Previously, the Department of Health and Human Services (HHS) only audited doctors and hospitals for HIPAA compliance. In March of 2016; however, the Office for Civil Rights (OCR) announced the launch of phase 2 of the audit program - auditing all businesses which handle Protected Health Information (PHI).
Many employers don’t think they come into contact with PHI - but any employer that provides health insurance can have exposure to their employees’ protected information.
What to Expect
Phase 2 of the audit program will be conducted in three rounds:
- Round 1 - Remote desk audits of covered entities, based on information received in response to an information request.
- Round 2 - Remote desk audits of business associates based on another information request.
- Round 3 - On-site, examining a broader scope of HIPAA requirements. Covered entities and business associates, including those that already had a desk audit, may be subject to on-site audits.
If you’ve been selected for an audit, you’ll be notified via email. You will then be asked to provide certain documents and data, which will be detailed in a document request letter.
All documents can be submitted online through OCR’s new, secure audit portal within 10 business days. After review, auditors will develop and share the findings of their audit. You will have the opportunity to respond to the findings within another 10 days, and the response will be included in the final audit report, usually ready within 30 days.
What They’re Looking For
Audits are looking to ensure you are HIPAA compliant. The main points you should go over when ensuring you are compliant are:
- Whether you are distributing the Notice of Privacy Practices to new employees and notifying current employees every 3 years
- The rights of participants to request privacy protection for PHI
- Who comes into contact with PHI
- Administrative requirements you are following such as:
- Policies and Procedures
- Document Retention
- A record of all uses and disclosures of PHI
- The right of an individual to request an amendment of their PHI or a record of all disclosures
How to Prepare
Make sure to open every OCR communication, even those that seem unimportant. Do not ignore any OCR request, and make sure to keep a record of all OCR inquiries. You should note when you received the request, when the response was sent, and who was responsible for handling the communication.
The best way to prepare for an audit is to perform one yourself beforehand. Go over the checklist included in this post as if you were an auditor, reviewing how your office handles PHI.
Make sure to update your compliance documents frequently; reviewing them often will help you find possible vulnerabilities in your compliance strategy. This is especially important with your business associates; any business you use, that may come into contact with PHI, must have a business associate agreement with you. This includes businesses from insurance companies all the way down to your email provider.
By preparing ahead of time and having an audit response plan in place, the process will be simple (albeit document heavy), rather than a crisis.