After being delayed over two years, Phase 2 of the US Department of Health and Human Services’ Office for Civil Rights (OCR) HIPAA audits began earlier this summer. Phase 2 consists of between 200 and 250 covered entities and business associates undergoing “desk audits.” Of these, only a small number (likely fewer than 30) will face lengthy on-site audits; however, that process won’t begin until 2017.
The OCR’s audit program was created in the hope of correcting improper protocols before they lead to breaches. Phase 1 of these audits took place in 2011 and 2012, with only 11 percent of providers having no negative findings reported.
The key to being one of the providers with no negative findings is preparation. Providers who receive a desk audit will be asked to provide a large amount of information with only a few days’ notice. The requested information will include a list of business associates and two points of contact for each of their firms, compliance policies for the past 6 years, and proof that risk analysis policies are available to the people responsible and are periodically reviewed.
Providers who fail aspects of the desk audit may be subject to an on-site audit in 2017. Doing poorly on both audits will likely lead to significant disciplinary action by the OCR, including large financial settlements that could take years to finalize. Advocate Health Care recently settled for $5.55 million and was required to adopt a corrective action plan after an OCR investigation found it likely had multiple HIPAA violations.
Ultimately, most providers won’t undergo a HIPAA compliance audit. That said, it is still wise to have a plan in place in the event of an audit or breach, to avoid being disciplined by OCR.
What can you do to prepare?
- Ensure you have up-to-date compliance and risk analysis policies in place.
- Evaluate whether your patient clinical communication and documentation technologies support those policies, including securing ePHI and providing audit trails of all ePHI access.
- Ensure that your staff are trained in the appropriate management of PHI and ePHI.