News & Press: Legal Updates

Research Firms Should Prepare for New HIPAA Audits

Tuesday, March 18, 2014  
Share |

                                                         HIPAA Audits Planned for 2014
               “Business Associates” Should Review Procedures Now to Ensure Compliance

                                          Alert from CASRO General Counsel

A development in the sphere of HIPAA data protection serves as a reminder that research organizations acting as business associates in connection with pharma market research are no longer flying under the enforcement radar with regard to data protection, including compliance audits under HIPAA’s Privacy, Security and Breach Notification Rules.
The Office of Civil Rights (“OCR”) of the Department of Health and Human Services is gearing up to establish a permanent HIPAA compliance audit program in 2014.  The OCR conducted a pilot audit program in 2012, in which 115 entities were audited for HIPAA compliance by KPMG, the OCR’s audit contractor.

As an initial step in the new round of audits, the OCR intends to survey a total of approximately 800 covered entities and 400 business associates to determine the group of entities that will be subject to the first round of audits under the permanent audit program. Susan McAndrew, the OCR’s deputy director for health information privacy, pointed out that the survey responses will determine which respondents are suitable candidates for audits.

The OCR has indicated that the audits under the permanent program will focus on fewer categories than the pilot program.  Based on the results of the pilot program, one focus of the new round of audits will be a company’s timely and thorough risk assessment, which the pilot audit program determined was a weak point in HIPAA compliance.  Other problem areas in the pilot program that might also be a focus of the new audits are outdated policies and procedures, failure to implement policies and procedures, and lack of awareness of compliance requirements.

When the new round of audits will commence is not clear. The OCR has published a notice in the Federal Register requesting comments on its plan to survey potential audit candidates and is accepting comments through April 25, 2014. Accordingly, the process would have to commence well after that date. Late last year, OCR Director Leon Hernandez stated that that the audits would begin in the “next calendar year” while earlier OCR statements had indicated fiscal 2014, which begins for the OCR on October 1, 2014.

The OCR has suggested that it will attempt to bring the audit functions in-house for the new round of audits, rather than relying on outside contractors.  Commentators believe that use of some outside audit contractors will nonetheless be necessary.

The process for the audit should begin with a notification letter from the OCR. For the pilot program, the OCR also developed an “audit protocol” to assist audit subjects in preparing for the audits. The auditor (whether that is the OCR or a contractor) would then request documentation and information.  Although on-site visits were part of the audit process in the pilot program, whether that will be the case in all audits under the new program is unclear given the larger pool of audit subjects and the narrower scope of individual audits. After the audit is concluded, the auditor would then issue a report to the OCR.

The OCR has clarified that an audit does not constitute an investigation or an indication that any complaint has been filed. The audits are intended to be random and to provide a basis on which to improve compliance generally.  However, if an audit reveals serious compliance issues, the result could be the opening of a separate compliance investigation.

Accordingly, research organizations doing pharma research who enter into business associate agreements (or otherwise act as business associates) should review their policies, procedures and data handling and security practices to insure that they (and their vendors and subcontractors) are HIPAA compliant.

Community Search
Member Log In

Forgot your password?

Not A CASRO Member?

Latest News
Website Underwriters