HIPAA Audits: Phase Two is Coming. Are You Ready?
By Michael A. Igel and Margaret K. Kramer, Johnson Pope Health Care Group
The Federal government is continuing its efforts to audit HIPAA compliance, and all health care providers and their business associates must be prepared.
From 2010 through 2013, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) conducted a pilot audit program to assess the controls and processes covered entities have implemented to comply with HIPAA’s Security Rule, Privacy Rule and Breach Notification Rule (the “HIPAA Rules”). The results of the pilot audit program revealed widespread non-compliance, the most common cause of which was a lack of awareness of the requirements of the HIPAA Rules. Despite the issues discovered, the pilot audit did not result in any disciplinary action.
In March of 2014, the OCR announced the implementation of “Phase 2” of the audit program. Phase 2 will focus on specific issues identified in the pilot audit program: risk analysis and risk management; content and timeliness of breach notifications and notice of privacy practices and access rights. However, unlike the pilot audit program, Phase 2 is not going to be a purely investigative exercise. The OCR has indicated that Phase 2 will likely involve compliance reviews, and will be used as an enforcement tool. Thus, now is the time for health care providers and business associates to become compliant.
Who Can Be Audited In Phase 2?
Any covered entities, which include most health care providers. Unlike the pilot audit program, Phase 2 will also include audits of “business associates,” or any entity that performs services for a covered entity that involves Protected Health Information (e.g. patient information).
The OCR will conduct a pre-audit survey of approximately 550-800 entities. This information will be used by the OCR to assess the size, complexity and fitness of an entity for an audit. The OCR will use the results of the pre-audit survey to select approximately 350 entities to audit.
What Can You Expect If You Are Selected for a Phase 2 Audit?
The entities selected will receive notifications and data requests electronically. Entities will be asked to identify the current contact information for their business associates. Unlike the pilot audit program that was conducted by outside contractors, the Phase 2 audits will be primarily conducted by the OCR.
During Phase 2, the OCR has indicated that it will conduct a combination of desk audits and on-site audits. For the desk audits, the OCR will send a specific data request to the selected entities. The data request will specify content and file organization, file names and any other document submission requirements. The selected entities will have two weeks to respond. The OCR has provided the guidance below on expectations for the desk audits.
- Only requested data submitted on time will be assessed.
- All documentation must be current as of the date of the request.
- Auditors will not have the opportunity to contact the entity for clarifications or to ask for additional information.
- Submitting extraneous information may increase difficulty for auditor to find and assess the required items.
- Failure to submit response to requests may lead to referral for regional compliance review.
When Will Phase 2 Begin?
Phase 2 was originally scheduled to begin in the fall of 2014, but has been delayed while the OCR implements a new web portal for audited entities to upload and submit information. While the OCR has not released the official start date for Phase 2, it has recently confirmed that it is coming soon.
What Can You Do To Prepare?
- Educate and train employees on their role in ensuring compliance with the HIPAA Rules. Ensure that training is up to date and documented.
- Ensure that policies and procedures and business associate agreements reflect the current requirements of both HIPAA and HITECH.
- Update policies and procedures as needed.
- Conduct or update risk analysis. Ensure that risk management plan is up to date. Create corrective action plan to address risks if needed.
- Review covered entity and business associate relationships for HIPAA compliance.
- Document compliance with policies and procedures.
The potential for violations of the HIPAA Rules is an ever-present risk that continues to grow as the use of technology and government enforcement increases. The time to evaluate and address HIPAA compliance is now.
The Health Care Group at Johnson Pope is ready to assist you with developing, reviewing and/or updating HIPAA policies and procedures; improving HIPAA compliance; and responding to the OCR during an audit, compliance review or investigation.
Editor’s Note: The January Disclosure article entitled “Audits: Ready or Not, They are Here to Stay”
is an updated article originally authored by Mike Igel while he was at the Trenam Kemker law firm.