Phase II of the HIPAA Audit Program is underway for covered entities and their business associates. The Office of Civil Rights (OCR), a division of the U.S. Health and Human Services (HHS) Department, implemented the audit program for the purpose of improving compliance with the HIPAA Privacy, Security and Breach Notification Rules.

WHO IS ELIGIBLE FOR AN AUDIT?

Any covered entity and business associate is eligible to be audited, including individual and organizational providers of healthcare services, all types of health plans, healthcare clearinghouses, and a wide range of business associates including collection agencies.

OCR desk audits for both covered entities and business associates will continue through 2016 and will examine compliance with specific requirements of the Privacy, Security or Breach Notification Rules. The desk audits are scheduled to conclude in December 2016. Onsite audits will follow and will examine a broader scope of HIPAA requirements.

HOW ARE ORGANIZATIONS NOTIFIED OF AN IMPENDING AUDIT?

Potential auditees will be notified via email; therefore, it is important that covered entities and business associates check spam folders to make sure OCR notifications are not caught up in their filters. Organizations that miss their email notifications will be subject to an automatic compliance review.

WHAT IS THE PURPOSE OF THE AUDITS?

The OCR Privacy, Security and Breach Notification Audit Program was implemented for the purpose of:
• Establishing national standards for the privacy and security of protected health information (PHI)
• Establishing breach notification requirements to provide transparency for patients who may be at risk
• Conducting periodic audits of covered entities and business associates to assess HIPAA compliance
• Providing a process for investigating complaints and performing compliance reviews

Phase II of the Audit Program is designed to:
• Examine the mechanisms in place for compliance
• Identify best practices
• Discover any vulnerabilities in the processes currently in place
• Enable OCR to identify risks before they become actual breaches
• Provide guidance to covered entities and business associates for overcoming compliance challenges

The OCR audit selection process will take into consideration:
• Size, type and operation of the organization
• Affiliation with other healthcare organizations
• Whether the organization is public or private
• Geographic location
• Current enforcement activity with OCR

WHAT WILL RESULT FROM THE AUDIT FINDINGS?

In Phase II, OCR will review the policies and procedures adopted and implemented by covered entities and their business associates to ensure they are meeting the standards of the Privacy, Security and Breach Notification Rules.
Reports that result from audit findings will be used by OCR to determine what types of technical assistance should be developed to help covered entities and business associates better comply with HIPAA, and to determine what types of corrective action should be employed.

Information obtained from the audits will help OCR develop tools to assist both covered entities and business associates with compliance self-evaluation techniques and with preventing breaches, with the ultimate goal of ensuring protection of every patient’s private health information.

More details on the OCR audits can be found at:
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html