The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has launched Phase 2 of its long-awaited HIPAA Audit Program. OCR has already begun sending out address verification letters, which will be followed by a questionnaire.
The new round of privacy and security audits will review whether HIPAA-covered entities (healthcare providers, health plans and clearinghouses) and their business associates meet selected standards and implementation specifications of the Privacy, Security and Breach Notification Rules.
As we reported in December, the U.S. Department of Health and Human Services Office of the Inspector General (OIG) issued a report last fall that was critical of OCR's oversight of covered entities. In that report, the OIG found that OCR's oversight is primarily reactive, not proactive. It noted that as of September 2015, OCR had received more than 120,000 complaints regarding alleged privacy violations since the Privacy Rule went into effect in April 2003.
Phase 2 will consist of three sets of audits. The first set will be desk audits of covered entities, followed by a second set of desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security and Breach Notification Rules, and auditees will be notified of the subject(s) of their audit in a document request letter. All desk audits will be completed by the end of December. The third set of audits will be onsite and will examine a broader scope of HIPAA requirements than the desk audits. Some desk auditees may be subject to a subsequent onsite audit.
OCR is identifying pools of covered entities and business associates that represent a wide range of healthcare providers, health plans, healthcare clearinghouses and business associates.
While there is no way of knowing who will be the target of an audit, there are some things you can do now to prepare.
- If you don’t already have one, designate someone to oversee your HIPAA compliance.
- Put together a list of all business associates that have access to your organization's protected health information. This can include data storage companies, software vendors and consultants. The time to have all of this information together is now.
- Conduct your own risk assessment looking for any potential areas of weakness and take corrective action.
- Make sure you have a HIPAA training program in place for new hires.
- Make sure you have a Notice of Privacy Practices posted prominently.
- Determine the following: What are your file-sharing procedures? Do you have policies in place to ensure proper data backup?
- If you are contacted, only submit the information requested. Submitting information not requested could lead to additional questions and a more comprehensive review.
If an audit report finds a serious compliance issue, OCR may initiate a compliance review to investigate further. OCR will not post a list of audited entities or the findings of an individual audit that clearly identify the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public.
Having a compliance program in place is the first step in protecting yourself and your practice. The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced professionals can help you to create a compliance program designed to meet your unique needs.