The Department of Health and Human Services' Office for Civil Rights (OCR) released an updated HIPAA audit protocol earlier this month.
Phase 2 audits began in late March, following an announcement by OCR Director Jocelyn Samuels at the 24th National HIPAA Summit. "[OCR will] be looking at risk analyses and risk management, notices of privacy practices and access and response to requests for access, and content timeliness of notifications," said Samuels. Audits are expected to continue through December 2016.
Here are the protocol details and what healthcare providers should expect.
Desk and Onsite Audits
The second phase of the HIPAA Audit Program will consist of more than 200 desk and onsite audits, including:
· Initial desk audits of covered entities;
· A subsequent round of desk audits focusing on business associates; and
· A third round of more extensive, onsite audits.
Being selected for one type of audit does not exempt an organization from the others. OCR advises that some auditees may be subject to both a desk audit and an onsite audit.
The Auditing Process
All covered entities and business associates are eligible for auditing. OCR will send an email to verify the contact information for the individual(s) responsible for HIPAA compliance at each organization. OCR has asked organizations to check their spam and junk folders so that this message is not missed.
Once contact information has been verified, OCR will send a pre-screening questionnaire that gathers information about the size and type of the organization. This data will be used to create audit pools, from which auditees will be selected.
The OCR believes this method is also useful in establishing a better understanding of where HIPAA compliance stands industry-wide.
For the Phase 2 audits, covered entities will be asked to identify their business associates. OCR recommends preparing a comprehensive list of business associates, including contact information, and has provided a sample template to assist with this.
It is important to note that failing to respond to the contact verification email does not remove an organization from the audit pool. However, entities currently under compliance review or facing an open investigation will be excluded.
What's the Purpose of the Audits?
The HIPAA Audit Program, mandated by the HITECH Act, assesses compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Specifically, the audit protocol evaluates:
· Privacy Rule requirements, including the notice of privacy practices, uses and disclosures of PHI, and amendment of PHI, among others.
· Security Rule requirements for administrative, physical, and technical safeguards.
· Breach Notification Rule requirements.
Looking ahead, entities should focus on HIPAA compliance planning so they are prepared to meet the demands of the audit program.
Has your organization been selected for an audit before? How are you preparing for Phase 2 audits? Please join the conversation below.