In February of this year the Office of Civil Rights (OCR) announced its plans for the Phase 2 mandatory HIPAA compliance audits. Since that time, several details surrounding the HIPAA audits, including the timeline, have become moving targets—literally.
Initially, the Phase 2 pre-audit surveys were supposed to be sent to 1,200 randomly selected covered entities and business associates. Subsequently, 300 covered entities and 50 business associates would be selected for a remote audit. That timeline shifted from the summer to the fall and now to 2015 due to delays with the government’s web portal technology.
You may recall that, under the HITECH Act of 2009, the OCR is mandated to perform compliance audits. The pilot audit phase during 2011-2012 included 115 covered entities. Findings from this phase served as the basis for developing the permanent audit protocols.
The Phase 2 Audits will target the HIPAA Standards that showed the highest incidence of non-compliance in the pilot audits, including areas such as risk analysis and risk management, notice of privacy practices, training, and policies and procedures.
Previously, the OCR announced the audit findings for the 300 covered entities. It is expected that 100 of those entities will be audited for compliance with the Privacy Rule (Notices of Privacy Practices and patient access to PHI); 100 will be audited on the Breach Notification Rule; and 150 will be audited on the risk analysis and management standards of the Security Rule. Business associate audits will only encompass risk analysis, risk management, and breach reporting to covered entities.
What if you are one of the “lucky” 350 covered entities selected for an audit? If that happens, act quickly, yet carefully. Here are two important tips if you are selected for an audit:
- Pay close attention to the 2-week response deadline. The clock starts ticking based upon the postmark date, not the date you received the letter.
- Understand the gravity of Phase 2 Audits. The pilot audits were performed onsite by subcontractors with no penalties levied. Phase 2 Audits will be “desk audits” or remote audits conducted by OCR staff. If selected for an audit, you will upload the requested information to the OCR website. You won’t be given the opportunity to provide clarification or additional information. This phase will include fines for noncompliance.
However, before you are ever selected, be proactive. Conduct a self-audit and immediately correct any errors you find. Enlist the services of a qualified attorney or HIPAA expert if you are unsure how to self-audit. As Benjamin Franklin said, “Don’t put off until tomorrow what you can do today.” Maintaining compliance readiness is the best strategy.
What is the simplest way for your practice to conduct a self-audit? There is an in-depth self-assessment on the HealthIt.gov website, and the Office of Civil Rights has a Guidance Document on Risk Analysis (links are below). It’s important for practices to conduct both a privacy and a security risk analysis. In other words, don’t stop with the analysis of electronic data. Identify PHI in paper format as well, and review other privacy concerns, such as inactive records stored in the attic or basement and privacy screens for monitors.