OCR Phase 2 HIPAA Audits Have Begun: Are you Ready?

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has started a second phase of audits for compliance with HIPAA Privacy, Security and Breach Notification Standards. The OCR has previously conducted an audit pilot phase and Phase 1 audits of HIPAA covered entities (i.e., healthcare providers, clearinghouses, and health plans). In this Phase 2 of the HIPAA audits, OCR will audit both covered entities and their business associates.

Many providers, including physician practices, have already received an email that was issued by OCR to potential audit targets with a pre-screening questionnaire to collect demographic and business associate information. OCR will use this information to select approximately 200 targets on which to perform desk audits, which it intends to complete by the end of 2016. OCR also intends to follow the desk audits with on-site audits in 2017.

The OCR has commented that the Phase 2 audits are also intended to uncover risks and vulnerabilities the OCR has not identified through other enforcement actions. Representatives of the OCR have stated that the Phase 2 Audit findings will be used to build a permanent HIPAA audit program. Physician practices should also be aware that in circumstances where an audit reveals a serious compliance concern, the OCR may initiate a compliance review which could result in civil monetary penalties for non-compliance.

According to the OCR, the HIPAA audits present an opportunity for it to review mechanisms for compliance, identify best practices, and target areas for technical assistance to be provided by OCR to the healthcare industry. For the healthcare industry, the HIPAA audits by OCR are a reminder of the continuing focus by the government on testing an organization’s compliance with the HIPAA Standards.

Covered entities (such as physician practices) and business associates will have a short time frame (approximately ten days) to respond to OCR’s audit request by submitting requested documentation to an online portal, which will also include providing a list of business associates. Failure to respond to requests could lead to a referral to the applicable OCR Regional Office for a compliance review.

The Phase 2 audits will target HIPAA Standards with high occurrences of non-compliance in the Phase 1 HIPAA audits. In the desk audits for the Phase 2 audits, OCR will examine each entity’s documentation to support HIPAA compliance. The OCR will focus on the following areas:

  • Notice of Privacy Practices and content requirements;
  • Provision of an electronic Notice of Privacy Practices;
  • Right of individual Access;
  • Risk analysis and risk management;
  • Breach Notification, including content and timeliness of providing notice;
  • Security Management – Risk Analysis;
  • Security Management – Risk Management.

After reviewing submitted documentation (i.e., policies and procedures, etc.), OCR will develop and share its findings with an entity. The entity may respond to the draft findings by OCR, and its response will be included in a final audit report. As noted above, OCR could decide to open a separate compliance review on an entity based on its review of the submitted documentation.

Physician practices should take several actions to ensure that they are prepared for a potential Phase 2 audit. Even if a practice is not selected for a Phase 2 audit, it should consider focusing its internal compliance efforts on the areas of the HIPAA Standards that OCR has selected as focus areas in the Phase 2 audits.

Some areas that physician practices should focus on in preparing for the Phase 2 audits:

  • Review your current HIPAA risk analysis processes, including ensuring that you have a recently completed comprehensive risk assessment of potential security risks and vulnerabilities to your organization;
  • Review all action items identified in your risk assessment and ensure that they have been completed or are on a reasonable timeline to completion;
  • Have a risk management plan for your practice that addresses the risks and vulnerabilities identified in the risk assessment;
  • Confirm that all required HIPAA Privacy and Security policies have been adopted and are current;
  • Document training of workforce members;
  • Have a complete inventory of business associates and ensure that the business associate agreements have been updated with the most recent requirements and have been executed;
  • Ensure that a Breach Notification Policy has been implemented and that Breach Notification procedures are in place with business associates;
  • Ensure that the practice has reasonable and appropriate safeguards for PHI that exists in any form, including paper, verbal and electronic PHI;
  • Ensure that all systems and software that transmit electronic PHI employ encryption technology, or the practice has documented a Risk Analysis supporting a decision not to use encryption technology.

The Office of the National Coordinator for Health Information Technology (ONC), the Office for Civil Rights and the Office of the General Counsel of the U.S. Department of Health and Human Services have collaborated to develop an audit tool to conduct a HIPAA security risk assessment. Physician practices could use this audit tool in their internal HIPAA compliance efforts. This audit tool can be downloaded at www.healthit.gov.

Written by: Clay J. Countryman
