

GREENE: Don't panic. I'm skeptical about if it's possible for an organization to be "audit-proof." If you try to scramble and get everything in order you may fail. Places to focus on would include policies and procedures, making sure that you have them and making sure they're up-to-date rather than just a binder that's been sitting on a shelf for five or eight years. Training: Make sure that training is up-to-date and that it's comprehensive, especially as new issues have developed. If you've had five incidents related to improper disposal of protected health information but your training does not in any way touch on how protected health information should be disposed, that's something I think could be a critical vulnerability and something that a covered entity should look at updating. Sanctions: Have a clear sanctions policy and apply it. Your compliance program won't be very effective if people don't feel that there are consequences for violating it. ... Make sure it's clear and that there are repercussions with respect to the work staff if they violate the policies and procedures. Those are some of the key areas that I would initially focus on.

The other thing is something as simple as just doing a walk-through. There are a lot of policies and procedures that look really good on paper, but in the reality of a complex and busy environment they just don't work in practice really well. And that's not something that you're going to be able to find sitting in the office of the privacy officer. It's something that you have to go down to the staff, look around and see what's working and what's not. That's going to be one of the most effective things because if you don't do it, the auditors will. So you want to have a fresh set of eyes looking at this before they come.

ANDERSON: Any other final insights on what to do when you're notified that you've been selected for an audit? What happens when you get that notice in the mail?

GREENE: Once again it's not an area to panic on but it's an area to take very seriously. We don't know at this point whether these audits are going to lead to enforcement actions. I know Susan McAndrew of OCR has indicated [in a recent interview] that there is certainly the possibility that if large violations are found then they may lead to enforcement action. It's a good opportunity to look for what potential large violations might be there and think about whether you're going to need outside help in dealing with this process, because you don't want to take this lightly.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.