Although HIPAA is an important set of laws passed to protect the sensitive medical information handled by millions of covered entities and business associates, the Health and Human Services Office for Civil Rights (OCR) has never established a permanent compliance audit program. Auditing activity to date by OCR has consisted of a pilot program of audits conducted in 2011 and 2012, involving fewer than 200 covered entities. It is no wonder that many medical providers have had little concern about ever being subject to a HIPAA compliance audit, and hence many have made compliance a low priority. They have never been audited, nor have they heard of anyone who has. This situation is now going to change.
On March 21, 2016, OCR announced its Phase 2 Audit Program. With the alarming increase in patient data breaches, OCR has felt intense pressure from Congress and The Office of the Inspector General (OIG) to get this long delayed program underway. Organizations subject to HIPAA need to take this development seriously, as it is a signal that they must now put their compliance programs in place.
So who will be audited in the Phase 2 Program?
Unlike the Phase I Pilot Audits, Phase 2 will not be limited to just larger covered entities. OCR is aware that the vast majority of smaller organizations are not HIPAA compliant and that there is also a serious compliance gap among business associates, so Phase 2 will cover a larger and more diverse pool of organizations. According to the OCR website:
OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry – factoring in size, types and operations of potential auditees.
Who will be selected?
Organizations will be contacted via email to obtain and verify contact information. It will be important to ensure that this email does not end up in a spam or junk folder, to avoid being flagged as not responding. Failing to respond will invite additional scrutiny. Just the act of contacting entities to let them know they are eligible should give that organization a good reason to start paying attention to HIPAA, if they have not done so already. Organizations will be required to complete a pre-audit questionnaire. Once this data has been collected, OCR will select organizations to participate in the actual audit program.
What is the audit process?
If you are selected for an audit, it will most likely be a desk audit. This means that you will be required to upload specified documents to a secure portal that OCR has developed for this purpose. The specific documents that will be requested have not yet been identified, so organizations should prepare for this by putting a comprehensive compliance program in place, as it will provide all of the documentation which could be requested. You will have only 10 business days to upload your documents. After the documents are uploaded they will be reviewed by an investigator. The results of the audit will obviously vary, but a further compliance review could be initiated. No one should take this program lightly – late, incomplete or inappropriate responses could be very costly.
Is this just a one-time event?
This is a precursor to a permanent audit program. Prudent organizations should assume they will be audited sooner or later.
How can HIPAA Secure Now! help me?
Our HIPAA compliance service will get you fully prepared for the upcoming audit program. However, we will be going one step further. If your organization is selected for the audit, we will provide assistance in responding. There will be no extra fee for this; the service will be included in our HIPAA Compliance Premier Subscription.
When is all this supposed to happen?
The process of verifying contact information has already begun, and OCR has stated that the desk audits will be completed by December 2016.
Preparing for HIPAA Audits
There are still many unanswered questions about the program. OCR will have to fill in the details over the coming weeks and months. However, one thing is very clear – if you are subject to HIPAA, you should be preparing to get audited.
Below is some information to help organizations make sure they are prepared for an OCR audit as well as lower the chance of having a data breach.
- Are you a Business Associate?
- Have you performed a Risk Assessment?
- Have you provided HIPAA security training for all employees?
- Do you have written policies and procedures on how to protect patient information?
- Do you have an incident response plan?
- Do you have Business Associate Agreements with your subcontractors?