The U.S. Department of Health and Human Services’ Office for Civil Rights is gearing up for its compliance audits; and the OCR pre-audit screening questionnaires have now been dispatched. This signals the start of phase two of the HIPAA compliance audit program.
Monitoring Compliance and Enforcing HIPAA Rules
The OCR is tasked with enforcing compliance with the Health Insurance Portability and Accountability Act, which it does in part by conducting periodic audits on covered entities. A pilot phase was conducted in 2011/2012 and the second round was planned for the fall of 2014. However, a combination of poor infrastructure, a lack of staff and a highly restrictive budget has resulted in the program being delayed.
The second phase of the HIPAA-compliance audits will follow a different protocol to the pilot phase, and more organizations will be scrutinized, including Business Associates of HIPAA-covered entities. The exact number of audits has not yet been confirmed, although the figure of 350 audits for healthcare providers, health plans and healthcare clearinghouses and 50 compliance audits for Business Associates has been previously been proposed by the OCR.
OCR Pre-Audit Screening Questionnaires now Sent
According to a notice placed in the federal register, up to 1,200 covered entities can be contacted by the OCR and sent pre-audit screening questionnaires, which should be received in the next few days. The purpose of the OCR pre-audit questionnaires is to gather up to date information on covered entities, and to confirm the contact details of their BAs.
The OCR cannot audit every organization covered under HIPAA, but it will audit a representative selection and for that it needs accurate data. The OCR has confirmed that emails have now been sent, but whether all 1,200 have been posted is not yet known. It has been suggested that approximately 800 surveys were dispatched by the OCR. If the number of audits is to be 350, there is a high probability of an audit being conducted if a covered entity receives a screening survey.
Countdown to Phase 2 of the HIPAA-Compliance Audits has Begun
The Office for Civil Rights will require some time to process the data and select organizations for audit. The questionnaires were expected to be sent this time last year according to the original schedule, with the audits due to begin a few months later. Since the questionnaires have now been sent, and given the improvements the OCR have made to its infrastructure – the new website portal for example – it is possible that the second phase of the HIPAA-compliance audits will now begin in the fall of 2015 although they may not commence until 2016 if there are further delays.
Once a notice is placed on the OCR website announcing the second phase, the audits are expected to start approximately 3 months later. For a fall start, that notice will need to be published and some point between now and the end of June.
Covered entities are therefore advised to check the OCR website regularly, especially if they have already received a pre-audit screening questionnaire.