May 20, 2016 – New Round of HIPAA Audits and Enforcement

When did you last distribute a HIPAA Privacy Notice or conduct HIPAA training for employees?

Do you have HIPAA privacy policy and procedures?  Do you follow them?

When were they last updated?

The answers to questions like these are critical as the OCR begins a new round of HIPAA audits and enforcement known as “HIPAA Audit Phase II.”

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) requires the Health and Human Services Office for Civil Rights (OCR) to conduct regular audits of HIPAA covered entities (including employer sponsored health plans) and their business associates.  Through a pilot audit program conducted in 2011 and 2012 (referred to as Phase I), OCR audited 115 covered entities.  Phase I focused on controls and processes used to comply with the HIPAA requirements.

Now comes Phase II.  The Phase II audit program focuses on the policies and procedures currently being used by covered entities and their business associates, including those that address problem areas identified through Phase I.  Phase II is expected to last three years.

Procedurally, Phase II consists of three tiers: (1) desk audits of covered entities (including employer sponsored health plans); (2) desk audits of business associates; and (3) onsite audits of both, intended to examine a broader scope of HIPAA requirements than the desk audits. The new audit protocol being used by OCR for the Phase II audits is available here.

Unlike the limited pilot approach of Phase I, virtually any covered entity and business associate is a candidate for Phase II audit. This includes employer sponsored health plans of all sizes and functions and their business associates.  OCR notifies the subject of the audit through, and makes the initial document request by, email.  A template email is available at:  http://www.hhs.gov/sites/default/files/ocr-address-verification-email.pdf.  The entity then has ten (10) business days to respond to the email.

SPECIAL NOTE:  The email address OCR is using to send these notifications is OSCOCRAudit@hhs.gov.  Covered entities and business associates are expected to pay attention to their emails (including their spam/junk folders).

Phase II audits are “primarily a compliance improvement activity.”  OCR intends to use the information garnered from these audits to determine technical assistance needs and corrective action options. Although OCR indicates that Phase II is not specifically intended to discover privacy and security breaches, uncovering a serious compliance issue could trigger further investigation.  Consequently, the Phase II audit process will likely result in penalties assessed against covered entities and business associates.

We strongly recommend employers sponsoring health plans and entities serving as business associates review the new OCR protocol and adjust HIPAA policies, procedures, and implementation accordingly.

Please contact us if you have questions or are in need of assistance establishing or reviewing your HIPAA policy and procedures.