As the use of electronic personal health information (PHI) continues to rise and public concern mounts over privacy and security at healthcare centers, the US Department of Health & Human Services’ Office for Civil Rights (OCR) is finally implementing a formal audit process that will ensure that the privacy, security, and breach notification standards that were set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are upheld. All entities that are covered under HIPAA are now eligible for the audit process, including hospitals, health insurers, health care clearinghouses, and any health care providers that transmit PHI electronically. Additionally, phase two of the audit process, which will be completed at the end of 2016, includes auditing the entity’s business associates in order to ensure that all professional actions associated with the covered entity are HIPAA compliant. The implementation of such an audit process is long overdue, for the Health Information Technology for Economic and Clinical Health Act (HITECH) mandated in 2010 that audits must be completed at HIPAA-covered entities—however until now no formal process existed and the OCR would usually only investigate noncompliance cases following complaints, media attention, or a self-reported breach. Nonetheless the development of a standard audit protocol does indicate that the OCR is now taking the rise in non-compliance with HIPAA standards very seriously. Recent studies have found that about half of covered entities are noncompliant with at least one privacy standard, a shocking finding considering that a data breach of health information has the potential of putting millions of patients at risk.
The establishment of this audit process is of direct significance to all anesthesia management companies and anesthesia providers who are covered by HIPAA regulations, and it is thus critical to understand the specific process and the objectives of the audit in order to prepare for an inevitable review in the near future. While the HIPAA audit process may seem daunting, it is also a way for anesthesia management companies and providers to improve their security, identify any systemic flaws, and adopt a set of best practices that both honor and respect patients’ privacy.
During a given round of audits, OCR wishes to review a random sample of entities that is representative of the geographic, size, and structural diversity of all entities covered. When evaluating an entity, first a desk audit of the covered entity will occur, followed by a desk audit of the entity’s business associates, and finally there is the possibility of an onsite audit that will be even more rigorous and evaluate additional privacy requirements under HIPAA. A selected entity will be notified of the audit by email and will then have approximately two weeks to begin to deliver the appropriate documents to OCR through a secure online portal. Because the timeframe for submitting documents is so brief, one of the best ways to prepare for a potential audit is to gather all documented evidence of risk management plans, notices of privacy practices, and breach notification policies beforehand. All collected information will be analyzed, a draft of the findings will be presented to the audited entity, and the entity will have the ability to formally comment on any of the findings from the audit. Lastly the final report will be published, highlighting general issues and room for improvement in all audited entities, while not releasing individual entities’ names or specific violations. An individual entity will only be investigated further if a flagrant problem was found. Ultimately the OCR wishes to use this process not to financially punish those that are noncompliant but instead to identify systemic vulnerabilities and obstacles that entities face in order to equip them with better tools and practices to thus facilitate HIPAA compliance and reduce privacy breaches.