Federal enforcers are preparing to audit healthcare organizations for how well they establish and follow privacy and security practices and data breach notification standards.

The Office of Civil Rights published the procedures to be assessed when examiners conduct performance audits to assure that health plans and payers and their business associates safeguard health information. The audits are called for under the HITECH Act.

[See also: Newsmaker Interview: Mac McMillan]

OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) and oversees health information privacy in the Department of Health and Human Services.

The audit protocol released June 26 details activities, including conducting a risk assessment, acquiring IT systems and services if needed to protect health information and developing and deploying information system review processes, such as audit logs and security incident tracking reports.

The audit protocol covers how effectively organizations establish the policies and requirements for the HIPAA Privacy Rule for notice of privacy practices, rights to request privacy protection for protected health information, access by individuals to the information, administrative requirements, uses and disclosures of health information, accounting of disclosures and changes to health information.

The audit protocol also covers HIPAA Security Rule requirements for administrative, physical and technical safeguards for health information, and breach notification procedures.

[See also: 3 hot buttons that can trigger an OCR audit]

OCR has piloted a program to audit 115 plans and payers and some business associates to get a field assessment of how organizations are complying with privacy and security protections. Audits began in November 2011 with the first group of 20 organizations and will conclude in December.

Audits present an opportunity to examine methods for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s complaint investigations and compliance reviews. OCR will share best practices it learns through the audits and provide guidance aimed at compliance challenges.

During the pilot audits to date among large and small hospitals and integrated systems and small providers and group health plans, OCR has found privacy challenges throughout all the entities and all sizes but many more vulnerabilities in the smaller organizations, according to Linda Sanches, OCR senior adviser on health information privacy, and lead on HIPAA compliance audits.

“Doing a risk analysis was a sore point among those we looked at,” she said at a recent HIPAA conference, adding that contingency planning and monitoring access activity were also issues.

The risk of non-compliance can lead to other investigations if an audit raises issues; possible penalties and state actions; and the cost of notification, which can be quite high, she noted.

In addition to risk analysis, Sanches said that based on her early observations from the first pilots organizations still need to:

• Establish and follow privacy and security policies and procedures
• Make HIPAA compliance a priority
• Update risk analyses periodically for those who have done one -- once is not enough
• Think about third parties who are not required to monitor compliance of their business associates, but if a compliance problem is made known, how to resolve it

[See also: 10 tips to prepare for an OCR audit]