Will the HIPAA audit program become a model for other industries?
The Department of Health and Human Services’ Office for Civil Rights (OCR) is one step closer to fulfilling one of its mandates under the HITECH Act. The agency recently selected a firm to conduct HIPAA compliance audits of covered entities and business associates. KPMG, the firm chosen to carry out the work, is expected to conduct 150 audits by the end of 2012. A second firm, Booz Allen Hamilton, will determine which covered entities and business associates should be audited.
We wondered, could this be a vision of the future of privacy? Could the HIPAA compliance audit program model be adopted by other, non-healthcare industries? If the program is successful, what should we expect, if anything, across the industry spectrum?
The Daily Dashboard asked leading privacy attorneys and consultants for their opinions. Here’s what they said.
Partner, Davis Wright Tremaine LLP
“The HITECH Act calls for auditing covered entities (CEs) and business associates (BAs), so there is definitely the potential for audits of non-healthcare BAs (e.g., entities that are not healthcare companies but that host some personal health information for CEs). One of the biggest factors will be the success of Booz Allen in identifying the universe of BAs. I'm skeptical that it can be done reasonably well, and so I'm interested to see their approach.
As for the other questions, the future of these audits is very hard to predict once the HITECH funds run out. In the current budget climate, I don't envision a significant annual budget for such audits after 2012. However, HITECH provides that OCR gets to keep enforcement recoveries, so if the audit program is deemed a success, this may be where enforcement recoveries are allocated.”
Christine R. Ravago, CIPP, CISA
Manager, Advisory Services, Ernst & Young
“I would say the HIPAA compliance audit model has already bled into non-healthcare operations. We increasingly see companies that operate in complex environments—where only one facet of their operations is related to healthcare—take a conservative approach because of the potential risk to brand and reputation that a failure may cause. As a result, they are auditing their operations, both healthcare and non-healthcare components, to the standard demanded by HIPAA.”
Kirk J. Nahra, CIPP
Partner, Wiley Rein LLP
“The HIPAA compliance audit program is specifically mandated by statute, and addresses the very idiosyncratic requirements of the HIPAA Security Rule. I do not believe that an audit program—tied to a specific set of anticipated "answers" under the Security Rule—matches the overall approach of the rule very well. Therefore, I do not see this as being a particularly effective program in connection with the HIPAA Security Rule, nor do I see any realistic likelihood of a broad-based carryover to other areas. I expect that we will continue to see more and more detail to security compliance obligations, and ongoing enforcement in the event of breaches, but I do not see a likelihood of substantial ongoing proactive audit activities by any relevant regulatory agency.”
Partner, Poyner Spruill LLP
“Many regulators would have an important threshold to cross before they could effectively adopt the new OCR audit model; namely, the adoption of detailed privacy and information security requirements against which to audit private actors. In this country, detailed privacy and security requirements tend to be the exception rather than the rule. The situations where detailed privacy and security requirements are in place are industry-based or state-based. For example, HIPAA in the healthcare industry; the Massachusetts data security regulations that apply only when certain information about a Massachusetts resident is at issue; the insurance industry for which many states have adopted specific privacy and security requirements either by statute or regulation, and, of course, the financial industry, where the applicable regulators have adopted requirements (and developed audit standards) pursuant to Gramm-Leach-Bliley. These regulators could engage in detailed audits to assess compliance with the standards they enforce (and in the case of financial regulators, have done so for some time).
For most private businesses, however, the default regulators are (at the federal level) the FTC, which generally governs consumer matters, and the DOC, which governs commerce and, at the state level, state attorneys general. Those regulators have been relatively active in privacy and security enforcement, but do not usually have a detailed set of standards they can enforce against in the manner HHS is able to do for HIPAA. Instead, they apply general requirements, like prohibiting “unfair or deceptive trade practices” or (in many states’ laws) requiring “reasonable and appropriate security.” I think it would be impracticable and widely disputed by private industry if any of these regulators with more general authority tried to enforce a detailed set of standards, such as NIST or ISO, because those standards are not clearly mandated by the laws they enforce. In the absence of a detailed set of standards to audit against (like HIPAA), these regulators would not have a clear path to adopting the OCR audit model.
A number of factors are brewing that will or could dramatically change that. Most notably, there are a number of federal proposals in play that would potentially provide (or authorize the FTC to develop) stricter privacy and security requirements against which the FTC could audit in this fashion. States seem poised to include more detailed privacy and security requirements in their laws (Texas H.B. 300 being a recent example) and/or increasingly incorporate more specific standards into their laws by reference (such as Nevada incorporating PCI DSS and certain NIST specifications). As the requirements become more granular, the potential for audits of the type OCR is embarking on is greatly increased.
Once the standards are established, the OCR model will certainly carry appeal for federal agencies. It frees up their staff to engage in other endeavors; the consultants they are engaging arguably have greater audit experience and certainly more staff to conduct them, and the regulated community is likely to increase efforts toward compliance with the threat of an audit looming. The penalties associated with HIPAA noncompliance are more than sufficient to fund the agency’s contract with the auditor, so budget constraints should not present any hindrances. Recent HIPAA enforcement actions (UCLA, Rite Aid, CVS, Mass. General) have brought “resolution amounts” near or in excess of $1 million.
That goes a long way toward paying the $9.2 million contract with KPMG, which has not even begun to identify new enforcement targets based on the results of its audits.
The dangers for the regulated community in this model are many. Consultants are not lawyers and sometimes misconstrue legal requirements in their assessments. Hopefully the agency would be open to the enforcement target’s feedback in such cases. Judging by the number of HIPAA audits planned in a relatively short timeframe, it seems likely the work will be performed by multiple different teams, and KPMG may have to hire more personnel or subcontract. In either case, there is a danger of inconsistency in approach and results. The results are obviously crucially important to the enforcement target, which will face penalties up to $1.5 million per provision violated in a given calendar year. Since HIPAA includes dozens of substantive provisions, it is easily conceivable that targets could be fined multiple millions following from the audit, so the stakes are incredibly high.”
Agnes Bundy Scanlan, CIPP
Global Chief Privacy Officer, TDBG
“Based on a review of HIPAA/HITECH, the HIPAA compliance audit requirements mandated by HITECH will extend to business associates. While HIPAA/HITECH compliance audit requirements touch non-healthcare industries (i.e., financial institutions), it would seem that the possibility of an audit for a non-healthcare organization would be less likely given the large number of healthcare organizations that could be selected for an audit. However, it is important to recognize that since HITECH extended HIPAA compliance audit requirements to business associates, it would seem that someone (i.e., HHS) would come back to business associates to perform an audit. In addition to external audit concerns, organizations required to be HIPAA/HITECH compliant will also have to deal with state attorneys general, who will have the right to bring civil actions for HITECH violations, and potential scrutiny from internal audit departments.”
Ross Federgreen, CIPP
“It is my belief that OCR/HHS is very serious about the implementation of the HITECH audit provisions. OCR imposed its first civil monetary penalty of 4.3 million dollars in February 2011 against Cignet Health and several days later reached a settlement with Massachusetts General Hospital for one million dollars. HIPAA was initially viewed 10 years ago as a viable compliance issue but rapidly fell into the realm of a toothless tiger. With the announcement that KPMG has been contracted to complete approximately 150 "audits" over the next 12 to 18 months for a fee of 9.2 million dollars, and with the separate award to Booz Allen to determine who shall be audited, the process is very real.
The increased scope of the initiative, which now affects all "covered entities," and the potential utilization of this approach throughout the federal government's enforcement of privacy security matters is not surprising. Given the high visibility of identity theft and the universal political capital that solving this problem brings to legislators that verbalize and demonstrate a strong voice against these activities with emphasis on protection of the public, I believe that these types of actions will continue, increase in scope and increase across multiple areas that fall under federal jurisdiction.
The success of this program will lead to greater enforcement. This is the classic positive feedback loop. Success will be measured by the amount of dollars captured and the positive visibility of these efforts in the minds of the electorate.”