Employers are getting a bit weary of the federal government’s seemingly insatiable appetite for compliance audits. (Hmmm, maybe this is the wave of shovel-ready jobs that the Administration promised us via the stimulus programs.) In recent years, the federal payroll has soared as agencies add headcount in order to police the private sector. The Department of Labor, for example, has stepped up audits to ensure compliance with proper employee classification and other wage/hour issues. Likewise, the Department of Homeland Security’s I-9 audits have become nearly ubiquitous.
Entities subject to the 1996 Health Insurance Portability and Accountability Act can now take heart; they finally have been invited to the big dance. The 2009 Health Information Technology for Economic and Clinical Health Act aka HITECH -- gotta love those government acronyms -- requires the Department of Health and Human Services to conduct audits to ensure compliance with HIPAA’s data security and privacy requirements. In the pre-HITECH days, HHS’s role in policing HIPAA compliance was essentially limited to investigating complaints. Now, it must proactively conduct periodic audits of covered entities and business associates.
“Covered entities” include health care providers, health plans, some insurance companies and HMOs, and clearinghouses that provide services such as physician billing. “Business associates” provide products and services on behalf of covered entities in matters that involve disclosure of protected health information. Medical data contractors and law firms that represent health care providers fall into this category.
After nearly two years of preparation, HHS has awarded contracts to launch its audit blitz. The first contract went to Booz Allen Hamilton, which will identify for HHS the businesses to be audited. The second contract went to accounting giant KPMG, which will create an audit protocol and conduct up to 150 audits of covered entities. Audits will include on-site visits, interviews with various corporate officials, and examination of a host of operations, policies, and methodologies. Where deficiencies are noted, the offending entity will be put on a corrective action plan that includes specific actions to address identified compliance problems. [Note: While HHS expects that most, if not all, of the initial audits will be of covered entities, rather than business associates, it does not completely rule out the possibility of a business associate being audited, particularly if such an entity is suspected of non-compliance based on the results of an audit of a covered entity.]
Audits will likely begin by early 2012, if not sooner. Covered entities should immediately begin working with their internal compliance personnel and outside counsel to ensure that their policies and procedures are up-to-date and compliant. In addition to self-audits, they should confirm that any day-to-day privacy or operational issues that arise are adequately addressed by their policies and procedures. Finally, affected businesses should pay particular attention to the adequacy and timeliness of their HIPAA training programs, particularly for new employees.