Head over to the Compliance Cornered blog to check out our latest post: Will a HIPAA Audit be in Your Future?

It seems a day doesn’t pass without a news item regarding a data breach of some kind. To that end, the Department of Health and Human Services’ Office of Civil Rights (OCR) recently announced a new phase in its efforts to audit and assess compliance with the HIPAA Privacy, Security and Breach Notification Rules.
Phase 1 of the audit program was a pilot program to assess how covered entities implemented controls and processes to protect health information. OCR measured 115 covered entities against a set of protocols. Business associates were not audited in the Phase 1 program.
Covered entities include healthcare providers, health plans, including insurers and company health plans, and healthcare clearinghouses. A “business associate” is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Health insurance brokers are typically business associates under HIPAA.
Phase 2 of the HIPAA audit program is launching this year. OCR will focus on desk audits of covered entities and their business associates. In some cases, on-site audits will also be conducted. In auditing business associates, OCR will consider risk analysis, risk management and timeliness and content of breach notification to covered entities.
The audit process begins with an email that is sent to covered entities and business associates to gather contact information. This email is followed by a pre-audit questionnaire. The questionnaire asks about the size, type and operations of potential audit targets. Pre-audit surveys should be responded to within 10 days.
If an entity doesn’t respond, OCR will use publicly available information to gather what it needs about the audit target. So merely not replying to an OCR email is insufficient to avoid a compliance review. OCR’s Phase 2 audit announcement instructs covered entities and business associates to check their spam folders for OCR communications.
The audit pre-screening questionnaire can be reviewed here.