OCR’s Phase 2 Proactive HIPAA Audits
Phase 2 of the proactive HIPAA Audits mandated by the HITECH Act of 2009 began in earnest in March 2016, when OCR sent out emails to survey a number of covered entities.
The thumbnail sketch of the new audits includes the following information:
200 covered entities will be audited by December 31, 2016
- All these audits will be paper bench audits of a covered entity's HIPAA Security, Privacy, and Breach Notification compliance documentation
- All these audits will be done by the ten regional OCR offices
- A number of these audits may turn into investigations if problems are discovered, and
- A number of these investigations may have fines and compliance plans imposed on the covered entity by OCR.
A number of the covered entities will be asked to share a list of all their business associates and contact information for each business associate.
- From this list of business associates will come the 200 business associates that will be audited in the second phase of audits
- All these audits will be paper bench audits of a business associate's HIPAA documentation
- All these audits will be done by the ten regional OCR offices
- A number of these audits may turn into investigations if problems are discovered, and
- A number of these investigations may have fines and compliance plans imposed on the business associate by OCR.
A covered entity or business associate will be asked for specified documents, and not compendiums of all the covered entity or business associate’s policies and procedures.
- If an OCR-requested document is not available, the covered entity or business associate must provide equivalent instances from a previous time period if they are available
- For example, if a covered entity or business associate is asked for a 2016 HIPAA Security Risk Analysis/Assessment document, and there is one from 2015, the 2015 version should be sent to OCR.
Remember, workforce means employees, students and volunteers, and information systems include hardware, software, information, data, communications and people.
To help you prepare for an audit, OCR has posted new Audit Protocols at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
The new set of protocols covers all the HIPAA Privacy, HIPAA Security and HIPAA Breach Notification rule requirements in a very long Word table that will print as 350+ pages.
The protocol table is searchable by keyword(s). Where the protocol uses the word “ENTITY,” it means that both a covered entity and a business associate must comply. If it is just a covered entity or just a business associate that must comply, it will not say ENTITY, but covered entity or business associate.
There are seven columns in the table, as follows:
Audit Type | Section | Key Activity | Established Performance Criteria | Audit Inquiry | Required or Addressable |
The audit type is the name of the rules only, so there are three types:
- Privacy
- Security
- Breach Notification.
The section is the section of a regulation.
The key activity is a simple statement of the section.
The established performance criteria are the regulatory language of the section, and of other sections, including definitions.
The audit inquiry is the question put to the covered entity or business associate, and the practical requirements that go with it.
For example, for the key activity of Prohibited uses and disclosures – Use and disclosure of genetic information for underwriting purposes, the audit inquiry includes:
- Does the health plan use or disclose for underwriting purposes, “Genetic Information” as defined at § 160.103, including family history?
- Inquire of management.
- Obtain and review all underwriting policies and procedures (for example, published and unpublished underwriting guidelines currently used by underwriting staff, including manuals and training materials).
- Evaluate whether the underwriting policies are consistent with the established performance criterion.
The required/addressable column applies only to the HIPAA Security Rule implementation specifications. Don’t forget that addressable is not a get out of jail free card. A covered entity and business associate will need to do all the Security standards and all the implementation specification requirements.
A covered entity or business associate could use the new OCR audit protocols to outline the documents and the areas management needs to review, using the audit inquiry column in each section. This would be a first step in reviewing your HIPAA compliance and documents, and excellent preparation for a HIPAA audit.
You can read all the new OCR proactive audits at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/
In the future all the HIPAA covered entities and all the HIPAA business associates WILL BE audited! Yes, that is correct … it is not a matter of “if,” only of WHEN.