By Gwen Cofield
Now that the U.S. Department of Health and Human Services (HHS) has begun prescreening questionnaires for Phase 2 privacy and security audits, Health Insurance Portability and Accountability Act (HIPAA)-covered entities should make sure they’re prepared on the compliance areas HHS’ Office for Civil Rights (OCR) has indicated it plans to emphasize.
Desk audits are likely to start this summer with covered entities, to be followed by business associates, said Adam Greene, an attorney with Davis Wright Tremaine LLP. Currently, 200 to 250 desk audits are planned, but that number is subject to change. OCR apparently is sending out thousands of preliminary questionnaires, so even if you got one of those, the chance is still pretty small that you’ll be audited, he said.
“OCR is building a database of organizations that could be audited in this phase or in the future,” added David Holtzman, vice president of compliance services with CynergisTek Inc. In addition, every auditee will be required to provide a list of business associates, so covered entities need to get that information documented about all of their contractors and vendors, he noted.
Once notified of an audit, a covered entity will have 10 business days to respond, Holtzman said. All of the requested documentation must be uploaded to OCR’s portal within that time, and it must have been in effect as of the date of the audit letter. If a response is late, “you’re out of luck,” he said.