On March 21, 2016, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) launched the second phase of its audit program to review compliance with the Health Insurance Portability and Accountability Act's (HIPAA) privacy, security, and breach notification rules. OCR has begun sending email letters (see sample letter) to covered entities and business associates asking them to respond with the requested information within 14 days of receipt. But that is just the beginning. The purpose of this Alert is to give plan sponsors a practical overview of OCR's audit process.
HHS has conducted a number of HIPAA audits since the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which amended HIPAA. I have represented clients who have undergone Phase 1 HIPAA audits. These audits are quite thorough. In Phase 2, OCR will analyze plan sponsors' risk analyses and follow up on what plan sponsors have done to address the security risks they identified. Where risks remain, OCR continues to follow up until it is satisfied that they have been addressed, and then issues its closing letter.
The HITECH Act requires HHS to conduct proactive and periodic audits of covered entities and business associates to assess compliance with HIPAA's privacy, security, and breach notification requirements. OCR implemented a pilot audit program (Phase 1) that concluded in December 2012. Phase 1 audits were performed on 115 covered entities (47 health plans, 61 health care providers, and 7 health care clearinghouses). OCR's report concluded the following:
OCR used the Phase 1 findings to shape the Phase 2 audit program.
Under the Phase 2 audit program launched in March 2016, OCR intends to audit a wide range of covered entities (health plans, providers, and clearinghouses) as well as different types of business associates.
Steps One and Two: The first step of the Phase 2 audit program consists of remote desk audits of covered entities, based on the documents and other information the entity submits in response to OCR's document request. The second step consists of remote desk audits of business associates, conducted in the same manner.
After reviewing the submission, the auditor will provide draft findings and allow 10 business days for written comments. A final audit report will then be completed within 30 days and sent to the audited entity. Steps One and Two are expected to be completed by December 2016.
Step Three: Finally, OCR will conduct on-site audits examining a broader scope of HIPAA requirements. Both covered entities and business associates, including those that have already undergone a desk audit, may be subject to follow-up on-site audits. An on-site audit begins with an entrance conference, followed by three to five days of on-site work. As with desk audits, entities subject to an on-site audit will be given an opportunity to comment on the draft audit report, and a final report will be shared with them. If an audit report indicates a serious compliance issue, OCR may open a compliance investigation.
Many employers have already taken the steps needed to comply with HIPAA's requirements, such as adopting written Privacy and Security policies and procedures and training workforce members, but may have overlooked the need to conduct and periodically update a Risk Analysis, which the Security Rule requires (45 C.F.R. § 164.308(a)(1)(ii)(A)). If you do not have a current Risk Analysis, below are some action items to consider for your health plan:
It is important to conduct a Risk Analysis on a regular basis, and to keep detailed records of your findings and of the steps taken to address them, before you receive an audit notice from OCR or learn that your health plan has had a Breach (generally, an acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule). Documentation prepared after the notice arrives will be far less persuasive to an auditor.
The following is an informal audit checklist to help you focus on the areas you must address, regardless of the size of your organization, if you create, receive, maintain, or transmit PHI.
Copyright © 2016 Alfred B. Fowler, Attorney at Law · All Rights Reserved. Reprint with permission only. This Benefits Alert is published as an information source for our clients and colleagues. It is general in its nature and is no substitute for legal advice or opinion in any particular case.