Back in March, we reported that OCR had announced its Phase 2 Audit Program. OCR stated that they would compile a database of both Covered Entities and Business Associates to form the basis of the pool of organizations potentially targeted for audit. They have followed up on their intentions and in the last week organizations have started to receive contact emails from OCR.
The first email that an organization gets will look exactly like this. Business Associates could receive more than one email, as they could have relationships with more than one Covered Entity. If you receive this email, you have 14 days to respond. If you are the proper contact, you should respond as directed in the affirmative by clicking YES. If not, click NO and follow the instructions.
If you respond YES, within a few hours, you will get an email that looks like this. The highlights include:
- You have 30 days to complete an online screening questionnaire.
- The online questionnaire instructions can be found here. Every organization should review the pre-screening questionnaire before they actually provide answers.
- Most of the questions should be pretty easy to answer, although some might require a little bit of research (for instance, Healthcare Providers are asked to submit how many patient visits they had in the previous fiscal year).
- There are four separate respondent categories: Healthcare Providers, Health Plans, Healthcare Clearinghouse and Business Associates. Each category has about 10 questions.
- You have the ability to print the answers to your questions before you submit them. We suggest you do this and retain for future reference.
If you do not respond to the email, OCR has other methods to identify your organization. Do not expect to be excluded from the audit pool database for not replying to the email.
OCR will be auditing Covered Entities first, according to Deven McGraw, Deputy Director of Health Information Privacy at HHS/OCR. In an interview with Healthcare Info Security she stated, “We will definitely be selecting the Covered Entities and begin to audit them first because our current database of Business Associates is not robust enough. And so we will need to rely on Covered Entities who are selected for audit to provide us with information on their Business Associates so that we can go through the same process of verifying contact information and forming more robust Business Associate pools – and pick Business Associate auditees from there.”
Once organizations complete the screening questionnaire it needs to be well understood that they could be randomly selected for an audit AT ANY TIME. If you are selected for an audit, you will have only 10 business days to submit the requested documentation. Therefore we recommend that organizations ensure that their HIPAA documentation is thorough and complete before answering the questionnaire.
It is expected that most of the audits will be desk audits, in which communications and documentation will be remote as opposed to in-person/onsite. Although OCR does not explicitly say what documentation would be requested, their letter states they will “conduct a focused desk audit to review documentation of evidence of your compliance with selected provisions of the Rules” and “The audit protocols, which contain criteria the auditors will use, will be available here”. The audit protocol is quite detailed. It has been called “dense” by Health Info Security. It is not clear how OCR will apply the audit protocol to different entities based on organization type or size, if at all. In their letter they have left themselves flexibility.
Our advice: Forewarned is Forearmed. If your HIPAA documentation is not in order today, you need to take action to correct this immediately. Although chances of being selected for an audit are low, if you are selected you have to be prepared to submit documentation in a timely manner. Other government programs (Meaningful Use, MACRA, PCMH) require HIPAA compliance as a condition of participation.