The digital health information “Chicken Littles,” who have been writing and saying for the past year that the Office of Civil Rights (“OCR”) of Health and Human Services will ramp up HIPAA Security enforcement with surprise (“spot”) audits have been proven at least partially correct. On December 1, OCR published its sample audit letter (“sample” letter), indicating that the entity will be the subject of an audit, conducted by KPMG LLP, within thirty to ninety days of receipt of the letter. A current HIPAA Security Risk Analysis is the best way to prepare for the audit, and to demonstrate, in the event of a data breach, that the organization’s protocols are defensible because it had taken reasonable steps toward compliance with the HIPAA Security Rule.

The audits had been announced in a Press Release from OCR on November 8, 2011 at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html. The audit program, authorized by the HITECH Act, is as wide as it is deep, reaching HIPAA Business Associates such as law firms and HIT consultants as well as traditional Covered Entities such as health plans and providers.

The HIT Chicken Littles need not be proven one hundred present prescient, though, because now that Covered Entities and Business Associates have been forewarned, they can take steps to prevent the digital sky from falling. First, conduct and document (or update) your HIPAA Security Risk Analysis. A current documented Analysis is required by 45 C.F.R. § 164.308(1)(ii)(A), and will be one of the first items requested by the auditors. The time to begin the Analysis is not when you have received the Audit Letter.

The HIPAA Security Risk Analysis is an interdisciplinary initiative comprising IT Health Information Management, Risk Management, Legal and Clinical Departments (front-line HIT users). It is, in our experience, best facilitated by experienced outside counsel who will also sign the Analysis documentation. Please contact us to discuss preparation of the HIPAA Security Risk Analysis before you receive an Audit Letter. If you are the subject of an Audit we can provide counsel at every step of the way.

• Tweet