The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is moving steadily forward toward auditing covered entities and business associates. In the last few days the agency has distributed surveys to identify covered entities that will make up a pool of potential audit targets, released a new audit protocol substantially expanding the scope and criteria of what is subject to review, and described how it will collect information about business associates from covered entities. The information on business associates will be used as the basis for identifying contractors and vendors to covered entities who will be audited by December 2016 as part of the HIPAA audit program.
OCR has begun sending pre-audit screening questionnaires to approximately 1,200 covered entities. The questionnaire asks covered entities to supply information concerning the size of the entity, affiliation with other covered entities, types and operations of the organization, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.
HIPAA Audit Program Selection Process
Approximately 200 covered entities will be selected for the HIPAA audit program on a rolling basis throughout the remainder of 2016. If a covered entity is selected for audit, it will be asked to provide information about its business associates. OCR will notify the selected covered entities in writing, by email, of their selection for a desk audit. The OCR notification letter will introduce the audit team, explain the audit process and discuss OCR’s expectations in more detail. In addition, the letter will include initial requests for documentation. OCR expects covered entities that are the subject of an audit to submit requested information within 10 business days of the date on the information request. All documents are to be in digital form and submitted electronically via the secure online portal. OCR will also ask covered entities to prepare a list of each business associate with contact information. The agency has developed a template to use in listing business associates.
Business associates will be selected for desk audits in the same fashion as covered entities. While conducting desk audits of covered entities, OCR will replicate the notification and document request process for initiating desk audits of selected business associates.
Similarly, entities will be notified via email of their selection for an on-site audit. The auditors will schedule an entrance conference and provide more information about the on-site audit process and expectations for the audit. Each on-site audit will be conducted over three to five days, depending on the size of the entity. On-site audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA Rules.
The agency also debuted a new audit protocol that represents a significant change in scope and approach from the 2012 HIPAA Pilot Audit Program. OCR strengthened its approach to testing compliance with the HIPAA rules by developing an audit design that examines each standard and implementation specification in each rule and assigns an audit inquiry to measure compliance with it.
How to Prepare
Healthcare provider practices, health plan administrators and business associates should prepare now so they are ready if selected for a desk audit:
- Review OCR’s audit protocol as well as the HIPAA and HITECH regulations
- Make sure you have the latest guidelines, policies, and procedures in place
- Ensure you have access to all required audit documentation and clearly understand the submission process
- Consider conducting a mock audit (either by internal staff or by a third-party specialist) to make sure you’re prepared for the real thing