One of the lesser known requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Services (HHS) to conduct periodic audits to ensure that healthcare organizations and their business associates are complying with HIPAA laws.
Running from November 2011 to December 2012, the HHS Office for Civil Rights (OCR) launched a pilot program by selecting 115 organizations across the country to undergo the scrutiny of privacy, security and breach notification audits conducted by KPMG, one of the largest auditor organizations in the world.
The OCR does not plan to penalize targets for pilots unless they uncover “serious compliance issues.” The HITECH Act has civil penalties for HIPAA violations that can reach $50,000 per violation and up to $1.5 million for identical violations across multiple records in a single calendar year. As the OCR audit program moves from pilot to a fully enforced program in 2013, the number of surprise audits and fines are expected to skyrocket.
In June 2012, the OCR released a copy of the protocol it is using to audit organizations against HIPAA compliance in their pilot program. The protocol provides a breakdown of specific audit criteria they are currently using for the latest HIPAA audits. The protocol includes 169 specific performance criteria organized around compliance in three areas: the HIPAA Privacy Rule, Security Rule and Breach Notification Rule.
The initial audit is targeted toward covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) during the 2012 pilot program. Business associates such as data center operators and cloud computing providers were not included in the pilot program, but are expected to be included in audits starting next year.
Data center operators and cloud providers that host Electronic Protected Health Information (ePHI) in their data centers are considered business associates under HIPAA law. As such, any company hosting ePHI can be subject to future audits and potential seven-figure fines by the OCR.
Multi-tenant data center and cloud operators must protect themselves and their healthcare clients from violating HIPAA laws. Most healthcare providers and health IT companies require HIPAA compliance from their hosting provider.
HIPAA compliance is no small investment. Data center operators must not only deliver the technology to meet the administrative, physical and technical safeguards required by the HIPAA security rule, they must also invest in policies, training, breach notification processes, legal support for business associates agreements, and HIPAA breach insurance. In addition, the organization must commit to consistently monitoring the safeguards and processes to ensure the security of ePHI.
One of the best assurances healthcare clients can get that the appropriate technology, processes and policies are in place is by reviewing the data center’s annual HIPAA audit report on compliance. The HIPAA audit should be conducted by a reputable third-party auditor and cover all 169 requirements of the HIPAA law.
Up through early 2012, there was no standard for third-party auditors to conduct a HIPAA audit. There have been a number of audit approaches used to help ensure compliance with the HIPAA laws. With the publication of the new OCR audit program protocol auditors are able to gain a more consistent direction on how the OCR will conduct HIPAA audits in the future. The new protocol should guide independent auditors to adjust their auditing standards against the federal governing body of HIPAA.
While no one enjoys the threat of a government-sponsored audit program, and even worse, the possibility of multi-million dollar fines, the U.S. government is demonstrating that they are taking HIPAA law enforcement seriously – and so should data center operators, as well as the healthcare organizations that use the services of data center operators.
Since healthcare clients are facing multi-million dollar fines for violations of HIPAA law by their business associates, these companies are requiring data centers and cloud providers to provide an annual third-party independent HIPAA report on compliance.
With audit guidance in place from the OCR, it won’t be long before the healthcare industry raises the bar on third-party audit requirements to include adherence to the new OCR HIPAA Audit Program Protocol.
View the complete OCR HIPAA Audit Protocol program, including all 169 criteria and respective audit procedures at HHS.gov.
This article was published in DataCenterKnowledge.com’s Industry Perspectives column on November 15, 2012.