On March 31, the HHS Office for Civil Rights (OCR) finally provided details on what the next phase of its HIPAA audit program will look like. These are outlined in detail in their presentation (slides here) and also in this article written by Adam Greene and Rebecca Williams. According to Greene & Williams, the Phase 2 audits, which will begin in the fall of 2014, “will look little like the old ones, with OCR conducting the audits itself and focusing on more high-risk areas, doing away with on-site visits…and potentially integrating the audits into the OCR’s formal enforcement program.”
Earlier in March, the US Department of Health and Human Services (HHS) announced the start of “pre-audit” HIPAA compliance surveys to be completed by 800 Covered Entities and 400 Business Associates to determine suitability for the audit program. We wrote earlier about the long-awaited start of the HIPAA Random Audit Program, and this survey (published in the Federal Register on February 24th) will identify a subset of entities that potentially may be audited in the fall.
The Office for Civil Rights (OCR) has been the arm of the HHS that is responsible for conducting periodic audits to assess covered entities’ compliance with the HIPAA Privacy, Security and Breach Notification Rules. Under the HITECH Act Final Rule, made effective in September 2013, business associates now are subject to the same kind of HIPAA compliance audits that covered entities have been subject to since 2011.
Business associates include organizations that help the covered entities carry out certain health care functions that may require the business associates to handle or disclose the protected health information of patients. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. Covered entities are required to have written business contracts in place with all business associates that contain the elements specified in 45 CFR 164.504(e).
Since the HITECH Act Final Rule, OCR is also responsible for auditing business associates for compliance. Although the OCR is still retooling its 2011 HIPAA Audit Protocol to reflect the latest HIPAA rule changes and the expanded scope of its auditing powers, it is preparing to identify business associates who may be suitable to audit through these pre-audit surveys.
The surveys will assess the size, complexity, and audit fitness of survey participants, focusing on the extent to which the surveyed entities utilize electronic records, along with the size of their business service areas and annual revenues. The 1,200 pre-audit surveys are speculated to begin this summer. The OCR estimates that it will take those selected between 30-60 hours to complete the survey.
The OCR completed a pilot program of 115 audits in 2011, and we also blogged recently about the findings here. Security accounted for 60% of the findings and observations, with inadequate completion of the computer security risk assessment requirement being the most common reason for audit failure. The risk assessment process Eagle Consulting Partners has developed includes both recommendations for specific policies covering business associates and the development of a standard business associate agreement.