|The Office of Civil Rights (OCR) of the Department of Health and Human Services has begun Phase 2 of its audit program under the Health Insurance Portability and Accountability Act (HIPAA). In this phase, OCR will:
· Collect contact information from covered entities and their business associates;
· Audit selected covered entities and, later, business associates for certain documents to assess compliance;
· Conduct on-site audits of certain entities.
The audits are expected to target specific areas of compliance under the privacy, security, and breach notification rules.
Initial Requests Health plan sponsors and administrators, health care providers, and business associates of all types will soon receive (and some may have already received) emails from the OCR asking for contact information. The information collected will help OCR build its pool of candidates for audit. OCR has warned that certain systems may filter its email as spam and that it expects entities to check spam and junk folders for the solicitation.
OCR intends to use publicly available sources to identify potential audit targets, so a failure to respond to the OCR solicitation will not necessarily exempt an organization from the audit process. Guidance does not state whether OCR is more likely to audit an entity that does not respond or self-identify than one that does. However, an organization can exercise more control over the process (in particular, the ability to designate who within the organization is to be contacted by OCR in the future) if it responds to the initial solicitation.
It appears as if the solicitations will come in two stages: first a request for basic contact information about the organization, followed by a pre-audit questionnaire that asks for certain information, including contact information for relevant business associates.
Getting Ready To prepare for OCR’s initial requests, covered entities and business associates should:
Audit Selection OCR intends to choose subjects for audit from a wide range of entities, taking into account their type, size, location, nature as a public or private entity, and relationship to other healthcare organizations and individuals. Entities currently under a HIPAA investigation or compliance review will not be audited.
Audits Audits are expected to occur in three stages: desk audits of covered entities; desk audits of business associates; and on-site audits. OCR has announced that it plans to complete the desk audits by the end of 2016. The desk audits likely will focus on documents demonstrating compliance with particular requirements in HIPAA’s privacy, security, and breach notification rules. On-site audits will review a broader scope of requirements. Although the on-site audits are not necessarily linked to the desk audits, some entities selected for a desk audit also may be selected for an on-site audit.
OCR will notify covered entities that they have been selected for a desk audit. That notice will explain the process and OCR’s expectations in more detail. The notice will ask the covered entity to submit documents in digital form through a secure portal within 10 business days of the date on the request. After reviewing the documentation, auditors will share a draft of their findings with the covered entity. A covered entity will have 10 business days to submit written responses to the draft report. The final audit report will include those written responses.
While the desk audits of covered entities are in process, OCR will start to notify business associates that they have been selected for a desk audit. Those audits will follow the same basic process that applies to covered entities.
Covered entities and business associates that are subject to an on-site audit also will be notified. More information about the on-site audit will be provided during an entrance conference. The audit itself will last three to five days. The audited entity will have 10 business days to review a draft of the audit’s findings and submit written responses.
OCR has stated that audits will primarily focus on compliance improvement. The program is intended to help OCR, covered entities, and business associates identify areas of vulnerability and find ways to better protect information. But if an audit report indicates a serious compliance issue, OCR may undertake enforcement action.
Getting Ready Covered entities and business associates will not know if they will be selected for an audit, but they should take certain measures in the event they are audited:
It is worth keeping in mind that, although compliance with HIPAA’s privacy and security requirements is an important goal, it is ultimately a means toward making sure that sensitive information is appropriately protected. Members of our HIPAA Compliance Team and our Employee Benefits and Executive Compensation and Privacy and Data Security Groups are prepared to help you address these concerns proactively and, if necessary, when incidents occur.
Ballard Spahr’s HIPAA Compliance Team, comprised of attorneys from various disciplines, advises health care providers, health plans, and their business associates on the privacy and security requirements under HIPAA. Our attorneys provide guidance on security rule practices and policies; prepare HIPAA policies, forms, vendor agreements, and other compliance documentation; prepare training tools and conduct HIPAA compliance training; and advise clients about OCR audit requirements.
If you have questions about the HIPAA audit program or HIPAA compliance, please reach out to the authors of this alert or any of the members of the HIPAA Compliance Team listed below: