During 2014, two different audit programs
conducted by the U.S. Department of Health and Human Services (“HHS”) will
continue to focus on HIPAA security risk assessments.
The first audit program, currently being
conducted by HHS’ Centers for Medicare and Medicaid Services (“CMS”), concerns
eligible hospitals and professionals who seek incentive payments for
“meaningful use” of electronic health records under the EHR Incentive Program
for Program Year 2013. One of the “meaningful use” audit criteria for
this Program Year requires documentary evidence that a security risk assessment
or analysis was conducted to ensure the privacy and security of patients’
protected health information.
The second audit program, to be conducted by
HHS’ Office of Civil Rights (“OCR”), will concern both HIPAA Covered Entities
and Business Associates and their compliance with HIPAA privacy and security
requirements. Evidence of security risk assessments will be critical to
the OCR’s 2014 audit criteria.
As a result of a collaborative effort by the
OCR and HHS’ Office of the National Coordinator for Health Information
Technology (“ONC”), a new security risk assessment tool has been published
online at www.HealthIT.gov/security-risk-assessment.
Additional video and tutorial resources are also available. These tools
are available to help HIPAA covered entities and business associates, and
those covered entities seeking “meaningful use” incentive payments, comply
with the related HIPAA and Program Year 2013 requirements.
Questions regarding these audit procedures
or the conduct of a security risk assessment process should be directed to
Susan Ziel at sziel@kdlegal.com or
Meghan McNab at mmcnab@kdlegal.com.