After many years of anticipation, the Office of Civil Rights (OCR) launched a new round of audits to gauge compliance with patient privacy provisions under the Health Insurance Portability and Accountability Act (HIPAA). These audits are intended to determine whether or not healthcare organizations and their contractors are in compliance with HIPAA. If organizations and contractors are not in compliance OCR is hoping that the audits will trigger a reaction and allow them to get in front of potential problems and better direct guidance to address issues that affect the confidentiality and security of protected health information (PHI).
The launch came with little fanfare, starting with emails to “covered entities” (i.e., healthcare providers, insurance plans, and clearinghouses) and to business associates that may handle patient information on behalf of those entities. The emails ask them to verify contact information, which, once verified, will lead to receipt of a “pre-audit questionnaire,” seeking details on their business size, business type, and operations. If an entity or associate does not respond to the “pre-audit questionnaire,” OCR will use publicly available information about the entity in creating the audit pool. An entity who fails to respond to OCR may still be selected for an audit or subject to a compliance review.
Once OCR receives the audit questionnaires back, it will create a pool of audit targets that represents a range of covered entities and business associates. According to OCR, the wider the range of audit candidates, the better idea OCR will have of HIPAA compliance across the industry.
The audits will take place in several rounds: desk audits (focused on document review) make up the majority of the audits and will take place in two rounds. The first round will focus on covered entities and the second round will focus on their business associates. The desk audits are expected to be completed by December 2016. The third round of audits is reserved for on-site audits, which will begin later in the year. Additionally, just because an entity undergoes a desk audit does not release them from a potential on-site audit. HHS will cover the cost of the on-site auditor; neither covered entities nor their business associates are responsible for the costs of the audit program.
Desk Audits
Entities who are selected for a desk audit will be informed via email and will be asked to provide documents and other data. The desk audit will focus on compliance with particular provisions of the HIPAA Privacy, Security, and Breach Notification Rules, such as risk analyses, notices of privacy requests, and response to requests for PHI access. Those subjected to an audit will be given ten days to submit the requested information to OCR through a portal. Once OCR receives the documents, it will review them and develop draft findings, which will then be shared with the audited entity, allowing ten business days for an entity response. The written entity response will be included in the final audit report, which will also be shared with the entity.
On-Site Audits
An on-site audit is also preceded by an email, and will take place over three to five days, depending on the size of the entity. On-site audits will be more comprehensive and have a broader focus on HIPAA requirements. Entities subject to an on-site audit will also have ten business days to review the draft findings and provide written responsive comments to the auditor. A final report will then be shared with the audited entity.
What Comes After the Audit
Following an audit, if any serious issues were uncovered, an OCR compliance review may be done. Even though OCR will not post a list of audited entities, nor will they post the findings of an individual audit that clearly identifies the audited entry, audit notification letters and other audit information may be discoverable under the Freedom of Information Act (FOIA).
Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be the most helpful. OCR will also use information gleaned from the audits to develop tools and guidance to assist the industry in compliance self-evaluation, preventing further breaches.