OVERVIEW

The Department of Health and Human Services (HHS) announced that it has launched the second phase of its HIPAA audit program, which focuses on compliance with HIPAA’s Privacy, Security and Breach Notification Rules.

This second phase of the HIPAA audit program covers both covered entities and business associates. HHS’ Office for Civil Rights (OCR) has already started sending emails to covered entities and business associates to verify their contact information. Next, OCR will send a pre-audit questionnaire to gather data about potential auditees. OCR will use this data to select covered entities and business associates for audits.

According to OCR, these HIPAA audits are primarily a compliance improvement activity. However, if an audit reveals a serious compliance issue, OCR may initiate a compliance review to investigate.

ACTION STEPS

To prepare for a possible HIPAA audit, covered entities and business associates should review their compliance with HIPAA’s Privacy, Security and Breach Notification Rules.

OCR has stated that it will post an updated audit protocol on its website closer to conducting the 2016 audits. Once it is available, this audit protocol can be used as a guide for internal self-audits of HIPAA compliance.

Also, because communications from OCR will be sent via email and may be incorrectly classified as spam, OCR expects covered entities and business associates to check their junk or spam email folders for emails from OCR (OSOCRAudit@hhs.gov). An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

BACKGROUND

HIPAA established national standards for the privacy and security of protected health information (PHI), and the Health Information Technology for Economic and Clinical Health (HITECH) Act established breach notification requirements to provide greater transparency for individuals whose information may be at risk.

OCR is responsible for enforcing the HIPAA Rules. In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements. Through those audits, OCR developed an audit protocol and identified some overall findings and observations.

NEW AUDIT PROGRAM

Drawing on its experience from the pilot audit program, OCR is implementing the second phase of its HIPAA audit program, which covers both covered entities and business associates. As part of this program, OCR is developing enhanced protocols (sets of instructions) to be used in the next round of audits and pursuing a new strategy to test the effectiveness of desk audits in evaluating HIPAA compliance.

OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.

When Will the HIPAA Audits Begin?

The second phase of OCR’s HIPAA audit program is currently underway. OCR has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools. Communications from OCR will be sent via email. A sample email letter from OCR is available here.

Who Will Be Audited?

Every covered entity and business associate is eligible for an audit. According to OCR, it is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry—factoring in size, types and operations of potential auditees.

For more information contact Sue Justice at sue@emerybenefitsolutions.com

www.emerybenefitsolutions.com

Emery Benefit Solutions LLC all rights reserved