Covered Entities and Business Associates may be ringing in the New Year with the prospect of responding to on-site HIPAA audits by federal regulators. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced that a certain number of comprehensive on-site HIPAA compliance reviews will be done over the first quarter of next year. Details of these audits are currently being finalized and will be posted on the OCR website in the coming months.

In a departure from the OCR’s Phase I HIPAA Audit Program, OCR staff will conduct the majority of such reviews with limited support from outside contractors. The stated purpose of such audits is to examine existing compliance measures, identify best practices, and discover problem areas likely to surface at a later date in time. OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. The information gleaned from such audits may result in follow up investigations, fines and sanctions depending upon the severity of violations found. These onsite audits follow the desk audits of 167 Covered Entities that OCR began in July 2016. According to reports, OCR is still reviewing the voluminous documentation submitted in response to that audit. OCR is currently slated to begin desk audits of Business Associates this month. As with the covered entity desk audits, business associates will receive notice by email that they have been selected for a desk audit and will have ten (10) business days to respond to the request for documentation.  OCR expects to complete all desk audits for Phase II by December 31, 2016. Entities selected for a desk audit may also be chosen for an onsite audit.

To prepare for either a Phase 2 business associate desk audit or a covered entity onsite audit by OCR, we suggest that immediate consideration should be given to the following:

  • Perform a self-assessment and risk analysis of existing security and privacy measures.
  • Review existing risk management plans and protocols. Ensure that they are up to date and fully documented. If it is not documented – it never happened.
  • Organize all current and past HIPAA related documentation.
  • Review, update, and document personnel records to ensure that staff has completed necessary HIPAA training. If it is not documented – it never happened.
  • Review the published audit protocols of OCR to ensure readiness for the audit.
  • Review prior OCR alerts and advisories to ensure your current and prior practices are compliant.
  • Update and organize your listing of Business Associates (BA) and Business Associate Agreements (BAA). If you are a Business Associate ensure that existing protocols under your BAA are documented and compliant with HIPAA standards.
  •  Institute a plan and structure for the on-site audit, including:
    • Select which of your employees will participate in the audit;
    • Select site/work area for auditors to use;
    • Review and discuss operational aspects with participants and leadership;
    • Drill down on specific areas of weakness and discuss ways to respond if raised by audit staff

Should you have any questions regarding HIPAA compliance or the terms of this article, please contact the authors of this post to discuss further.