After years of waiting, the Office for Civil Rights (OCR) has finally sent out its initial round of notice letters for HIPAA audits. This first batch consists of 167 covered entities, who will have to answer a list of audit questions and provide a complete list of their Business Associates (BAs). BAs are where hosting partners come into play: a HIPAA compliant data center must sign a Business Associates Agreement with each covered healthcare provider. The OCR will be using these lists of BAs to choose around 30 BAs to audit, starting in September.
Even if your organization did not receive an audit letter, know that up to 50 more covered entities and BAs will face on-site comprehensive audits by OCR in early 2017. Now that OCR audits are upon us, how can healthcare providers and their business associates prepare?
The HIPAA audits are (supposedly) non-punitive. OCR officials have stated that the end goal is to gather information about the state of the industry and compliance measures, and that as long as “good faith efforts” are being made, organizations are not likely to face enforcement action.
HIPAA fines and penalties can range in the thousands of dollars or even include jail time. If organizations are found to have “significant threats” to protected health information (PHI), they will likely invoke action from OCR.
OCR chose specific targets from a pool of over 10,000 covered entities and BAs in order to get a range of different sizes, types, health plans, and BAs. Those who received an audit notice provided contact information and all future communications are via e-mail. The first step is a pre-audit questionnaire, which can be found here.
OCR also requests organizations identify their business associates complete with contact information, from which randomly chosen auditees are notified. Covered entities can use a sample template to draft this list.
The first round of audits consists of a questionnaire or “desk audit” to see if good faith HIPAA compliance measures are in place, focusing on security of PHI, access controls, written policies and procedures, evidence of ongoing risk assessment, and patient notices.
In the meantime, don’t just twiddle your thumbs and hope your HIPAA compliance measures will cut the mustard if you’re picked for the next round. Take some proactive steps and you’ll have to spend less time on a potential audit – besides, regular compliance checks provide valuable feedback on your ePHI security measures and handling protocol.
At a minimum, you should have the following pieces of documentation on hand:
Some other useful steps to prepare include:
Read on to see the timeline for this fall's OCR audits, including the involvement of Business Associates.
Requirements & best practices to keep in mind for a HIPAA compliant cloud server deployment
Desk audit entities were notified by e-mail, including initial requests for documentation. These organizations had 10 days to respond using OCR’s online portal. Auditors then review and provide draft findings, to which auditees have 10 more days to respond if they desire. 30 days after this response, selected entities will receive their final audit report. As part of this process, OCR will contact BAs to test the process for retrieving notification and document requests.
Once on-site audits begin, selected entities will be notified in the same manner. Each in-person audit will take between three and five days and will be more comprehensive. Similarly, auditees will have 10 days to respond to the audit draft and will receive their final report within 30 days after response.