The HITECH Act, enacted by Congress in February 2009, mandated that the HHS Office for Civil Rights (OCR) enhance its enforcement efforts through the use of random HIPAA audits. OCR conducted a pilot audit program in which an audit protocol was created and 115 covered entities were audited. Based on what it learned in that program, OCR has launched Phase 2 of its Audit Program. For Phase 2, all covered entities and business associates will be considered for selection — large and small, public and private, payers and providers, individual or organization, single location or multiple locations, electronic record user or paper-based. On March 21, 2016, OCR announced that the Phase 2 audit process is underway.

OCR is currently verifying contact information of covered entities and business associates of various types to determine audit pools. OCR is asking those subject to the HIPAA Rules to check spam filters for emails from OCR, which uses the email address [email protected]. OCR released a sample email letter — if you receive one of these, you will be required to complete a simple questionnaire from which OCR will create its final audit pool. For those who don't respond, HHS will identify contact information via a separate process. Those who are ultimately selected will be required to supply a list of their business associates using an HHS-supplied template.

OCR will first conduct a round of desk audits, followed by a smaller number of onsite audits. Generally, for each covered entity selected, all of its business associates will also be audited. The audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules, and auditees will be notified of the subject(s) of their audit in a formal request letter. OCR has released its full Audit Protocol, which consists of 180 audit questions — any specific desk audit will include only a subset of these questions. Those selected will have 10 business days to respond by uploading the requested documentation to a secure portal. All of the desk audits will be completed by December 2016.

A certain percentage of those who receive a desk audit will be selected for a more in-depth, onsite audit. Should an audit indicate a serious compliance issue, OCR may initiate a compliance review and investigate further.

Covered entities and business associates who wish to prepare for audits can review the Audit Protocol listed above. Here are some recommendations for preparation based on areas Eagle considers to be OCR’s highest priorities:

  1. Review and update HIPAA Policies and Procedures. Conduct a gap analysis if necessary as part of your update.
  2. Ensure that all staff have received proper training and that training records are kept.
  3. Ensure that the Notice of Privacy Practices is updated, distributed as required, and that records of distribution are maintained.
  4. Verify that the Authorization for Release of Records is compliant and that procedures are regularly followed.
  5. Ensure that a comprehensive computer security risk analysis is performed, and that any deficiencies are corrected as part of an ongoing security management process.
  6. For any mobile devices, verify that appropriate encryption is used and that staff are properly trained on the applicable protocols.
  7. Consider conducting your own internal audit as preparation.

Eagle Consulting Partners has provided HIPAA Policies and Procedures, training, audits, computer security risk analyses, and technical remediation services for over 15 years and is available for assistance.
