By: Jackie Bain
Section 13411 of the HITECH Act authorizes and requires the Department of Health & Human Services Office for Civil Rights (“OCR”) to provide for periodic audits to ensure that covered entities and business associates comply with the HIPAA Privacy and Security Rules. OCR conducted its first round of those audits in 2011 and 2012, and has announced that it will begin a second phase. Unlike the first phase of audits, which were limited to covered entities, both covered entities and business associates are intended to be audited during this second phase.
How will audited businesses be selected?
This fall, OCR will deliver pre-audit surveys to between 550 and 800 covered entities. OCR is attempting to obtain a fair snapshot of all covered entities, so these pre-audit surveys will be sent to health care providers, health plans, and health clearinghouses. Moreover, the audits will span the gamut of business sizes, from large corporations to solo practitioners. After pre-audit surveys are returned, OCR will randomly select 350 of those covered entities for a full audit. As a part of these full audits, covered entities will be asked to identify their business associates. OCR will then select 50 business associates to participate.
How will audits be conducted?
This particular phase will be conducted by desk audits. On one hand, this is less disruptive to your business because there is no site visit. On the other, however, your business will not have the same level of access to the auditors to casually ask questions and gain insight. In fact, OCR has stated that it will not allow businesses to ask questions or seek clarifications regarding requested information.
How long will your business have to respond to audit requests?
Your business will have twenty days from receipt of the audit notification letter to respond to OCR. Documentation that is submitted late will not be considered. A business that does not submit responsive information to the audit may be referred for a compliance review with a regional office of OCR.
What types of information will the audit seek?
Audits will focus on particular requirements of the HIPAA rules identified as problem areas in Phase 1 and specific subsets of covered entities and business associates. However, the proposed scope of the audits is still extensive. OCR will look to whether your business has engaged in regular risk analyses and reviews for information breaches; timely notifications of breaches (where appropriate); employee training; secure transmissions of protected health information; reasonable safeguards of information; and controls on releases of information.
What should my business do right now to prepare for an audit?
Start with the following:
- Confirm that your business has in place a policy and procedure for complying with HIPAA’s Privacy, Security and Breach Notification Rules, and that your employees are following such guidance.
- Confirm that your business has recently completed a risk assessment and has addressed all action items raised by that assessment.
- Be sure that your employees are trained in HIPAA compliance.
- Review your files for updated business associate agreements.
- If you are a healthcare provider, review your Notice of Privacy Practices to make sure it is up to date.
If you are particularly worried that your business is out of compliance, you might contact your attorney in order to gain insight about how to come into compliance.
Where can I get more information about the audit process?
OCR is in the process of updating its audit protocol online to reflect the new requirements implemented through the January 25, 2013, final rule and will post it to the OCR website. Once it is posted, covered entities and business associates can use the updated protocol to complete their own internal compliance assessments.