As promised, Phase 2 of Health & Human Services’ Office for Civil Rights (OCR) audit program on HIPAA rule compliance is underway. If you receive a request from OCR to verify contact information, a request to complete a screening questionnaire, or are actually selected for the audit, a timely response is critical.
Confirmation and Questionnaire
Currently, OCR is working on confirming contact information:
- If you are requested to verify your contact information, you will have 14 days to either confirm your identity and email address or instead provide updated primary and secondary contact information.
From there, entities will be asked to complete a screening questionnaire that is intended to gather data about the size, types, and operations of potential auditees for the HIPAA Privacy, Security and Breach Notification Audit Program:
- Receiving this notice does not mean your organization has been selected for an audit; rather, your organization is part of a pool from which OCR will select the entities that will be audited this year.
- If you receive a request, you will have 30 days to complete the online screening questionnaire.
What If Our Organization Is Selected for an Audit?
In a recent interview published May 18, 2016, Deven McGraw, deputy director of health information privacy for OCR, said that if you are selected for an audit you have 10 business days to submit documentation, and this timeline is confirmed on the actual questionnaire forms. Documentation would include a list of all current business associates with up-to-date contact information, which OCR will use to compile a list of potential business associate subjects to audit. According to Deven McGraw, “the current database of business associates is not robust enough.”
OCR will then either:
- Conduct a focused desk audit to review documentation of evidence of your compliance with selected provisions of the Rules; or
- Conduct a comprehensive onsite review of your compliance with applicable requirements of the HIPAA Rules; or
- Follow up a desk audit with an onsite audit.
These audits will be conducted later this summer following the process of verifying entity contact information and establishing a pool of covered entities.
Audit Protocol
The Audit Protocol is organized by regulatory provision and addresses separately the elements of privacy, security, and breach notification. The audits performed may vary based on the type of covered entity or business associate selected for review. According to McGraw, there are two areas OCR is focusing on at this juncture:
- Enterprise-wide risk assessments
- Policies and procedures for providing patients with access to their medical records
How to Be Prepared
It is imperative to have your HIPAA ducks in a row and be prepared for an audit even if you are not selected. Here are several steps that should be familiar to you by now:
- Policies and procedures must be documented, implemented, as specific to your organization as necessary, and easily retrieved and submitted if requested.
- Employees must receive training on policies and procedures at the time of hire, on an annual basis, and whenever there are updates.
- Perform a HIPAA Walkthrough of your office. What safeguards do you have in place to ensure ePHI is secured? Are you using and disclosing minimum necessary ePHI?
- Review or conduct a Security Risk Analysis and have a corrective action plan in place to address any identified deficiencies.
- Have a written inventory of any and all devices that access ePHI.
- Any mobile devices that access ePHI must be properly secured, preferably encrypted.
- Ensure your Notice of Privacy Practices is current, available upon request, and prominently posted within your facility. Does your NPP include instructions for filing a complaint?
- Review your processes and any documentation that supports patient rights to access PHI. For example, if a patient has made a request, do you have supporting documentation that reflects a timely response?
- Breaches of ePHI that affect fewer than 500 individuals must be submitted to the Secretary within 60 days of the end of the calendar year in which the breach was discovered.
- Know the definition of a Business Associate and who yours are. Do you have a list? Are signed business associate agreements in place?