Research Firms Should Prepare for New HIPAA Audits
Tuesday, March 18, 2014
HIPAA Audits Planned
“Business Associates” Should Review Procedures Now to Ensure Compliance
Alert from CASRO General Counsel
in the sphere of HIPAA data protection serves as a reminder that research organizations acting as business associates in connection with pharma market research are no longer flying under the enforcement radar with regard to data protection, including compliance audits under HIPAA’s Privacy, Security and Breach Notification Rules. The Office of Civil Rights (“OCR”) of the Department of Health and Human Services is gearing up to establish a permanent HIPAA compliance audit program in 2014. The OCR conducted a pilot audit program in 2012, in which 115 entities were audited for HIPAA compliance by KPMG, the OCR’s audit contractor.
As an initial step in the new round of audits, the OCR intends to survey a total of approximately 800 covered entities and 400 business associates to determine the group of entities that will be subject to the first round of audits under the permanent audit program. Susan McAndrew, the OCR’s deputy director for health information privacy, pointed out that the survey responses will determine which respondents are suitable candidates for audits.
has indicated that the audits under the permanent program will focus on fewer categories than the pilot program. Based on the results of the pilot program, one focus of the new round of audits will be a company’s timely and thorough risk assessment, which the pilot audit program determined was a weak point in HIPAA compliance. Other problem areas in the pilot program that might also be a focus of the new audits are outdated policies and procedures, failure to implement policies and procedures, and lack of awareness of
new round of audits will commence is not clear. The OCR has published a notice in the Federal Register requesting comments on its plan to survey potential audit candidates and is accepting comments through April 25, 2014. Accordingly, the process would have to commence well after that date. Late last year, OCR Director Leon Hernandez stated that the audits would begin in the “next calendar year” while earlier OCR statements had indicated fiscal 2014, which begins for the OCR on October 1, 2014.
The OCR has suggested that it will attempt to bring the audit functions in-house for the new round of audits, rather than relying on outside contractors. Commentators believe that use of some outside audit contractors will nonetheless be necessary.
The process for the audit should begin with a notification letter from the OCR. For the pilot program, the OCR also developed an “audit protocol” to assist audit subjects in preparing for the audits. The auditor (whether that is the OCR or a contractor) would then request documentation and information. Although on-site visits were part of the audit process in the pilot program, whether that will be the case in all audits under the new program is unclear given the larger pool of audit subjects and the narrower scope of individual audits. After the audit is concluded, the auditor would then issue a report to the OCR.
The OCR has clarified that an audit does not constitute an investigation or an indication that any complaint has been filed. The audits are intended to be random and to provide a basis on which to improve compliance generally. However, if an audit reveals serious compliance issues, the result could be the opening of a separate compliance investigation.
Research organizations doing pharma research who enter into business associate agreements (or otherwise act as business associates) should review their policies, procedures and data handling and security practices to ensure that they (and their vendors and subcontractors) are HIPAA compliant.