Expansion of HIPAA audit program now underway

As detailed in our latest webinar, “Daunting but doable: Preparing for the next round of HIPAA audits,” the Office for Civil Rights (OCR) has begun implementing the first full-phase HIPAA audit program. The 2009 HITECH Act, which amended HIPAA, requires periodic audits of covered entities and their business associates to ensure HIPAA compliance. After conducting a pilot program in 2012, OCR is now implementing the permanent periodic audit process required by the HITECH Act. Covered entities and their business associates should familiarize themselves with the audit process generally and ensure that their HIPAA ducks are in a row if and when the OCR selects them for audit, whether now or in the future.

While the audits are not directly tied to corrective actions, significant defects revealed may lead to further compliance investigation and review by OCR, which has stepped up its enforcement efforts in 2016. Recent settlements have included $750,000 for failure to execute a business associate agreement prior to turning over the protected health information of thousands of patients; $3.9 million following the theft of a laptop containing electronic PHI relating to participation in a research study; and $1.55 million for failing to enter into a business associate agreement with a major contractor and to institute an organization-wide risk analysis.

Every covered entity and business associate is eligible for audit, except for those who are already subject to an open complaint investigation or compliance review. As it did in its pilot program, OCR will gather identifying information about a sampling of covered entities — for example, its size, location, type, use of health information technology, revenue, and affiliation with other healthcare organizations. It will group the entities into pools that represent a wide range of entities across the industry and then select its audit targets at random from those pools.

Most audits will be “desk audits,” whereby covered entities will simply submit requested documents to OCR via a secure electronic portal. Thus, the documentation submitted must accurately put the covered entity’s best foot forward in demonstrating its overall HIPAA compliance. Covered entities will also be asked to identify their business associates, who may then be separately selected for audits. A smaller number of covered entities and business associates — who may or may not have been the subject of a desk audit — will be selected for a more comprehensive on-site audit. These will be scheduled in advance and are predicted to last 3-5 days. OCR will provide its draft audit findings to each audited entity, which will have the opportunity to review and comment before the report is finalized.

What can you do to prepare yourself for the possibility of an audit? Generally speaking, there are five areas to focus on:

  • A documented assessment and rating of potential risks and vulnerabilities to electronic protected health information — aka a “risk analysis” — that has been updated within the last year, as required by the HIPAA Security Rule
  • An ongoing internal risk management plan to mitigate the identified risks and vulnerabilities, including a training and education component
  • Gather and organize documentation of your entity’s compliance activities — for example, training, responses to patient access requests, breach investigations and notifications, and disciplinary actions arising from noncompliance
  • Review and update (as appropriate) your HIPAA privacy, security and breach notification policies and procedures, as well as a listing of business associates and contact information, and your notice of privacy practices
  • Organize the foregoing so that you are ready to respond quickly to a request for information. OCR states that, for desk audits, the turnaround time for submission of documentation will be 10 days, so it will be extremely helpful to have as much information as possible organized and ready to submit upon request.

Finally, be sure to “allow” emails from OCR, or check your junk/spam email folder for emails from OSOCRAudit@hhs.gov, as all communications from OCR will be electronic.

For a more detailed discussion of the audit process and what you can do to prepare, our complimentary webinar “Daunting but doable: Preparing for the next round of HIPAA audits” is available on demand by clicking here or clicking the graphic at right.

If you have any questions about preparing for an audit or responding to an OCR audit, please contact a member of McAfee & Taft’s HIPAA Compliance & Health Privacy Team:
  • Patricia Rogers – 405.552.2233