Complaint Driven Vs. Audit Driven
In October 2008 the OIG (Office of Inspector General) conducted an audit of CMS (Centers for Medicare & Medicaid Services) regarding its oversight of HIPAA. Read the link for more information; it is well worthwhile, though for many the impact may be subdued by the auditese (auditor speak or lingo).
My summary of the report:
OIG was not very happy with the state of HIPAA oversight. They stated that the complaint driven process (which has been the means of raising HIPAA issues from the start) is NOT an EFFECTIVE mechanism.
Their recommendation was that CMS investigate and re-address the compliance review process for covered entities, common auditor speak for "implement an audit process of investigation". The OIG even went as far as to point out that the current HIPAA regulation already gives CMS and OCR (Office for Civil Rights) the authorization to conduct HIPAA Security Rule compliance reviews/audits of covered entities. Thus, they should have been doing this already.
So what does this mean for covered entities? Well, it means the kid gloves are off, and here is why I say that.
COMPLAINT DRIVEN PROCESS:
Somebody had to be aware of what HIPAA required, see a violation (actual or perceived), then report the violation to CMS and/or OCR, which would review it and then possibly investigate. The failure was part 1: "be aware of what HIPAA required". Having conducted numerous HIPAA awareness presentations to covered entities, I'm always amazed at the lack of understanding even 13 years later (2009 – 1996 = 13 years). My favorite questionnaire answer: Q: When was HIPAA written into law? 80% respond with A: 2003. Oh, what happened to the first 7 years of HIPAA?
AUDIT DRIVEN PROCESS:
Now CMS and/or OCR can call for a "semi-"scheduled review of a covered entity, much along the same lines as the "scary" Piedmont audit. There are many links on it; just do a Google search. The one I liked the most was the "42 questions". It is amazing that, still 2 years later, there has been no official release of the Piedmont audit findings.
This is very alarming. As an auditor I question: Were the findings THAT BAD that they could not be released? Was the audit process not structured enough that it could be argued it was not objective and/or comprehensive? Why the secrecy? Surely HHS would want to prepare fellow covered entities with a documented and proven method of conducting a compliance audit, if for no other reason than that they would be prepared.
SO HOW DO COVERED ENTITIES PREPARE?
One thing would be to start conducting their own in-house or internally driven audit investigations: almost a what-if analysis, should HHS schedule an audit this week, of where the CE (covered entity) would measure up against the regulation's requirements. Purely as a means to measure the difference between perceived compliance and actual compliance. Just like many areas of business, awareness and preparedness are critical to success. Just think of BCP (Business Continuity Planning): we prepare and plan for the unforeseen negative events that *MAY* affect the organization. However, we still prepare for them annually. (HINT: just in case you are unaware, yes, HIPAA does call for annual BCP and DRP reviews ! ! ! )
A common misconception is that HIPAA is an IT / technical problem. Not the case. When you look at the HIPAA Security Rule: 3/6 Administrative, 1/6 Technical, 2/6 Physical. HIPAA is not an IT issue; however, IT can help make or break the compliance stance of the covered entity, yes.
So prepare for a HIPAA audit. Don't think you will pass; know that you will.
my 2c from small town America
