Earlier this year (2016), the U.S. Department of Education’s Office for Civil Rights (OCR) alerted healthcare providers that the second phase of HIPAA compliance audits would be taking place during the year. The OCR has been under significant pressure from the Office of the Inspector General (OIG) after OIG officials indicated that the OCR was not properly doing its job of proactively auditing covered entities. It’s important to note that in this phase of audits, the number of entities audited has greatly increased, since small providers (practices with fewer than 15 physicians) and healthcare organizations’ business associates (BAs) are now all included. BAs are defined as contractors who need to see protected health information (PHI) in order to complete a task for the covered entity. Including BAs in the audit process will force providers to ensure that their BAs are complying with HIPAA regulations as well.
In this phase of audits, the OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the privacy, security, and breach notification rules. The OCR has indicated that these will predominantly be desk audits but that there will be some on-site audits conducted as well.
The audit process starts with verification of an entity’s address and contact information via an email sent out by the OCR. The OCR is requesting that this email be responded to in a timely manner. The OCR will then transmit a pre-audit questionnaire to gather data about the healthcare provider, including its size, type, and operations. This information will then be used by the OCR to create an audit subjects pool. Healthcare providers shouldn’t think that by ignoring the OCR’s requests they won’t be selected for audit. If the OCR sees that a healthcare provider hasn’t responded to its inquiries, it will use publicly available information about that organization in order to create its audit subjects pool. If selected for audit, an organization will be required to respond to a document request regarding everything related to the organization’s HIPAA privacy and security programs. These document requests must be satisfied within a 20-day period and could require information to be collected from as far back as six years.
The types of information that will be examined during these audits include, but are not limited to, the following:
- Notice of privacy practices
- Patients’ rights to request privacy for PHI
- Access of individuals to PHI
- Administrative, physical, and technical safeguards
- Uses and disclosures of PHI
- Amendments to PHI
- Requirements of the HIPAA Breach Notification Rule
More specifically, the OCR has indicated that they will focus their attention on those areas that their compliance investigations have historically found to be lacking. Some of these areas include the following:
- Existence of an adequate security-risk assessment
- Existence of an adequate and approved remediation plan
- Existence of a properly documented training program
- Existence of adequate and easily available policies and procedures for all staff and patients
It is the hope of the OCR that these audits will improve industry awareness of compliance obligations and enable the OCR to better develop technical aids for the areas the audits identify as problem areas. Healthcare providers should know that there are resources available to assist them with the compliance process and address their compliance needs, so that their encounter with the OCR, should it arise, is smooth and successful.
This article was also featured in our newsletter Best Practices Vol. 12