As a part of its continued efforts to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun a round of audits of covered entities and their business associates.
These audits, like other OCR enforcement tools, are designed to help OCR identify best practices and to proactively uncover and address risks and vulnerabilities to protected health information (PHI).
Phase 1 began back in 2011–2012
This is actually Phase 2 of OCR’s HIPAA audit program. Phase 1 began back in 2011 and 2012, when the OCR implemented a pilot audit program to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements. The OCR also conducted an extensive evaluation of the effectiveness of the pilot program.
Drawing on that experience and the results of the evaluation, the OCR is now implementing Phase 2 of the program, during which the OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.
How the audit process works (Note: Check your spam folder!)
The 2016 audit process begins with verification of an entity’s address and contact information. An e-mail is being sent to covered entities and business associates requesting that contact information be provided to the OCR in a timely manner.
The OCR will then transmit a preaudit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.
If an entity does not respond to OCR’s request to verify its contact information or preaudit questionnaire, the OCR will use publicly available information about the entity to create its audit subject pool. (So, an entity that does not respond to the OCR may still be selected for an audit or subject to a compliance review.)
The OCR will then draw a random sample of entities from the audit pool. Selected auditees will be notified of their participation.
The OCR is planning to post updated audit protocols on its website as the 2016 audits draw closer. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.
Who will be audited?
Every covered entity and business associate is eligible for an audit. These include covered individuals and organizational providers of health services; health plans of all sizes and functions; healthcare clearinghouses; and a range of business associates of these entities.
For this phase of the audit program, the OCR is identifying pools of covered entities and business associates that represent a wide range of healthcare providers, health plans, healthcare clearinghouses, and business associates in order to evaluate HIPAA compliance across the industry—factoring in size, types, and operations of potential auditees.
Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with the OCR.
The OCR says it will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.
Tomorrow we’ll look at details of how the audits will be conducted.