Over the past several months, there have been some key announcements and developments from the Office for Civil Rights of the Department of Health and Human Services regarding HIPAA audits.
A first set of audits, called Phase 1, was conducted in 2011 and 2012 as a pilot program covering Covered Entities only. During this program, 115 covered entities went through site visits and received an audit report, and those findings were later studied by the Office for Civil Rights.
A second set of audits, called Phase 2, was announced in March 2016, and this time it involved about 200 covered entities and business associates. Phase 2 had two parts: desk audits for Business Associates and Covered Entities, and on-site audits for Business Associates and Covered Entities. The desk audits were completed at the end of December 2016, and the on-site audits would begin in 2017.
More recently, further information was provided about these on-site audits. At a HIMSS conference in December 2016, senior advisor Linda Sanches announced that the Office for Civil Rights would conduct a small number of on-site audits, broader in scope, during 2017, and that the purpose of these on-site audits would be to find gaps that a desk audit would not already have uncovered. Each on-site audit would last anywhere from three to five days on-site and would be more comprehensive in nature.
The following factors would be used in selecting the covered entities and business associates for these on-site audits:
- Size of the organization
- Type of operation
- Relationships with other organizations
- Whether a public or private organization
- Geographic factors
*It was noted that organizations that were currently undergoing a compliance review or had an open complaint under investigation would not be audited.
With the rapid increase in complaints, specifically 6,534 in 2004 and 17,643 in 2015, and 41 HIPAA violation cases totaling $48,679,700.00 million in settlements, covered entities and business associates can expect more on-site audits and enforcement activity in the near future.
In light of the above, covered entities and business associates can do the following to comply and prepare for future audits:
- Have a thorough security risk analysis to identify any gaps
- Have a risk management plan to remediate any gaps
- Have physical, technical, and administrative safeguards in place for both PHI and ePHI
- Provide clear policies and procedures, including sufficient training, regarding patient access to PHI
- Provide clear policies and procedures, including sufficient training, regarding the minimum necessary rule for disclosing protected health information
- Locate and review business associate agreements to ensure they are being followed
- Have documentation evidencing yearly HIPAA training
- Review the Audit Protocol and verify that its requirements are being met
- Depending on the size of the organization, and whether it is a health plan, medical practice, or business associate, consider using a third-party vendor to assist in meeting the requirements
- Engage a third party to review compliance against the requirements
- Last but not least, document, document, document!
Given the above developments, covered entities and business associates should be proactive in preparing their organization for any potential future audits that could come their way, including ensuring that compliance with policies, procedures, and training is inspected and updated as needed on at least an annual basis. In addition, it is highly recommended to implement a continuous monitoring program to ensure ongoing compliance and to monitor risk areas, so that continuous reassessment can take place, including when new regulation is implemented.