New Phase of HIPAA Audits Has Begun – Are You Prepared?

Date: June 1st, 2016
Category: CORHIO e-Newsletter
Topics: HIPAA


David Ginsberg, President of PrivaPlan Associates, discusses phase two of the HIPAA audit program, which includes both covered entities and business associates.

As part of its continued effort to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security and Breach Notification Rules.

How are the audits determined?

OCR plans to conduct desk and onsite audits for both covered entities and their business associates. According to the HHS notification, “Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities.”

OCR will choose auditees through a random sampling of the audit pool. Selected auditees will then be notified of their participation, typically via email.

According to HHS, “…a questionnaire designed to gather data about the size, type, and operations of potential auditees will be sent to covered entities and business associates. This data will be used with other information to develop pools of potential auditees for the purpose of making audit subject selections.” HHS has published the audit pre-screening questionnaire.

What will the audits entail?

The first set of audits will be desk audits of covered entities followed by a second round of desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules and auditees will be notified of the subject(s) of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016. Some desk auditees may be subject to a subsequent onsite audit. The third set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules.

According to Zinethia Clemmons, Senior Health Information Privacy Specialist with OCR, the desk audits will cover “select provisions,” including Risk Analysis and Risk Management. Last year, OCR audits found that over two-thirds of practices failed to meet the Risk Analysis and Risk Management provisions.

Clemmons says that through their audits they can “identify Covered Entities for further enforcement through HIPAA,” but emphasizes that the audits are “not intended to be punitive.” She notes that OCR's first step will be to provide technical assistance to Covered Entities to assist with compliance.

However, the “audit inquiry” requirements are more rigorous than those of the Phase 1 “pilot program” audits and show that OCR will evaluate internal documentation, policies and procedures, and whether these have actually been implemented. To some degree, the privacy audit protocols align with the recently released OCR summary of patient access rights and covered entity obligations, which was likely issued in response to widespread industry misunderstanding of patient rights and inappropriate barriers to access.

Several examples from the protocol demonstrate this, such as “Obtain and review a sample of personal representatives recognized by the entity.” Or consider this privacy inquiry, which staff might overlook or may not be trained to respond to properly: “How has the covered entity ensured that disclosures by a workforce member related to his or her status as a victim of a crime are consistent with the rule? Inquire of management how the entity identifies and treats disclosures of PHI by workforce members who are victims of a crime.”

What should you do to be prepared for an audit?

  • Have proof that you’ve conducted a HIPAA Security Risk Analysis - an insufficient risk analysis (for example, one that looks only at your EHR and fails to address all of the HIPAA Security Rule requirements) will not be acceptable.
  • Have a risk management plan in place - our clients who have had reportable breaches affecting 500 or more patients are consistently asked by OCR, at first contact, for a copy of their risk management plan. This is what the new protocol states:

“Obtain and review policies and procedures related to risk management. Evaluate and determine if the documents identify how risk will be managed, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and identify workforce members’ roles in the risk management process.”

  • Document your business associates - because OCR will ask covered entity auditees to identify their business associates, it is a worthwhile exercise to prepare a list of your business associates with contact information, copies of contracts and any other pertinent details.

Join our free webinar to learn more

CORHIO will host an informative free webinar with guest expert David Ginsberg of PrivaPlan Associates on June 28th, noon-1:00 pm MST; please register to learn more.