Now that the U.S. Department of Health and Human Services finally appears to be moving ahead with its HIPAA audit program, health plans and other covered entities need to be preparing documentation and shoring up their risk analysis and training, among other things, HIPAA experts suggested in recent webinars.
“They’ve been talking about it for a long time,” but now HHS’ Office for Civil Rights has “made public progress developing the capability” to perform the privacy and security audits mandated by the HITECH Act, according to David Holtzman, vice president of compliance at CynergisTek, Inc.
OCR has been planning to send out 1,200 screening surveys to identify the entities to be audited. Organizations now have begun getting emails to verify contact information, Holtzman noted, but “these are not the surveys,” and people now being contacted by email will not be the only ones who get surveys, he said.
In any event, though, covered entities should be on the lookout for communications from OCR by email or regular mail, continued Holtzman, himself a former OCR official. “Many of us receive all kinds of emails” purporting to be from OCR, but one of these might actually be from the agency, he warned. Likewise, in case OCR communicates by U.S. Mail, it is important to know who opens the mail at your organization.
The delay to this point “frankly is one of technology on OCR’s end,” Holtzman said. The agency has been slow to develop the consumer-facing Web portal by which audited entities can enter the necessary information. Now, however, such a product is apparently being tested, he said. “All I can suggest is, stay tuned, it’s coming.”
OCR will select about 350 covered entities for desk audits, and at most that number of business associates, Holtzman said. The agency will seek to include a wide variety of entities based on type, location and affiliation with other covered entities.
Short Turnaround Time
The major challenge of the upcoming desk audits will be the very short turnaround time — likely two weeks, with no opportunity to get clarification of OCR’s data request, Holtzman said. And if an organization does not respond, the agency “will look upon it as a failure to comply” and refer it to the appropriate regional office for enforcement, he said.
The first round of covered entity desk audits, even if OCR begins them by the end of the summer, likely will extend into 2016, Holtzman continued. This round will be followed by desk audits of selected business associates, and finally by comprehensive onsite audits of both covered entities and business associates, he said. These will be performance audits designed to gauge the effectiveness of an organization’s compliance program and internal controls.
Start With Risk Assessment
Security risk assessment “needs to be the starting point of any efforts to prepare for these audits,” said Michael Bertoncini, an attorney with Jackson Lewis in Boston. “That should allow you to target your compliance efforts,” he said. “There’s no prescribed methodology here but you have to document that you did it.”
Policies are another recurring focus. “The regulators don’t want to see a dusty manual that hasn’t been touched since your last employee’s first day at work,” Bertoncini said. Organizations also should avoid the “tendency to cut and paste from the privacy and security rules,” because this usually yields a product “too dense for many workforce members to internalize.”
“OCR is becoming much more concerned about training of workforce members,” so make sure your organization has a training program and is training employees on a periodic basis, Holtzman said. As for the training materials, “I would certainly have that documentation prepared and ready,” along with an “ongoing rolling roster.”