The Health and Human Services Office for Civil Rights (OCR) has begun its Phase 2 Audits of covered entities and their business associates under the HIPAA Privacy, Security and Breach Notification Rules.
A Look at the Audit Process
In 2016, the OCR will review the policies and procedures developed and used by covered entities and their business associates to meet the specifications of the Privacy, Security, and Breach Notification Rules.
The 2016 audit process begins with verification of address and contact information through emails being sent to covered entities and business associates. Once that information is verified, OCR will then send a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees. The OCR will use this data to create potential audit subject pools.
Not responding to an OCR verification request or pre-audit questionnaire does not preclude an entity from being audited. Instead, OCR will use publicly available information about those unresponsive entities to create its pool. Likewise, the OCR expects some of its emails will end up in a spam folder and advises covered entities and business associates “to check their junk or spam email folder for emails from OCR.”
While the OCR announcement did not indicate how many entities will be audited in 2016, Barbara Holland, regional manager for OCR’s Mid-Atlantic region, told attendees of the PHI Protection Network Conference in Philadelphia this week that OCR is planning 200 audits: 150 of covered entities and 50 of business associates, divided into 150 desk audits and 50 on-site audits. Of the 50 on-site audits, Holland said 40 would be of covered entities and 10 of business associates.
What Should You Do?
Adam Greene, an attorney at the Davis Wright Tremaine law firm and a former OCR official, told Health Data Management Magazine that covered entities and business associates should begin preparing for audits now, because the first emails have already been sent and those who hear from the OCR will have only “10 [business] days to produce requested documents and 10 [business] days to respond to a draft audit report.”
“Now is the time for covered entities and business associates to review and update HIPAA policies and procedures,” advises David Holtzman, vice president of compliance strategies at security vendor CynergisTek and also a former OCR official.
In the same Health Data Management article, Holtzman and Greene predicted several items would be included in this round of audits, including enterprise-wide risk assessments, mitigation plans, patients’ access to their records upon request, breach notification content and processes, and notices of privacy practices. Linn Freedman, a HIPAA attorney at the Robinson & Cole law firm in Providence, R.I., also expects the audits to closely examine the security of protected health information accessed by business associate subcontractors.
Experts agree that entities should be prepared for audits but not overly worried about them. With more than 3 million covered entities and even more business associates, 200 audits isn’t a lot. “The risk is small. I think you should be more worried about breaches and complaints,” Greene said, speaking on the same panel with Holland at the PHI Protection Network Conference. “If you are trying to decide whether to do a mock audit or a tabletop exercise of a breach, remember that the risk of a breach is a lot higher than the risk of an audit. Don’t let the possibility of an audit blindside you to the much bigger risk.”