Reprinted from REPORT ON PATIENT PRIVACY, the industry’s #1 source of timely news and business strategies for safeguarding patient privacy and data security.
In his first public comments since his consulting firm officially “exited the field” after wrapping up site visits for the initial 20 compliance audits, the top HIPAA official at KPMG says covered entities (CEs) are failing to complete basic tasks, such as conducting a risk analysis and giving out a notice of privacy practices.
Michael Ebert, national HIPAA services leader for KPMG, which is performing the audits for OCR, also said a review revealed a pharmacy chain that had failed to provide enough physical space to conduct medical consultations.
“We have walked into entities that are not fully compliant, of course, but what I think is great about this program is it’s really about understanding what the entities are doing and what additional guidance they need, at all levels,” Ebert said.
The unprecedented audit program, undertaken by the Office for Civil Rights as required by the 2009 HITECH Act, is expected to include an additional 95 audits of CEs before it concludes at the end of this year. OCR does not plan to release any findings until that time, and then only details that do not implicate CEs by name. Instead, a report will provide what Ebert termed not “best practices,” but “both better practices and weaknesses the industry has” in meeting the privacy and security rule requirements, which include breach notification mandated under HITECH.
However, OCR has also made clear that egregious findings could prompt an “enforcement investigation,” which sometimes concludes with a settlement agreement that identifies the errant CE and requires a financial payment to close a case (see story, p. 1).
The scope of work under the $9.2 million contract included the creation and the testing of the protocol in 20 audits, which was accomplished by March 1. “Draft reports are out for the first 10,” Ebert said at the recent National HIPAA Summit in Washington, D.C. From those audits “we’ve got some information” but findings are “going to evolve as we get through a greater population,” he said.
During his address, Ebert said the development of the audit program included the “arduous” creation of criteria for HIPAA compliance and then the development of the “protocol” for measuring that, while stressing, “We’re standing up a program that hasn’t existed before.” OCR has pledged to release the audit protocol publicly but had not done so by press time; Ebert’s comments provide the most information about the audits and protocol to date.
OCR based the HIPAA audits on Generally Accepted Government Accounting Standards, known fondly by financial geeks as GAGAS, and which are published in the so-called “Yellow Book.” GAGAS calls for “performance audits,” which can be executed by any governmental agency. Ebert said KPMG employs a former deputy director for the Government Accountability Office “who actually was one of the architects” of performance audits.
“KPMG actually has done now three of the top four largest performance audits that the government has contracted out for to date,” he said. “So we have a tremendous amount of knowledge and experience in this area.”
However, it was still necessary to “create performance criteria” to apply to the OCR audits, “and that’s the toughest thing,” he said. This was accomplished with the “KPMG team sitting in a room with the OCR team,” which included Sue McAndrew, deputy director for health information privacy, and David Holtzman, health information privacy specialist, and “having great discussions about how you measure and quantify compliance with the law.”
The protocol “can go at many different levels. And that’s the interesting aspect, because the protocol will always change. It depends on how far and how deep you go…how specific you want to get in the process,” he said. “The protocol is an evolutionary process, where the criteria are just the criteria. It will always be the measurement base that you are working against.”
Ebert noted that the protocol covers all of the privacy and security requirements, with the exception of the accounting of disclosures “because it’s still in draft.” A final rule for the accounting of disclosures, which includes controversial access reports, will not be included in the “omnibus” final rule that is expected to be released early this summer (RPP 4/12, p. 1).
CEs may find comfort in Ebert’s statement that OCR had “a tremendous amount of concern in not creating too much burden [for auditees] in how things got applied and how we did our work.” He called the audit approach “very balanced.”
Security Compliance Is Difficult to Measure
In addressing privacy, Ebert said, “there were serious questions we had, particularly when you get to areas of uses and disclosures, and minimum necessary.” Minimum necessary is a concept that has bedeviled many a CE and is the topic of guidance that OCR expects to issue when the final regulations are released (RPP 5/12, p. 1).
However, overall, “What we’ve always kind of known…is privacy is, again, very well defined. It’s not tough to understand. It may be tough to implement in some aspects but if you’ve got a good training program, if you’ve got a good awareness program, if you’ve got good governance and policies, the basic instruments” — those are the elements necessary for compliance, he said.
Creating the protocol varied for security versus privacy, he said. In the security rule, the specified standards “are directly definable but there wasn’t a lot of criteria within the law, where with privacy there was,” Ebert said. So the dialogue about the security portions of the protocol “was more balanced of a discussion about industry practices, standards that are out there and application of the standards.”
Ebert said developing performance criteria for the security rule and “to measure that and understand the application of that was a big struggle.”
Without providing specifics regarding noncompliance with the security rule, Ebert said KPMG has “seen a lot of issues at complex entities.”
Regarding who was audited, OCR used another consulting firm, Booz Allen Hamilton, to “identify audit candidates” and “provide background and recommendations” for the audit program, Ebert noted. As RPP reported in December based on a speech by an OCR official, the first 20 auditees were grouped by level of information technology sophistication and by type of entity, with four “levels” or tiers among them. Of the 20, 10 were providers, eight were health plans and two were clearinghouses (RPP 1/12, p. 1).
All Size CEs Were Audited
- Tier 1 organizations are the largest, with “revenues or assets greater than $1 billion,” and consisted of five entities: two health plans, two provider organizations and one clearinghouse. These had “extensive use of health information technology, complicated HIT-enabled clinical and business work streams.”
- Tier 2 was composed of six entities: three health plans, two providers and one clearinghouse. These included hospital systems with three-to-10 hospitals or regions, and regional insurance companies. Assets among the entities in this group are valued at between $300 million and $1 billion.
- Tier 3 had one health plan and two providers, which could include community hospitals, outpatient surgery centers, pharmacies and “self-insured entities that don’t adjudicate their claims.” With revenues between $50 million and $300 million each, these organizations had “some but not extensive use of HIT [and] mostly paper-based workflows.”
- Tier 4 consisted of six entities: two health plans and four providers, which were described in OCR presentations as a provider practice with 10-to-15 providers, and a community or rural pharmacy. These would have “little to no use of HIT — almost exclusively paper-based workflows” and “less than $50 million” in revenues.
The audited entities ranged in complexity from “single physician practices to complex acute care medical centers,” Ebert said. “And in the first 20 we’ve hit the complete landscape.”
It would seem, based on Ebert’s comments, that the program has hewed pretty closely to how it was described by the OCR official and as presented on OCR’s website, with a possible exception being audits of at least one single-physician practice, which had not appeared to be part of the program. “As you can imagine, we freaked out single physicians when we showed up,” Ebert quipped.
While the information OCR posted said the audits would include three-to-10-day visits for “onsite fieldwork,” Ebert said these “run up to seven days in the field,” compared to three-to-four days for a single physician.
Auditors will arrive “within 30, 60 or 90 days” after an entity has been notified and has complied with a request to submit specified policies and procedures. This request, Ebert hastened to add, “is not a complex advance request list. It’s not the audit.”
One aspect of the audits that Ebert described as “really cool” might cause CEs to shudder. Apparently, a covered entity can do its best to ensure broad compliance across all aspects of its operations, while the audit team might zero in on one department.
“We can go in an acute care academic medical center and just look at a very small component like pharmacy or oncology,” Ebert said. OCR is directing the teams to focus on just those areas that have been given a “unique identifier” within the entity, he said.
The audit itself, he contended, “is pretty simple. It’s validating what you have in place and what you don’t have in place.”
Site Visits Result in ‘Findings’
At the end of site visits, “we have findings. We sit down, and we talk about those findings.” An entity may provide further information to mitigate a finding, or clarify something it thinks the team has “misrepresented,” Ebert said. However, once that discussion period ends, time’s up for trying to prove compliance, Ebert added.
“We’ve had entities contact us 30 days out of the field, ‘Hey, I’ve remediated the whole process, you can take the finding off.’” But KPMG responded with, “Well, no, we were in the field, the finding existed, it’s great that you were that proactive and remediate[d] it, but it’s a finding,” Ebert said.
Before findings are submitted to OCR, KPMG sends draft reports to the entities and permits them to respond; their comments will be included. Once a formal report has gone to OCR, the agency will review the findings to determine whether to exercise its option to “do an enforcement-type of investigation.”
As required, KPMG reviewed the protocol after the audits were completed, and found it worked well and did not need to be changed much, Ebert said. A few tweaks, for example, were done to clarify for KPMG personnel that in HIPAA-land, an audit log is an accounting of access, not a financial term.
‘Do a Risk Assessment!’
In addressing what covered entities should be doing in light of the audit program, Ebert said: “Do a risk analysis, risk assessment.”
“I’ll tell you now, on everything we do, that’s the biggest weakness we see,” he said.
Ebert added that “People need to understand that safeguarding PHI goes beyond electronic. It goes to paper and oral. So how you set up your ERs, how you set up your consultation area” matter, he said.
“We did a review at a large national pharmacy chain and they didn’t have consultation areas that were private enough in a good 20% of their stores,” he said. “It was just the nature of the design. They had not updated their design in some of their stores. And they are doing that now. That was an interesting finding. They were like ‘Oh, we missed that.’”
He also related a personal anecdote about being a patient in an emergency room and never receiving a notice of privacy practices (NPP), despite asking for it. He later learned the hospital’s information system issues an NPP only upon admittance as an inpatient, a definite no-no. Once a patient is about to receive treatment, an NPP should be provided on the spot. Failing to give out an NPP as required “is not uncommon,” KPMG has found.
“These are the common aspects [of noncompliance] that you start to see and we all get to see it,” Ebert said. Withholding an NPP is among the “little things that fall through the cracks on the privacy side.”
© 2012 by Atlantic Information Services, Inc. All Rights Reserved.