The long-awaited second phase of HIPAA compliance audits started earlier this year with the sending of emails to covered entities requesting contact information. From the responses, the Department of Health and Human Services’ Office for Civil Rights (OCR) formed a pool of covered entities eligible for a HIPAA compliance audit.
The OCR announced this week that 167 covered entities have been selected for a “desk audit”. Each of those entities was emailed on July 11 and was requested to submit documentation for review. Covered entities selected for a compliance audit have been given 10 days to upload the requested documents to the secure OCR audit web portal.
Health plans, healthcare providers, and healthcare clearinghouses will be audited during the first round of audits. Organizations of all sizes have been selected for the desk audits, not just large healthcare organizations.
The second phase of HIPAA compliance audits has a much narrower focus than the pilot phase, which was conducted in late 2011/early 2012. During those audits, the OCR looked at a much broader range of areas of compliance.
This time around, the OCR has selected the elements of HIPAA which have previously caused the most problems for HIPAA-covered entities. The results of the first phase of audits were assessed, and the OCR also looked at the main areas of non-compliance that were identified as part of the agency’s enforcement activities.
These common areas of non-compliance include risk assessments and risk management, which are required by the HIPAA Security Rule. The notice of privacy practices and its content requirements (requirements of the HIPAA Privacy Rule) will also be assessed. Covered entities selected for an audit will also be required to provide evidence that policies are in place concerning breach response, as required by the HIPAA Breach Notification Rule.
The OCR wants to see evidence that patients will be notified promptly of a breach of their PHI and that policies have been developed concerning the content of those notifications.
The purpose of the audits is to determine whether HIPAA-covered entities have understood the requirements of the Health Insurance Portability and Accountability Act and have developed policies and procedures accordingly. The audits are not part of a witch hunt to find organizations that are failing to comply with HIPAA Rules.
The OCR uses the audits to determine how best to help covered entities comply with HIPAA. The audits will be used to help the OCR develop new technical guidance and tools that covered entities can use for self-evaluation of their HIPAA-compliance efforts.
That said, if serious compliance issues are discovered, a full compliance review may be triggered. Financial penalties for non-compliance may then follow if serious violations of HIPAA Rules have occurred.
In a recent blog post, covered entities were warned that their spam filters may misclassify the OCR’s email notification as spam and send the audit email to the junk folder. All covered entities have been advised to check the junk folder for any OCR communications.
Organizations will also receive an email requesting details of their business associates, and the information will be used by the OCR to form a pool of BAs to audit. Business associate audits will take place in the fall, after the first round of desk audits has been completed. A number of full compliance reviews, including site visits, will take place in the New Year.