Are you prepared for the next round of HIPAA audits?
HIPAA audits really are here. One of my clients let me know this week that they were contacted by the OCR announcing a HIPAA audit. Now is the time to make sure you are prepared.
Almost two years after the OCR first announced preparation for another round of HIPAA audits, Phase II of OCR’s HIPAA audit program is finally underway.
Since March 21, the OCR has been emailing various entities to verify their e-mail addresses and contact information. OCR acknowledged that its email communication may be treated by email filters as spam, but has advised that it expects entities to check their junk or spam email folder for emails from OCR. Recipients have 14 days to verify their email address or provide OCR with updated primary and secondary contact information.
A pre-screening questionnaire will follow seeking details regarding the entity’s size, geographic location, services and scope of operations. Covered entities will also be asked to identify their business associates. Presumably, OCR will use this information to identify and begin emailing business associates to verify their contact information and follow-up with a pre-screening questionnaire.
OCR will be examining a large variety of audit candidates and will be considering a variety of factors including:
- Size of the entity;
- Affiliation with other healthcare organizations;
- The type of entity and its relationship to individuals;
- Whether an entity is public or private; and
- Geographic factors.
The only entities that will be exempt from audits are those with an open complaint investigation or currently undergoing a compliance review.
OCR audited 115 covered entities in Phase I. For Phase II, OCR expects to conduct more than 200 audits with a balance between covered entities and business associates. Phase II will consist of three rounds with a primary emphasis on desk audits.
- Round 1: Desk Audits of Covered Entities
- Round 2: Desk Audits of Business Associates
- Round 3: On-site Audits of Covered Entities and Business Associates
Desk audits will focus on compliance with a focus on provisions of the Privacy, Security and Breach Notification Rules. All desk audits are expected to be completed by the end of 2016.
Entities may be selected for on-site audit even if they were subject to a desk audit. On-site audits will be 3-5 days and cover a wider range of compliance requirements under the HIPAA Rules. As in the case of desk audits, the audited entity will still only have 10 business days to review OCR’s draft findings and provide written comments, and a final audit report will be issued by OCR within 30 business days.
This is key, if you haven’t done so already, check your spam or junk email folder and include OCR (OSOCRAudit@hhs.gov) as an approved sender. If multiple individuals from your organization receive the initial email communication from OCR, coordinate your responses so that OCR is notified of the correct primary and secondary contact.
Business Associate Contacts.
If you are a covered entity, compile a comprehensive list of business associates and their contact information. It’s also a good idea to confirm that a business associate agreement is in place with each service provider on the list.
While OCR is developing its audit pool, take this time to ensure that your HIPAA compliance documents are in order. OCR is still drafting its protocols for Phase II, which are expected to be available prior to the start of on-site audits. Focus your immediate attention on the documentation relevant to the areas targeted for attention under the desk audits.
Due to the widespread noncompliance with various aspects of the HIPAA Rules that Phase I of the audits found, OCR indicated that Phase II and future audits would be more focused on enforcement including the imposition of civil monetary penalties or resolution agreements.
If you have any questions about your preparation for the possibility of being audited in Phase II of the HIPAA audits, give ITPAC a call today.