What You Should Know About OCR’s HIPAA Privacy Audits

Have you received a request from HHS Office for Civil Rights (OCR) asking that you provide the name of your privacy official along with any additional criteria? If you have, then you likely are aware that you may be the focus of a HIPAA privacy audit.

This is part of the Phase 2 HIPAA Audit Program, launched in 2016 (see http://vitalehealthlaw.com/ocr-launches-phase-2-hipaa-audits/), which we have previously written about. It is designed to “review the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

Even if you haven’t yet received a request, there’s still a chance you will, as OCR has stepped up its enforcement activities. The questionnaire that you receive helps OCR gather data on those who might be audited.

Those selected for an audit will be sent an email notification and will be asked to provide documents and other data in response to a document request letter.

If you have been notified, then time is of the essence. It’s important that you respond to OCR’s questionnaire in the time frame required – 10 days. Failure to do so will not keep you from being audited. Instead, OCR will simply gather data that is publicly available.

  • First and foremost, make sure those who will be interacting with auditors are trained in how to respond to any questions.
  • If you have not already conducted a pre-audit review, don’t waste another minute, do it!
  • Consider conducting a mock audit to ensure you are prepared for the real one.
  • By now you should have a system in place that can monitor user activity and show what patient files have been accessed and by whom, as well as who created, edited or even deleted information.
  • Are you making sure that employees access a patient’s electronic health record only when it is required to do their job? Even with policies in place, entities should keep in mind that not every employee will adhere to them. Some are just curious; others have a more malicious intent in mind. Whatever the reason, it is imperative that proactive access monitoring and auditing takes place, with the results reviewed rather than merely logged.
  • You likely will be asked about business associates and their HIPAA policies, so make sure you have a list of those associates and their contact information.
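The two access-monitoring bullets above describe a capability rather than a procedure, so here is an added example (not code from the original post or from the firm) of the kind of review a practice can run over its EHR audit trail. It reads constructed sample log records (timestamp, user, action, patient ID), flags any access by a user who is not on that patient’s documented care team, flags users who touch an unusually large number of distinct patients in a day (a common “curiosity browsing” signal), and lists deletions separately so they can be reviewed. The log field layout, the care-team roster, and the daily threshold are all assumptions for illustration; a real EHR system has its own audit-log format and source of treatment relationships.

```python
"""
Added example: simple EHR access-log review.
Assumptions (not from the original article): log lines are
"timestamp,user,action,patient_id"; CARE_TEAM is the roster of users
authorized for each patient; MAX_DISTINCT_PATIENTS_PER_DAY is a tuning value.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log records (not real data).
SAMPLE_LOG = """\
2017-03-01T08:02:11,nurse_a,read,P1001
2017-03-01T08:05:40,nurse_a,update,P1001
2017-03-01T09:14:02,dr_b,read,P2002
2017-03-01T12:30:55,clerk_c,read,P3003
2017-03-01T12:31:10,clerk_c,read,P1001
2017-03-01T12:31:25,clerk_c,read,P2002
2017-03-01T12:31:40,clerk_c,read,P4004
2017-03-01T12:32:01,clerk_c,read,P5005
2017-03-01T12:32:20,clerk_c,read,P6006
2017-03-01T15:45:00,dr_b,delete,P2002
"""

# Assumed treatment-relationship roster: patient -> users allowed to access the chart.
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_b"},
    "P2002": {"dr_b"},
    "P3003": {"clerk_c"},
}

# Assumed threshold; tune to the role's normal workload.
MAX_DISTINCT_PATIENTS_PER_DAY = 4


def parse_log(text):
    """Parse the CSV-style log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": patient,
        })
    return records


def find_unauthorized_access(records, care_team):
    """Return (user, patient, action) for every access by a user not on that patient's care team.

    A patient with no roster entry is treated as having no authorized users,
    so unknown patients surface for review instead of being silently allowed.
    """
    findings = []
    for r in records:
        if r["user"] not in care_team.get(r["patient"], set()):
            findings.append((r["user"], r["patient"], r["action"]))
    return findings


def find_high_volume_users(records, limit):
    """Return {(user, date): distinct_patient_count} for users exceeding `limit` in one day."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["user"], r["ts"].date().isoformat())].add(r["patient"])
    return {key: len(patients) for key, patients in seen.items() if len(patients) > limit}


def find_destructive_actions(records):
    """List (user, patient) for deletions so each one can be justified during review."""
    return [(r["user"], r["patient"]) for r in records if r["action"] == "delete"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Unauthorized access:", find_unauthorized_access(recs, CARE_TEAM))
    print("High-volume users:", find_high_volume_users(recs, MAX_DISTINCT_PATIENTS_PER_DAY))
    print("Deletions:", find_destructive_actions(recs))
```

Run on the sample, the roster check catches clerk_c opening five charts outside the clerk's one authorized patient, the volume check flags the same user for touching six distinct patients in a day, and dr_b's deletion of P2002 is listed for justification even though dr_b is authorized for that chart. The point for an audit is not the script itself but being able to show that a review like this happens regularly and that findings are acted on.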

For the most part these audit reports will be used to determine what types of technical assistance OCR should develop and what types of corrective action would be most helpful. If OCR determines there is a more serious issue, it may initiate a compliance review to investigate further.

This year has already seen a number of costly HIPAA settlements.

Having a HIPAA (Privacy/Security) compliance program in place is the first step in protecting yourself and your practice. The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced professionals can help you to create a HIPAA compliance program designed to meet your unique needs. Contact us for additional information at 305-358-4500 or send us an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.