Preparing for Round 2 of HIPAA Audits
Neda M. Ryan, Esq
Corporate Compliance Attorney, Anesthesia Business Consultants, Jackson, MI
Over the past five years, the Department of Health and Human Services Office of Civil Rights (OCR) has been more aggressive about identifying organizations that fail to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its impending regulations. Historically, OCR has taken a reactive approach to noncompliance through tips and complaints or notifications of breaches by covered entities. Recently, however, OCR has been more proactive through its use of audits to identify organizations that are noncompliant with HIPAA and its regulations.
Until now, OCR has only audited covered entities. Covered entities are health plans, healthcare clearinghouses and healthcare providers who conduct certain financial and administrative transactions electronically. Now, OCR is expanding its audits to business associates. Business associates are people or entities performing certain services involving the use or disclosure of protected health information (PHI) on behalf of or for a covered entity. Business associate services include legal, actuarial, accounting, consulting, management, financial and billing.
OCR states that its audits are intended to improve compliance within the industry by identifying vulnerabilities and developing tools to address widespread areas of non-compliance. However, OCR also maintains its right to launch a more thorough investigation into an organization that it discovers, or believes, to pose a threat to the privacy and security of individuals’ PHI. As such, all organizations should be familiar with what the recent phase of audits entails and use this as an opportunity to prepare for this round, or future rounds, of OCR audits.
Pilot and Phase 1 of the Audit Program
During 2011 and 2012, OCR initiated its Pilot Program during which 20 covered entities were audited. It approached the Pilot Program in three steps: (1) developing audit protocols, (2) conducting 20 audits to test the protocol and (3) expanding the audit to Phase 1 to audit 95 additional covered entities using revised protocols. The Pilot Program and Phase 1 included audits of a health plan, a hospital system, small providers, community hospitals, outpatient surgery centers and a regional pharmacy. During the Pilot Program, OCR found various HIPAA compliance-related issues, but did not seek enforcement action against those covered entities. Most notably, OCR found that more than 60 percent of violations were related to Security Rule provisions.1
Phase 2 Audit Program
Phase 2 was launched in July 2016 when 167 covered entities received notice they were selected for desk audits. Business associates will receive notice of desk audits this fall. The focus of the desk audits is on seven controls drawn from the Security Rule, the Privacy Rule and the Breach Notification Rule. The controls are summarized in Figure 1. In early 2017, Phase 2’s third wave of audits will begin with onsite audits, which will be broader in scope than the desk audits.
Entities having received, or that will receive, an audit letter from OCR under Phase 2 can expect to receive a notification email of their selection for participation in the audit. They will also receive a document request for policies, procedures and/or other related documentation. Covered entities will be required to provide the contact information for all business associates.
After a review of the submitted documentation, OCR will develop and share draft findings with the entity. The entity may respond to draft findings, and the written responses will be included in the final audit report. Final audit reports will describe how the audit was conducted, present any findings and contain entity responses to the draft findings. Although OCR claims the audits are “a compliance improvement activity,” OCR has the authority to initiate a separate compliance review or investigation if significant threats to the privacy and security of PHI are revealed through the audit.
How to Prepare for HIPAA Audits
- Conduct Mock Audits – OCR has published the letters it will send to auditees. OCR has also published its audit protocol.2 These resources, and others, can be used to conduct mock audits.
- Conduct a Risk Assessment – HIPAA requires that entities conduct risk assessments to identify areas in which the entity is vulnerable or susceptible to violations. OCR has prepared a Security Risk Assessment Tool (https://www.healthit.gov/ providers-professionals/securityrisk-assessment) where entities can conduct their own risk assessments in evaluating their compliance with HIPAA’s Security Rule.
- Implement and Update Policies and Procedures – Following a risk assessment, entities should develop and/or update their policies and procedures to ensure the areas of vulnerability are addressed.
- Educate Employees and Staff – Employees and staff should regularly be educated on their obligations with respect to the privacy and security of health information traveling in and out of the organization.
- Organize Materials – Begin to organize the materials and documents that could be requested in an audit. These materials would include policies and procedures, historical risk assessments, notifications to individuals and others of breaches, and lists of business associates and their contracts.3
- Respond to OCR – If you receive an audit letter, do not ignore it! There will be a short timeframe in which to respond. Contact an attorney or a HIPAA professional to assist in responding to the audit request and any subsequent OCR communications.
OCR’s auditing activity is only increasing. What was once limited to covered entities has been expanded to business associates, and what once involved fewer than 200 entities, now involves up to 250. All entities should be prepared for the possibility of an audit. OCR has many resources to assist organizations in understanding the requirements and implementing the necessary measures to promote compliance. In today’s auditing environment, entities cannot delay in complying with what is required of them.
1 Lessons Learned from OCR Privacy and Security Audits, Program Overview and Initial Analysis, Presentation to IAPP Global Privacy Summit, March 7, 2013 (https://clearwatercompliance.com/wp-content/uploads/2014/06/4-1.-Lessons-Learned-from-OCR-Privacy-and-Security-Audits-Sanches_Rinker_03-07-2013.pdf).
3 A sample list of business associates is available here: http://www.hhs.gov/hipaa/for-professionals/complianceenforcement/audit/batemplate/index.html.
Neda M. Ryan, Esq is a Corporate Compliance Attorney for Anesthesia Business Consultants. Ms. Ryan has experience in all areas of healthcare law, including healthcare transactional and corporate matters; healthcare litigation matters; providing counsel regarding compliance and reimbursement matters; and third party payer audit appeals. She can be reached at (517) 787-7432 or Neda.Ryan@AnesthesiaLLC.com.